我正在尝试从我的机器 ssh 到另一台机器,然后从那里到第三台机器。当我手动执行此操作时,它的工作方式如下:
localhost$ scp ~/.ssh/id_rsa [email protected]:.
localhost$ ssh [email protected]
myhost.something.something.com$ ssh -i id_rsa [email protected]
10.25.100.42$
但我想直接一步完成。我希望本地主机的 SSH 密钥能够转发到第三台机器。我以为这样可行,但实际上不行:
localhost$ ssh -A -t [email protected] ssh 10.25.100.42
Permission denied (publickey).
Connection to myhost.something.something.com closed.
为什么?我怎样才能在单个命令中完成此操作localhost
?以下是我使用详细标志时可以看到的更多详细信息:
localhost$ ssh -v -A -t [email protected] ssh 10.25.100.42
OpenSSH_6.2p2, OSSLShim 0.9.8r 8 Dec 2011
debug1: Reading configuration data /etc/ssh_config
debug1: /etc/ssh_config line 20: Applying options for *
debug1: Connecting to myhost.something.something.com [X.X.X.X] port 22.
debug1: Connection established.
debug1: identity file /home/myuser/.ssh/id_rsa type 1
debug1: identity file /home/myuser/.ssh/id_rsa-cert type -1
debug1: identity file /home/myuser/.ssh/id_dsa type -1
debug1: identity file /home/myuser/.ssh/id_dsa-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.2
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1p1 Ubuntu-2ubuntu2
debug1: match: OpenSSH_6.6.1p1 Ubuntu-2ubuntu2 pat OpenSSH*
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr [email protected] none
debug1: kex: client->server aes128-ctr [email protected] none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: RSA 62:d2:58:47:f7:c6:21:b4:a1:b0:cf:4e:44:42:e4:9a
debug1: Host 'myhost.something.something.com' is known and matches the RSA host key.
debug1: Found key in /home/myuser/.ssh/known_hosts:255
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/myuser/.ssh/id_rsa
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug1: read PEM private key done: type RSA
debug1: Authentication succeeded (publickey).
Authenticated to myhost.something.something.com ([X.X.X.X]:22).
debug1: channel 0: new [client-session]
debug1: Requesting [email protected]
debug1: Entering interactive session.
debug1: Requesting authentication agent forwarding.
debug1: Sending command: ssh 10.25.100.42
debug1: client_input_channel_open: ctype [email protected] rchan 2 win 65536 max 16384
debug1: channel 1: new [authentication agent connection]
debug1: confirm [email protected]
Permission denied (publickey).
debug1: channel 1: FORCE input drain
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: client_input_channel_req: channel 0 rtype [email protected] reply 0
debug1: channel 0: free: client-session, nchannels 2
debug1: channel 1: free: authentication agent connection, nchannels 1
Connection to myhost.something.something.com closed.
Transferred: sent 3532, received 3312 bytes, in 4.4 seconds
Bytes per second: sent 796.1, received 746.6
debug1: Exit status 255
答案1
如果您想要将连接转发到身份验证代理,则需要在您的机器上运行身份验证代理。您可以使用 检查它ssh-add -l
。如果它没有运行,请启动它并添加密钥:
eval `ssh-agent`
ssh-add ~/.ssh/id_rsa
# or other keys you want to use from the other server
然后通过-A
交换机连接到另一台服务器后,您将能够进一步使用此密钥进行身份验证:
local $ ssh -A [email protected]
something $ ssh-add -l # should list your key
something $ ssh 10.25.100.42
但你真正想要实现的是不同的。你想使用第一个主机作为跳转箱来连接到第二个主机,使用 ProxyCommand 可以让它变得更加方便:
ssh -oProxyCommand="ssh -W 10.25.100.42:22" [email protected]
或者更好的是.ssh/config
:
Host something
Hostname myhost.something.something.com
User myuser
Host second
Hostname 10.25.100.42
User myuser
ProxyCommand ssh -W %h:%p something
然后你就可以到达那里
ssh second