Mat*_*ick 4 ssh proxy ssh-tunnel
我正在尝试通过网关连接到 EC2 实例。
如果我连接到网关
local> ssh gateway
然后我可以在没有密码的情况下连接到 EC2
gateway> ssh ec2 # works
但是,尝试通过代理连接似乎需要身份文件。
Host gateway
HostName <gateway>
Host ec2
HostName ec2-<ec2>.compute.amazonaws.com
ProxyCommand ssh gateway -W %h:%p
local> ssh ec2
Permission denied (publickey).
我认为 ProxyCommand 基本上是将我登录到网关,然后登录到最终目的地。如果是这样,当网关设置为不需要公钥时,为什么它会要求我提供公钥?如何以与 ssh 进入网关然后 ssh 进入 ec2 相同的方式连接到 ec2 实例?
编辑:rsync 正常工作(不要求提供密钥文件)
rsync -pthrvz --rsync-path=/usr/bin/rsync --rsh='ssh gateway ssh' . ec2:/path
ssh -v 输出 gateway> ssh ec2
gateway> ssh -v ec2
OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to ec2 port 22.
debug1: Connection established.
debug1: identity file <snip> type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.2
debug1: match: OpenSSH_6.2 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.3
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'ec2' is known and matches the RSA host key.
debug1: Found key in ~/.ssh/known_hosts:63
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Trying private key: ~/.ssh/identity
debug1: Offering public key: ~/.ssh/id_rsa
debug1: Server accepts key: pkalg ssh-rsa blen 277
debug1: read PEM private key done: type RSA
debug1: Authentication succeeded (publickey).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: Sending environment.
ssh -v 尝试通过代理连接的输出
local$ ssh -v ec2
OpenSSH_6.7p1 Ubuntu-5ubuntu1.3, OpenSSL 1.0.1f 6 Jan 2014
debug1: Reading configuration data /home/matt/.ssh/config
debug1: /home/matt/.ssh/config line 9: Applying options for ec2
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Hostname has changed; re-reading configuration
debug1: Reading configuration data /home/matt/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Executing proxy command: exec ssh gateway -W ec2:22
debug1: permanently_drop_suid: 1000
debug1: identity file /home/matt/.ssh/id_rsa type 1
debug1: key_load_public: No such file or directory
debug1: identity file /home/matt/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/matt/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/matt/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/matt/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/matt/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/matt/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/matt/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.7p1 Ubuntu-5ubuntu1.3
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.2
debug1: match: OpenSSH_6.2 pat OpenSSH* compat 0x04000000
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr umac-64-etm@openssh.com none
debug1: kex: client->server aes128-ctr umac-64-etm@openssh.com none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ECDSA 73:<snip>:0c
debug1: Host 'ec2.compute.amazonaws.com' is known and matches the ECDSA host key.
debug1: Found key in /home/matt/.ssh/known_hosts:11
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/matt/.ssh/id_rsa
debug1: Authentications that can continue: publickey
debug1: Trying private key: /home/matt/.ssh/id_dsa
debug1: Trying private key: /home/matt/.ssh/id_ecdsa
debug1: Trying private key: /home/matt/.ssh/id_ed25519
debug1: No more authentication methods to try.
Permission denied (publickey).
问题似乎是它试图在我的机器上找到密钥,而不是从网关机器上获取它。
Per*_*rgk 12
ProxyCommand 不会像您认为的那样工作。指定的命令不在网关机器上运行。相反,它在连接机器上运行。
因此,执行流程是:
ProxyCommand“ssh gateway -W %h:%p”在“本地”机器上执行。这将使用本地设备上的 RSA 身份建立到网关的 SSH 会话。-W 标志指定 stdin 和 stdout 将连接到通往最终目的地的网关上的 TCP 会话源。
建立代理会话后,本地机器上的 ssh 再次使用该会话向远程 SSH 服务器进行身份验证,再次使用本地凭据。
这有点令人困惑,但可以将 ProxyCommand 视为简单地在本地 SSH 客户端和作为最终目的地的 SSH 服务器之间设置“管道”。然后,您的本地 SSH 客户端使用该哑管道与最终目的地的 SSH 服务进行通信。
关键是因此有两个SSH 实例在您的本地机器上运行,其中一个是 ProxyCommand,另一个是您要建立的实际 SSH 连接!您应该能够通过查看本地机器上“ps aux”的输出来验证这一点。
这将解释为什么它试图在您的本地盒子上使用密钥材料,而不是在您的网关上进行身份验证。:-)
rsync 工作的原因是你实际上是在做“ssh gateway ssh”作为你的 --rsh 命令,它实际上在本地机器上运行一次 ssh 以连接到网关,然后在远程机器上再次运行,这将然后使用远程密钥材料。
希望这可以帮助。
| 归档时间: |
|
| 查看次数: |
3691 次 |
| 最近记录: |