Ssh
SSH config ProxyCommand 請求公鑰
我正在嘗試通過網關連接到 EC2 實例。
如果我連接到網關
local> ssh gateway
然後我可以在沒有密碼的情況下連接到 EC2
gateway> ssh ec2 # works
但是,嘗試通過代理連接似乎需要身份文件。
Host gateway HostName <gateway> Host ec2 HostName ec2-<ec2>.compute.amazonaws.com ProxyCommand ssh gateway -W %h:%p local> ssh ec2 Permission denied (publickey).
我認為 ProxyCommand 基本上是將我登錄到網關,然後登錄到最終目的地。如果是這樣,當網關設置為不需要公鑰時,為什麼它會要求我提供公鑰?如何以與 ssh 連接到網關然後 ssh 連接到 ec2 相同的方式連接到 ec2 實例?
編輯: rsync 正常工作(不要求密鑰文件)
rsync -pthrvz --rsync-path=/usr/bin/rsync --rsh='ssh gateway ssh' . ec2:/path
ssh -v 輸出
gateway> ssh ec2
gateway> ssh -v ec2 OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013 debug1: Reading configuration data /etc/ssh/ssh_config debug1: Applying options for * debug1: Connecting to ec2 port 22. debug1: Connection established. debug1: identity file <snip> type -1 debug1: Remote protocol version 2.0, remote software version OpenSSH_6.2 debug1: match: OpenSSH_6.2 pat OpenSSH* debug1: Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-2.0-OpenSSH_5.3 debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug1: kex: server->client aes128-ctr hmac-md5 none debug1: kex: client->server aes128-ctr hmac-md5 none debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP debug1: SSH2_MSG_KEX_DH_GEX_INIT sent debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY debug1: Host 'ec2' is known and matches the RSA host key. debug1: Found key in ~/.ssh/known_hosts:63 debug1: ssh_rsa_verify: signature correct debug1: SSH2_MSG_NEWKEYS sent debug1: expecting SSH2_MSG_NEWKEYS debug1: SSH2_MSG_NEWKEYS received debug1: SSH2_MSG_SERVICE_REQUEST sent debug1: SSH2_MSG_SERVICE_ACCEPT received debug1: Authentications that can continue: publickey debug1: Next authentication method: publickey debug1: Trying private key: ~/.ssh/identity debug1: Offering public key: ~/.ssh/id_rsa debug1: Server accepts key: pkalg ssh-rsa blen 277 debug1: read PEM private key done: type RSA debug1: Authentication succeeded (publickey). debug1: channel 0: new [client-session] debug1: Requesting no-more-sessions@openssh.com debug1: Entering interactive session. debug1: Sending environment.
ssh -v 嘗試通過代理連接的輸出
local$ ssh -v ec2 OpenSSH_6.7p1 Ubuntu-5ubuntu1.3, OpenSSL 1.0.1f 6 Jan 2014 debug1: Reading configuration data /home/matt/.ssh/config debug1: /home/matt/.ssh/config line 9: Applying options for ec2 debug1: Reading configuration data /etc/ssh/ssh_config debug1: /etc/ssh/ssh_config line 19: Applying options for * debug1: Hostname has changed; re-reading configuration debug1: Reading configuration data /home/matt/.ssh/config debug1: Reading configuration data /etc/ssh/ssh_config debug1: /etc/ssh/ssh_config line 19: Applying options for * debug1: Executing proxy command: exec ssh gateway -W ec2:22 debug1: permanently_drop_suid: 1000 debug1: identity file /home/matt/.ssh/id_rsa type 1 debug1: key_load_public: No such file or directory debug1: identity file /home/matt/.ssh/id_rsa-cert type -1 debug1: key_load_public: No such file or directory debug1: identity file /home/matt/.ssh/id_dsa type -1 debug1: key_load_public: No such file or directory debug1: identity file /home/matt/.ssh/id_dsa-cert type -1 debug1: key_load_public: No such file or directory debug1: identity file /home/matt/.ssh/id_ecdsa type -1 debug1: key_load_public: No such file or directory debug1: identity file /home/matt/.ssh/id_ecdsa-cert type -1 debug1: key_load_public: No such file or directory debug1: identity file /home/matt/.ssh/id_ed25519 type -1 debug1: key_load_public: No such file or directory debug1: identity file /home/matt/.ssh/id_ed25519-cert type -1 debug1: Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-2.0-OpenSSH_6.7p1 Ubuntu-5ubuntu1.3 debug1: Remote protocol version 2.0, remote software version OpenSSH_6.2 debug1: match: OpenSSH_6.2 pat OpenSSH* compat 0x04000000 debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug1: kex: server->client aes128-ctr umac-64-etm@openssh.com none debug1: kex: client->server aes128-ctr umac-64-etm@openssh.com none debug1: sending SSH2_MSG_KEX_ECDH_INIT debug1: expecting SSH2_MSG_KEX_ECDH_REPLY debug1: Server host key: ECDSA 73:<snip>:0c debug1: Host 'ec2.compute.amazonaws.com' is known and matches the ECDSA host key. debug1: Found key in /home/matt/.ssh/known_hosts:11 debug1: SSH2_MSG_NEWKEYS sent debug1: expecting SSH2_MSG_NEWKEYS debug1: SSH2_MSG_NEWKEYS received debug1: Roaming not allowed by server debug1: SSH2_MSG_SERVICE_REQUEST sent debug1: SSH2_MSG_SERVICE_ACCEPT received debug1: Authentications that can continue: publickey debug1: Next authentication method: publickey debug1: Offering RSA public key: /home/matt/.ssh/id_rsa debug1: Authentications that can continue: publickey debug1: Trying private key: /home/matt/.ssh/id_dsa debug1: Trying private key: /home/matt/.ssh/id_ecdsa debug1: Trying private key: /home/matt/.ssh/id_ed25519 debug1: No more authentication methods to try. Permission denied (publickey).
問題似乎是它試圖在我的機器上找到密鑰,而不是從網關機器上獲取它。
ProxyCommand 不像你想像的那樣工作。指定的命令不在網關機器上執行。相反,它在連接的機器上執行。
因此,執行流程是:
- ProxyCommand“ssh gateway -W %h:%p”在“本地”機器上執行。這將使用本地機器上的 RSA 身份建立到網關的 SSH 會話。-W 標誌指定 stdin 和 stdout 將連接到網關上的 TCP 會話發起到您的最終目的地。
- 建立代理會話後,本地機器上的 ssh 再次使用該會話向遠端 SSH 伺服器進行身份驗證,再次使用本地憑據。
這有點令人困惑,但可以將 ProxyCommand 視為在本地 SSH 客戶端和作為最終目的地的 SSH 伺服器之間簡單地設置“管道”。然後,您的本地 SSH 客戶端使用該啞管道與最終目的地的 SSH 服務通信。
關鍵是因此在您的本地機器上執行了兩個SSH 實例,其中一個是 ProxyCommand,另一個是您要建立的實際 SSH 連接!您應該能夠通過查看本地機器上“ps aux”的輸出來驗證這一點。
這將解釋為什麼它試圖在您的本地盒子上使用密鑰材料,而不是在您的網關上進行身份驗證。:-)
rsync 起作用的原因是,您實際上是在執行“ssh gateway ssh”作為您的 –rsh 命令,它實際上在本地機器上執行 ssh 一次以連接到網關,然後在遠端機器上再次執行,這將然後使用遙控鑰匙材料。
希望這可以幫助。