我设置了一个反向 SSH 隧道来访问node1NAT 后面的节点。我已经设置了一个 EC2 实例,myEC2作为中介。从我的laptop,当我想访问时node1,我必须通过 SSH 连接到 EC2 才能通过 SSH 连接到节点。
工作流程是这样的:
- 在
node1中,确保运行:ssh -i key.pem -R 3000:localhost:22 ubuntu@myEC2。这始终在服务中运行。 - 从我
laptop的 SSH 到 EC2:ssh ubuntu@myEC2 - 一旦进入 EC2:
ssh xavier@localhost -p 3000 - 我进去了
node1!
我正在寻找的是一种在 SSH 配置中表达该工作流程的方式,我可以使用它直接node1从我的laptop. 这将帮助我node1通过 Visual Studio Code 的远程 SSH 扩展进行访问。
我试过这样的事情:
Host node1
Hostname myEC2
User ubuntu
Port 3000
IdentityFile key.pem
但这不起作用,我认为这是因为Port应该22而不是3000. 我只是真的不知道如何表达工作流程。我已经调查过了ProxyJump,但我不确定这是否是我正在寻找的东西,老实说我也没有成功。
欢迎任何建议!=D
编辑 #1:在遵循 Stéphane 的建议后,我最终得到了一个 ssh_config 文件,如下所示:
Host myEC2
Hostname <myEC2_IP>
User ubuntu
Port 22
IdentityFile ec2_key.pem
Host node1
Hostname localhost
User xavier
Port 3000
IdentityFile /path/to/node1-id_rsa
ProxyJump ubuntu@myEC2
虽然我可以毫无问题地通过 SSH 进入myEC2,但我无法进入node1. 我的理解是,这应该等同于ssh -p 3000 -J ubuntu@myEC2 xavier@localhost. 任何帮助是极大的赞赏!这就是我通过将-v标志添加到 SSH 得到的。
xaviermerino@Xaviers-MBP .ssh % ssh doc
debug1: Executing proxy command: exec ssh -l ubuntu -W '[localhost]:3000' myEC2
debug1: identity file node1-id_rsa type -1
debug1: identity file node1-id_rsa-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.1
debug1: Connecting to myEC2 [myEC2_IP_ADDRESS] port 22.
debug1: Connection established.
debug1: identity file ec2_key.pem type -1
debug1: identity file ec2_key.pem-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.1
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.2p1 Ubuntu-4ubuntu0.2
debug1: match: OpenSSH_8.2p1 Ubuntu-4ubuntu0.2 pat OpenSSH* compat 0x04000000
debug1: Authenticating to myEC2_IP_ADDRESS:22 as 'ubuntu'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: [email protected] MAC: <implicit> compression: none
debug1: kex: client->server cipher: [email protected] MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:/U4HE+zUBFNZJgxDM6lWDW7FX8GSHXWYc/fMEyOvMlw
debug1: Host 'myEC2_IP_ADDRESS' is known and matches the ECDSA host key.
debug1: Found key in /Users/xaviermerino/.ssh/known_hosts:226
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 134217728 blocks
debug1: Will attempt key: ec2_key.pem explicit
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,[email protected],ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[email protected]>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Trying private key: ec2_key.pem
debug1: Authentication succeeded (publickey).
Authenticated to myEC2 ([IP_Address_Goes_Here]:22).
debug1: channel_connect_stdio_fwd localhost:3000
debug1: channel 0: new [stdio-forward]
debug1: getpeername failed: Bad file descriptor
debug1: Requesting [email protected]
debug1: Entering interactive session.
debug1: pledge: network
debug1: client_input_global_request: rtype [email protected] want_reply 0
debug1: Remote: /home/ubuntu/.ssh/authorized_keys:1: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
channel 0: open failed: connect failed: Connection refused
stdio forwarding failed
kex_exchange_identification: Connection closed by remote host
我不确定这意味着什么它与sshd_configEC2 中的设置有关吗?这就是我在那里的:
#AllowAgentForwarding yes
#AllowTcpForwarding yes
GatewayPorts yes
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
PrintMotd no
#PrintLastLog yes
#TCPKeepAlive yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none
编辑#2:有人关掉了电脑。现在可以了!总结一下,供任何正在研究此问题的人使用。为了解决这个问题,我需要:
Host myEC2
Hostname <myEC2_IP>
User ubuntu
Port 22
IdentityFile ec2_key.pem
Host node1
Hostname localhost
User xavier
Port 3000
IdentityFile /path/to/node1-id_rsa
ProxyJump ubuntu@myEC2
就是这样!谢谢@StephaneChazelas
您实际上是
myEC2用作跳转主机。node1您可以通过以下方式从笔记本电脑ssh :相应的
ssh_config条目如下所示:请注意,
IdentityFile有一个用于验证node1. 要为 指定一个myEC2,您需要为 使用另一个Host条目myEC2。