jump
我正在尝试通过服务器到内部子网上的服务器来使 ssh 链接工作target
,这样我就可以通过一个命令到达目标服务器。如果我通过两次跳转到达目标服务器,ssh 就会起作用:
local$ ssh -i=jump_rsa ec2@jump
jump$ ssh -i=target_rsa centos@target
target$
我想要做的是在一个命令中将这些 ssh 连接链接在一起,仅在本地机器上使用 ssh 私钥,因为我知道这是最安全的解决方案(当前跳转服务器上有一个私钥)。
但是我完全没能用一个命令将它们串联起来,而且我在调试问题时一无所获。这里可能出现的一个复杂情况是本地服务器是 Ubuntu,跳转服务器是 amazon linux,目标服务器是 centos7;所以我想知道这是否与它有关?
尝试 1 - 通过命令行
$ ssh -A -t -i jump_rsa [email protected] ssh -A -t -i target_rsa [email protected]
Warning: Identity file target_rsa not accessible: No such file or directory.
ssh: connect to host 10.0.0.214 port 22: No route to host
Connection to 18.134.xx.xx closed.
我尝试将密钥文件放在各处,并更改权限,但没有任何区别。使用 -v
Warning: Identity file target_rsa not accessible: No such file or directory.
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 58: Applying options for *
debug1: Connecting to 10.0.0.214 [10.0.0.214] port 22.
debug1: connect to address 10.0.0.214 port 22: No route to host
ssh: connect to host 10.0.0.214 port 22: No route to host
Connection to 18.134.xx.xx closed.
我正在尝试做的事情是否可能有很多例子,但没有一个像我尝试的那样使用两个关键文件引用。
尝试 2 - 通过 .ssh/config 文件和代理命令
# .ssh/config
Host jump
Hostname 18.134.xx.xx
User ec2-user
Port 22
IdentityFile /home/path/to/jump_rsa
Host target
Hostname 10.0.0.214
User centos
IdentityFile /home/path/to/target_rsa
Port 22
ProxyCommand ssh -q W %h:%p jump
该命令ssh jump
可以正常工作,可以到达跳转服务器,但是ssh target
失败,如下所示:
$ ssh target -v
OpenSSH_8.2p1 Ubuntu-4ubuntu0.1, OpenSSL 1.1.1f 31 Mar 2020
debug1: Reading configuration data /home/peter/.ssh/config
debug1: /home/peter/.ssh/config line 16: Applying options for target
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug1: Executing proxy command: exec ssh -q W 10.0.0.214:22 jump
debug1: identity file /home/path/to/target_rsa type -1
debug1: identity file /home/path/to/target_rsa-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.1
kex_exchange_identification: Connection closed by remote host
我觉得我在这里遗漏了一些明显的东西,但又看不出是什么。
更新...
尝试 3 - 通过 -J
尝试了 -J 选项,这个选项更有帮助,并且其中有一些有趣的错误。但仍然不起作用。
$ ssh -J jump target -v
OpenSSH_8.2p1 Ubuntu-4ubuntu0.1, OpenSSL 1.1.1f 31 Mar 2020
debug1: Reading configuration data /home/peter/.ssh/config
debug1: /home/peter/.ssh/config line 16: Applying options for target
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug1: Setting implicit ProxyCommand from ProxyJump: ssh -v -W '[%h]:%p' jump
debug1: Executing proxy command: exec ssh -v -W '[10.0.0.214]:22' jump
debug1: identity file /home/path/to/target_rsa type -1
debug1: identity file /home/path/to/target_rsa-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.1
OpenSSH_8.2p1 Ubuntu-4ubuntu0.1, OpenSSL 1.1.1f 31 Mar 2020
debug1: Reading configuration data /home/peter/.ssh/config
debug1: /home/peter/.ssh/config line 10: Applying options for jump
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug1: Connecting to 18.134.xx.xx [18.134.xx.xx] port 22.
