主页 / server / 问题 / 1044142
Accepted
P Burke
Asked: 2020-11-28 06:58:56 +0800 CST

ssh 与本地密钥文件链接 - 这应该如何工作?

  • 772

我试图让 ssh 链接通过jump服务器工作到target内部子网上的服务器,所以我可以通过一个命令到达目标服务器。如果我在两跳中到达目标服务器,则 ssh'ing 有效:

local$ ssh -i=jump_rsa ec2@jump
jump$ ssh -i=target_rsa centos@target
target$

我想要做的是在一个命令中将这些 ssh 连接链接在一起,仅在本地机器上使用 ssh 私钥,据我所知,这是最安全的解决方案(目前在跳转服务器上有一个私钥)。

但是,我完全没有在一个命令中将这些链接在一起,并且我在尝试调试问题时画了一个空白。这里一个可能的复杂情况是,本地服务器是Ubuntu,跳转服务器是amazon linux,目标服务器是centos7;所以我想知道这是否与它有关?

尝试 1 - 通过命令行

$ ssh -A -t -i jump_rsa [email protected] ssh -A -t -i target_rsa [email protected]
Warning: Identity file target_rsa not accessible: No such file or directory.
ssh: connect to host 10.0.0.214 port 22: No route to host
Connection to 18.134.xx.xx closed.

我已经尝试将密钥文件放在任何地方,并更改权限,这没有任何区别。与 -v

Warning: Identity file target_rsa not accessible: No such file or directory.
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips  26 Jan 2017
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 58: Applying options for *
debug1: Connecting to 10.0.0.214 [10.0.0.214] port 22.
debug1: connect to address 10.0.0.214 port 22: No route to host
ssh: connect to host 10.0.0.214 port 22: No route to host
Connection to 18.134.xx.xx closed.

是我想要做的甚至可能有很多例子,但没有一个像我试图做的那样使用两个关键文件引用。

尝试 2 - 通过 .ssh/config 文件和代理命令

# .ssh/config
Host jump
  Hostname 18.134.xx.xx
  User ec2-user
  Port 22
  IdentityFile /home/path/to/jump_rsa
  
Host target
  Hostname 10.0.0.214
  User centos
  IdentityFile /home/path/to/target_rsa
  Port 22
  ProxyCommand ssh -q W %h:%p jump

该命令ssh jump工作正常,可以到达跳转服务器,但ssh target失败如下所示:

$ ssh target -v
OpenSSH_8.2p1 Ubuntu-4ubuntu0.1, OpenSSL 1.1.1f  31 Mar 2020
debug1: Reading configuration data /home/peter/.ssh/config
debug1: /home/peter/.ssh/config line 16: Applying options for target
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug1: Executing proxy command: exec ssh -q W 10.0.0.214:22 jump
debug1: identity file /home/path/to/target_rsa type -1
debug1: identity file /home/path/to/target_rsa-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.1
kex_exchange_identification: Connection closed by remote host

我想我在这里遗漏了一些明显的东西,但看不到什么。

更新...

