Setting up an ssh tunnel through multiple hosts with different users


1

I have the following ssh connections:

    user1@local --> root@machine1 --> root@machine2 --> abc@machine3

I need to be able to connect directly from local to machine3:

    [user1@local]$ ssh abc@machine3

At this point I'm fine with having to enter a password, although ideally I'd like to use ssh keys and connect without a password.

I can connect to machine1 and machine2 with sudo, but the connection to machine3 fails:

    [user1@local]$ sudo ssh abc@machine3
    root@machine1.com's password:
    root@machine2.com's password:
    Permission denied (publickey,gssapi-keyex,gssapi-with-mic).

My /root/.ssh/config file contains the following:

    Host machine1
        HostName machine1.com
        User root
        IdentitiesOnly yes

    Host machine2
        HostName machine2.com
        User root
        ProxyCommand ssh -W %h:%p machine1
        IdentitiesOnly yes

    Host machine3
        HostName machine3.com
        User abc
        ProxyCommand ssh -W %h:%p machine2
        IdentitiesOnly yes

I'm using OpenSSH_5.3p1 on the local machine, so I can't use ProxyJump. There is also no netcat on machines 1, 2 and 3.

When I ssh manually, I can only ssh from machine2 to machine3 as user abc, and then no password is needed (authorized_keys on machine3 contains the public key from machine2). Connecting manually from machine2 to machine3 as any other user results in the same Permission denied error as above.

Any idea how to achieve the desired ssh connection from the local machine? Is it feasible? Once the tunnel is set up, I'll need to create some files on machine3 and restart a service there, all from a script.

EDIT

I tried verbose ssh and got this:

    [user1@local]$ sudo ssh -v abc@machine3
    OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013
    debug1: Reading configuration data /root/.ssh/config
    debug1: Applying options for machine3
    debug1: Reading configuration data /etc/ssh/ssh_config
    debug1: Applying options for *
    debug1: Executing proxy command: exec ssh -W machine3.com:22 machine2
    debug1: permanently_drop_suid: 0
    debug1: permanently_set_uid: 0/0
    debug1: identity file /root/.ssh/identity type -1
    debug1: identity file /root/.ssh/identity-cert type -1
    debug1: identity file /root/.ssh/id_rsa type -1
    debug1: identity file /root/.ssh/id_rsa-cert type -1
    debug1: identity file /root/.ssh/id_dsa type -1
    debug1: identity file /root/.ssh/id_dsa-cert type -1
    debug1: identity file /root/.ssh/id_ecdsa type -1
    debug1: identity file /root/.ssh/id_ecdsa-cert type -1
    root@machine1.com's password:
    root@machine2.com's password:
    debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
    debug1: match: OpenSSH_5.3 pat OpenSSH*
    debug1: Enabling compatibility mode for protocol 2.0
    debug1: Local version string SSH-2.0-OpenSSH_5.3
    debug1: SSH2_MSG_KEXINIT sent
    debug1: SSH2_MSG_KEXINIT received
    debug1: kex: server->client aes128-ctr hmac-md5 none
    debug1: kex: client->server aes128-ctr hmac-md5 none
    debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
    debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
    debug1: Host 'machine3.com' is known and matches the RSA host key.
    debug1: Found key in /root/.ssh/known_hosts:4
    debug1: ssh_rsa_verify: signature correct
    debug1: SSH2_MSG_NEWKEYS sent
    debug1: expecting SSH2_MSG_NEWKEYS
    debug1: SSH2_MSG_NEWKEYS received
    debug1: SSH2_MSG_SERVICE_REQUEST sent
    debug1: SSH2_MSG_SERVICE_ACCEPT received
    debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
    debug1: Next authentication method: publickey
    debug1: Trying private key: /root/.ssh/identity
    debug1: Trying private key: /root/.ssh/id_rsa
    debug1: Trying private key: /root/.ssh/id_dsa
    debug1: Trying private key: /root/.ssh/id_ecdsa
    debug1: No more authentication methods to try.
    Permission denied (publickey,gssapi-keyex,gssapi-with-mic).

The only file in the .ssh directory on machine3 is authorized_keys.

Answers:


1

The fact that you can ssh from machine2 to machine3 means there is a private key on machine2 that authenticates you to machine3.

You can copy this private key to your local machine and specify its path in ~/.ssh/config:

    Host machine3
      IdentityFile /path/to/the/key

0

After looking at existing answers to another related question, I did the following, some/all of which solved my problem:

  1. Copied the private and public keys from machine1 and machine2 to local, under different names: /root/.ssh/id_rsa_machine1, /root/.ssh/id_rsa_machine1.pub and /root/.ssh/id_rsa_machine2, /root/.ssh/id_rsa_machine2.pub.
  2. Generated an ssh key on the local system.
  3. Added the public key from the local system to authorized_keys on machine3.
  4. Added the public key from local to machine1.
  5. Added the public key from machine1 to machine2 (machine3 already had the public key from machine2 in authorized_keys).
  6. Modified the local /root/.ssh/config file as follows:

    Host machine1
        HostName machine1.com
        User root
        IdentityFile /root/.ssh/id_rsa_machine1
        Port 22
        IdentitiesOnly yes
    
    Host machine2
        HostName machine2.com
        User root
        IdentityFile /root/.ssh/id_rsa_machine2
        Port 22
        ProxyCommand ssh -W %h:%p machine1
        IdentitiesOnly yes
        ForwardAgent yes
    
    
    Host machine3
        HostName machine3.com
        User abc
        ProxyCommand ssh -W %h:%p machine2
        IdentitiesOnly yes
        ForwardAgent yes
    

The referenced identity files need to exist on the local machine. I can now ssh directly from local to machine3 with sudo, without a password prompt! :-)

Additional changes made for user1 on local, to ssh directly to machine3 as user1 without a password prompt:

  1. Copied the private and public keys from machine1 and machine2 to user1's .ssh directory on the local machine, under the following names: ~/.ssh/id_rsa_machine1, ~/.ssh/id_rsa_machine1.pub and ~/.ssh/id_rsa_machine2, ~/.ssh/id_rsa_machine2.pub.
  2. Added user1's public key from the local system to authorized_keys on machine3.

Added the following to user1's ~/.ssh/config file:

    Host machine1
        HostName machine1.com
        User root
        IdentityFile ~/.ssh/id_rsa_machine1
        Port 22
        IdentitiesOnly yes

    Host machine2
        HostName machine2.com
        User root
        IdentityFile ~/.ssh/id_rsa_machine2
        Port 22
        ProxyCommand ssh -W %h:%p machine1
        IdentitiesOnly yes
        ForwardAgent yes


    Host machine3
        HostName machine3.com
        User abc
        ProxyCommand ssh -W %h:%p machine2
        IdentitiesOnly yes
        ForwardAgent yes
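Both answers above rely on the same mechanism: with `ProxyCommand ssh -W %h:%p <previous hop>`, every ssh process in the chain runs on the local machine, so each hop authenticates with a key that is present locally and the chain works on OpenSSH 5.3 without ProxyJump or netcat. A consequence worth spelling out is that `ForwardAgent yes` plays no part in it (the local client never runs a command on machine1 or machine2, it only asks them to open a TCP forward), and that the private keys of machine1 and machine2 do not have to be copied to local at all: a single local key whose public half is placed in each hop's authorized_keys is enough. The script below is an added example, written for this page and not taken from either answer; it generates such a config for a chain of any length (the three-hop case from the question is the constructed demo at the bottom). The hop format `ALIAS:USER:HOST[:PORT]`, the key path `~/.ssh/id_chain` and the function names are my own assumptions.

```shell
#!/bin/sh
# Generate an OpenSSH client config that chains hops with "ProxyCommand ssh -W".
# Hop format (an assumption of this script): ALIAS:USER:HOST[:PORT],
# listed from the nearest hop to the farthest one.
#
# Every ssh in the chain runs locally, so one local key (KEYFILE) whose
# public half is in each hop's authorized_keys authenticates all hops;
# no private key leaves the local machine and no agent forwarding is used.

KEYFILE="${KEYFILE:-$HOME/.ssh/id_chain}"   # assumed key path, override via env

# chain_config HOP... : print one "Host" block per hop on stdout.
# Each hop after the first gets a ProxyCommand through the previous alias.
chain_config() {
    prev=""
    for hop in "$@"; do
        name=${hop%%:*}
        rest=${hop#*:}
        user=${rest%%:*}
        rest=${rest#*:}
        host=${rest%%:*}
        port=22
        case $rest in
            *:*) port=${rest#*:} ;;
        esac
        printf 'Host %s\n' "$name"
        printf '    HostName %s\n' "$host"
        printf '    User %s\n' "$user"
        printf '    Port %s\n' "$port"
        printf '    IdentityFile %s\n' "$KEYFILE"
        printf '    IdentitiesOnly yes\n'      # never offer unrelated keys to a hop
        printf '    ForwardAgent no\n'         # root on a hop must not reach our agent
        if [ -n "$prev" ]; then
            # %%h/%%p survive printf as %h/%p, which ssh expands to host and port
            printf '    ProxyCommand ssh -W %%h:%%p %s\n' "$prev"
        fi
        printf '\n'
        prev=$name
    done
}

# write_chain_config FILE HOP... : write the config with owner-only permissions
# (ssh refuses world-readable private keys; keeping the config 0600 matches
# the rest of ~/.ssh). Prints the path written.
write_chain_config() {
    out=$1
    shift
    ( umask 077; chain_config "$@" > "$out" )
    printf '%s\n' "$out"
}

# Constructed demo: the three hops from the question.
chain_config machine1:root:machine1.com machine2:root:machine2.com machine3:abc:machine3.com
```

To use it, generate the key once with `ssh-keygen -f ~/.ssh/id_chain`, append `id_chain.pub` to authorized_keys for root on machine1, root on machine2 and abc on machine3 (the first two hops can be reached through the password prompts the question already shows, then machine3 through the chain), write the output to `~/.ssh/config` with `write_chain_config`, and `ssh machine3` runs without a password and without sudo.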
Licensed under cc by-sa 3.0 with attribution required.