debug1: Connection established.
debug1: identity file /home/path/to/jump_rsa type -1
debug1: identity file /home/path/to/jump_rsa_rsa-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.1
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.4
debug1: match: OpenSSH_7.4 pat OpenSSH_7.0*,OpenSSH_7.1*,OpenSSH_7.2*,OpenSSH_7.3*,OpenSSH_7.4*,OpenSSH_7.5*,OpenSSH_7.6*,OpenSSH_7.7* compat 0x04000002
debug1: Authenticating to 18.134.xx.xx:22 as 'ec2-user'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: [email protected] MAC: <implicit> compression: none
debug1: kex: client->server cipher: [email protected] MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:302ZU2HdNyCd7uk+oGiKxoXKe+7eIYRIFNEFzAt9UJU
debug1: Host '18.134.xx.xx' is known and matches the ECDSA host key.
debug1: Found key in /home/peter/.ssh/known_hosts:31
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 134217728 blocks
debug1: Will attempt key: /home/path/to/jump_rsa explicit
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<rsa-sha2-256,rsa-sha2-512>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure. Minor code may provide more information
No Kerberos credentials available (default cache: FILE:/tmp/krb5cc_1000)
debug1: Unspecified GSS failure. Minor code may provide more information
No Kerberos credentials available (default cache: FILE:/tmp/krb5cc_1000)
debug1: Next authentication method: publickey
debug1: Trying private key: /home/peter/path/to/jump_rsa
debug1: Authentication succeeded (publickey).
Authenticated to 18.134.xx.xx ([18.134.xx.xx]:22).
debug1: channel_connect_stdio_fwd 10.0.0.214:22
debug1: channel 0: new [stdio-forward]
debug1: getpeername failed: Bad file descriptor
debug1: Requesting [email protected]
debug1: Entering interactive session.
debug1: pledge: network
debug1: client_input_global_request: rtype [email protected] want_reply 0
channel 0: open failed: connect failed: No route to host
stdio forwarding failed
kex_exchange_identification: Connection closed by remote host
# .ssh/config
Host jump
Hostname 18.134.xx.xx
User ec2-user
Port 22
IdentityFile /home/path/to/jump_rsa
Host target
Hostname 10.0.0.214
User centos
IdentityFile /home/path/to/target_rsa
Port 22
答案1
OpenSSHssh
有专门用于此的-J
开关或选项。ProxyJump
从man ssh
:
—J 目的地
首先连接到目标主机远程控制连接到跳转主机目的地然后从那里建立到最终目的地的 TCP 转发。可以用逗号分隔指定多个跳转。这是指定代理跳转配置指令。请注意,命令行上提供的配置指令通常适用于目标主机,而不是任何指定的跳转主机。使用〜/.ssh /配置指定跳转主机的配置。
答案2
解决方案是按照 Ginnungagap 的建议使用 -J 选项。但我看到的问题(至少在尝试 3 中)是由于目标服务器上的权限太松。一旦我设置了它们(通过也安装公钥的 user_data 引导脚本),一切都正常了。
完整解决方案:
- 确保任何 centos 节点都设置了以下权限(对其他版本的 Linux 也没有损害)
chmod 700 ~/.ssh
chmod 600 ~/.ssh/*
- 在本地机器上配置~/.ssh.config文件,如下所示:
# Speed up ssh by disabling this, as N/A for AWS
Host *
GSSAPIAuthentication no
Host jump
Hostname 35.178.207.12
# Amazon Linux = ec2-user, Ubuntu = ubuntu, CentOS = centos
User ec2-user
Port 22
IdentityFile /path/to/bastion_rsa
Host target
Hostname 10.0.0.145
# Amazon Linux = ec2-user, Ubuntu = ubuntu, CentOS = centos
User centos
IdentityFile /path/to/target_rsa
Port 22
- 使用以下命令连接目标服务器:
ssh -J jump target
避免需要在跳转服务器上安装任何私钥。