尝试 3 - 通过 -J

尝试了 -J 选项,这更有帮助,并且其中有一些有趣的错误。但还是不行。

$ ssh -J jump target -v
OpenSSH_8.2p1 Ubuntu-4ubuntu0.1, OpenSSL 1.1.1f  31 Mar 2020
debug1: Reading configuration data /home/peter/.ssh/config
debug1: /home/peter/.ssh/config line 16: Applying options for target
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug1: Setting implicit ProxyCommand from ProxyJump: ssh -v -W '[%h]:%p' jump
debug1: Executing proxy command: exec ssh -v -W '[10.0.0.214]:22' jump
debug1: identity file /home/path/to/target_rsa type -1
debug1: identity file /home/path/to/target_rsa-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.1
OpenSSH_8.2p1 Ubuntu-4ubuntu0.1, OpenSSL 1.1.1f  31 Mar 2020
debug1: Reading configuration data /home/peter/.ssh/config
debug1: /home/peter/.ssh/config line 10: Applying options for jump
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug1: Connecting to 18.134.xx.xx [18.134.xx.xx] port 22.
debug1: Connection established.
debug1: identity file /home/path/to/jump_rsa type -1
debug1: identity file /home/path/to/jump_rsa_rsa-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.1
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.4
debug1: match: OpenSSH_7.4 pat OpenSSH_7.0*,OpenSSH_7.1*,OpenSSH_7.2*,OpenSSH_7.3*,OpenSSH_7.4*,OpenSSH_7.5*,OpenSSH_7.6*,OpenSSH_7.7* compat 0x04000002
debug1: Authenticating to 18.134.xx.xx:22 as 'ec2-user'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: [email protected] MAC: <implicit> compression: none
debug1: kex: client->server cipher: [email protected] MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:302ZU2HdNyCd7uk+oGiKxoXKe+7eIYRIFNEFzAt9UJU
debug1: Host '18.134.xx.xx' is known and matches the ECDSA host key.
debug1: Found key in /home/peter/.ssh/known_hosts:31
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 134217728 blocks
debug1: Will attempt key: /home/path/to/jump_rsa  explicit
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<rsa-sha2-256,rsa-sha2-512>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure.  Minor code may provide more information
No Kerberos credentials available (default cache: FILE:/tmp/krb5cc_1000)


debug1: Unspecified GSS failure.  Minor code may provide more information
No Kerberos credentials available (default cache: FILE:/tmp/krb5cc_1000)


debug1: Next authentication method: publickey
debug1: Trying private key: /home/peter/path/to/jump_rsa
debug1: Authentication succeeded (publickey).
Authenticated to 18.134.xx.xx ([18.134.xx.xx]:22).
debug1: channel_connect_stdio_fwd 10.0.0.214:22
debug1: channel 0: new [stdio-forward]
debug1: getpeername failed: Bad file descriptor
debug1: Requesting [email protected]
debug1: Entering interactive session.
debug1: pledge: network
debug1: client_input_global_request: rtype [email protected] want_reply 0
channel 0: open failed: connect failed: No route to host
stdio forwarding failed
kex_exchange_identification: Connection closed by remote host

# .ssh/config
Host jump
  Hostname 18.134.xx.xx
  User ec2-user
  Port 22
  IdentityFile /home/path/to/jump_rsa
  
Host target
  Hostname 10.0.0.214
  User centos
  IdentityFile /home/path/to/target_rsa
  Port 22
ssh

2 个回答

  1. OpenSSHssh有专门的-J开关或ProxyJump选项。

    来自man ssh

    -J 目的地

    连接到目标主机,方法是首先与目标描述的跳转主机建立ssh连接,然后从那里建立到最终目标的 TCP 转发。可以指定多个跳转跃点,用逗号分隔。这是指定ProxyJump配置指令的快捷方式。请注意,命令行上提供的配置指令通常适用于目标主机,而不适用于任何指定的跳转主机。使用~/.ssh/config来指定跳转主机的配置。

    • 0
  2. Best Answer

    解决方案是 Ginnungagap 建议使用 -J 选项。但我看到的问题(至少在尝试 3 中)是由于目标服务器上的权限太松。一旦我设置了它们(通过还安装公钥的 user_data 引导脚本),一切正常。

    完整解决方案:

    1. 确保任何 centos 节点都具有以下权限集(对其他版本的 linux 也无害)
    chmod 700 ~/.ssh
chmod 600 ~/.ssh/*
    1. 在本地机器上配置~/.ssh.config文件,如下图:
    # Speed up ssh by disabling this, as N/A for AWS
Host *
  GSSAPIAuthentication no
  
Host jump
  Hostname 35.178.207.12
  # Amazon Linux = ec2-user, Ubuntu = ubuntu, CentOS = centos
  User ec2-user
  Port 22
  IdentityFile /path/to/bastion_rsa
  
Host target
  Hostname 10.0.0.145
  # Amazon Linux = ec2-user, Ubuntu = ubuntu, CentOS = centos
  User centos
  IdentityFile /path/to/target_rsa
  Port 22
    1. 使用以下命令连接到目标服务器:ssh -J jump target

    避免在跳转服务器上安装任何私钥。

    • 0

相关问题