I logged in to a server named Walnut, and then tried to log in from that server to another server named Hazelnut.
local machine (mac) ---ssh---> Walnut ---ssh---> Hazelnut
The first ssh (from my local machine to Walnut) went smoothly.
However, the second ssh command gave me permission denied.
Here is what the log shows when I do ssh -v -A Haezlnut:
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to Hazelnut [address] port [port].
debug1: Connection established.
debug1: identity file /home/username/.ssh/id_rsa type -1
debug1: identity file /home/username/.ssh/id_rsa-cert type -1
debug1: identity file /home/username/.ssh/id_dsa type -1
debug1: identity file /home/username/.ssh/id_dsa-cert type -1
debug1: identity file /home/username/.ssh/id_ecdsa type -1
debug1: identity file /home/username/.ssh/id_ecdsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.7p1 Debian-5+deb8u2
debug1: match: OpenSSH_6.7p1 Debian-5+deb8u2 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u2
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-sha1 none
debug1: kex: client->server aes128-ctr hmac-sha1 none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: [Host key]
debug1: Host 'Hazelnut' is known and matches the ECDSA host key.
debug1: Found key in /home/username/.ssh/known_hosts:1
debug1: ssh_ecdsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /home/username/.ssh/id_rsa
debug1: Trying private key: /home/username/.ssh/id_dsa
debug1: Trying private key: /home/username/.ssh/id_ecdsa
debug1: No more authentication methods to try.
Permission denied (publickey).
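So, I think the log clearly shows that it could not find the key file at the end. What is confusing is that, since the private key resides on the local Mac machine, it should look for the file in /Users/username/.ssh/, not /home/username/.ssh/. The first ssh command (from local to Walnut) does this fine, but the second command (from Walnut to Hazelnut) somehow messes it up.
What is even more confusing is that the same procedure works perfectly on many other seemingly identical Mac machines. If you try to ssh into Hazelnut from Walnut using any other Mac machine, it tries to look for the key file in the correct (/Users/username/.ssh) directory.
Has anyone run into this problem before?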
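Answer 1
You need to make your ssh agent available on walnut by using this command from your Mac: ssh -A walnut
Then ssh to hazelnut.
But doing so is considered bad practice because it exposes your agent to the remote machine. If an attacker is on walnut, they could steal your private key.
Or tunnel to hazelnut. There are many ways to do this, though...
Using the -J option, a shortcut for the ProxyJump option (requires openssh ver. 7.3+):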
ssh -J <jumphost> <target>
The ProxyCommand option using netcat on the jump host:
ssh -o ProxyCommand="ssh %h nc <target> 22" <jumphost>
Or ProxyCommand with the -W option:
ssh -o ProxyCommand="ssh -W %h:%p <jumphost>" <target>
The ProxyCommand or ProxyJump configuration directives can also be placed in the ssh config file to achieve the same effect.
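The config-file form mentioned in the answer above, as an added example that is not part of the original answer: a client config on the Mac with the agent-forwarding variant next to the two jump variants. The file location, the Host aliases walnut-agent and hazelnut-legacy, and the assumption that the names walnut and hazelnut resolve from the Mac are illustrative.

```sshconfig
# ~/.ssh/config on the local Mac (assumed location; added example)

# Variant A: config-file equivalent of `ssh -A walnut`.
# The agent is exposed on walnut for as long as the session lasts,
# which is the practice the answer advises against.
Host walnut-agent
    HostName walnut
    ForwardAgent yes

# Variant B: jump through walnut without forwarding the agent.
# The Mac's ssh client authenticates to hazelnut itself, through the
# connection to walnut, so the key under /Users/username/.ssh/ is
# used and walnut needs neither the key nor the agent.
Host walnut
    ForwardAgent no

# ProxyJump needs OpenSSH 7.3+ on the Mac.
Host hazelnut
    ProxyJump walnut
    ForwardAgent no

# Variant C: same effect as B for clients older than 7.3,
# using the ProxyCommand -W form from the answer.
Host hazelnut-legacy
    HostName hazelnut
    ProxyCommand ssh -W %h:%p walnut
    ForwardAgent no
```

With variant B or C in place, `ssh hazelnut` (or `ssh hazelnut-legacy`) is run directly on the Mac instead of from a shell on walnut.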