aef*_*aef 5 networking linux ssh proxy
由于OpenSSH的5.4有一个叫natcat模式的新功能,它允许你绑定STDIN和STDOUT本地SSH客户端通过远程SSH服务器访问的TCP端口。只需调用即可启用此模式ssh -W [HOST]:[PORT]
从理论上讲,这应该非常适合用于ProxyCommand每主机 SSH 配置中的设置,以前经常与nc(netcat) 命令一起使用。ProxyCommand允许您将机器配置为本地机器和目标 SSH 服务器之间的代理,例如,如果目标 SSH 服务器隐藏在防火墙后面。
现在的问题是,它没有工作,而是在我面前抛出一条神秘的错误消息:
Bad packet length 1397966893.
Disconnecting: Packet corrupt
这是我的摘录~/.ssh/config:
Host *
Protocol 2
ControlMaster auto
ControlPath ~/.ssh/cm_socket/%r@%h:%p
ControlPersist 4h
Host proxy-host proxy-host.my-domain.tld
HostName proxy-host.my-domain.tld
ForwardAgent yes
Host target-server target-server.my-domain.tld
HostName target-server.my-domain.tld
ProxyCommand ssh -W %h:%p proxy-host
ForwardAgent yes
正如您在此处看到的,我正在使用 ControlMaster 功能,因此我不必为每台主机打开一个以上的 SSH 连接。
我测试的客户端机器是 Ubuntu 11.10 (x86_64),代理主机和目标服务器都是 Debian Wheezy Beta 3 (x86_64) 机器。
当我调用ssh target-server. 当我用-vvv标志调用它时,这是我另外得到的:
OpenSSH_5.8p1 Debian-7ubuntu1, OpenSSL 1.0.0e 6 Sep 2011
debug1: Reading configuration data /home/aef/.ssh/config
debug1: Applying options for *
debug1: Applying options for target-server.my-domain.tld
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Applying options for target-server.my-domain.tld
debug1: auto-mux: Trying existing master
debug1: Control socket "/home/aef/.ssh/cm_socket/aef@192.0.2.195:22" does not exist
debug2: ssh_connect: needpriv 0
debug1: Executing proxy command: exec ssh -W 192.0.2.195:22 gateway-host.my-domain.tld
debug1: identity file /home/aef/.ssh/id_rsa type -1
debug1: identity file /home/aef/.ssh/id_rsa-cert type -1
debug1: identity file /home/aef/.ssh/id_dsa type -1
debug1: identity file /home/aef/.ssh/id_dsa-cert type -1
debug1: identity file /home/aef/.ssh/id_ecdsa type -1
debug1: identity file /home/aef/.ssh/id_ecdsa-cert type -1
debug1: permanently_drop_suid: 1000
Host key fingerprint is 1a:2b:3c:4d:5e:6f:7a:8b:9c:ad:be:cf:de:ed:fe:ef
+--[ECDSA 521]---+
| |
| |
| |
| |
| |
| |
| |
| |
| |
+-----------------+
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.0p1 Debian-3
debug1: match: OpenSSH_6.0p1 Debian-3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.8p1 Debian-7ubuntu1
debug2: fd 5 setting O_NONBLOCK
debug2: fd 4 setting O_NONBLOCK
debug3: load_hostkeys: loading entries for host "192.0.2.195" from file "/home/aef/.ssh/known_hosts"
debug3: load_hostkeys: loaded 0 keys
debug3: load_hostkeys: loading entries for host "192.0.2.195" from file "/etc/ssh/ssh_known_hosts"
debug3: load_hostkeys: found key type ECDSA in file /etc/ssh/ssh_known_hosts:49
debug3: load_hostkeys: found key type RSA in file /etc/ssh/ssh_known_hosts:50
debug3: load_hostkeys: loaded 2 keys
debug3: order_hostkeyalgs: prefer hostkeyalgs: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa
debug1: SSH2_MSG_KEXINIT sent
Bad packet length 1397966893.
Disconnecting: Packet corrupt
更新:现在-vvv而不是只有-v输出。
我终于知道这是怎么回事了。这似乎是OpenSSH中的一个错误,当ControlMaster是对两者的proxy-host和target-server。但是,至少有以下两种解决方法:
确保已经有一个运行连接到proxy-host想连接到前target-server。这将使错误消失,一切都按预期进行。您可以通过手动连接到proxy-host.
禁用ControlMaster之ProxyCommand类的ProxyCommand ssh -o "ControlMaster no" -W %h:%p proxy-host。这也将解决这个问题,但它会proxy-host为每个使用完全相同的连接创建一个新连接ProxyCommand。