ssh ProxyCommand not working

I have this ProxyCommand:

Host JUMPHOST 
User root 
ProxyCommand ssh -q 172.16.99.11 nc -q0 10.0.0.2 22

But when I run it, I cannot log in to 10.0.0.2:

federico@federico:~ $ ssh JUMPHOST -vvv
OpenSSH_7.2p2 Ubuntu-4ubuntu2.1, OpenSSL 1.0.2g  1 Mar 2016
debug1: Reading configuration data /home/federico/.ssh/config
debug1: /home/federico/.ssh/config line 1414: Applying options for JUMPHOST
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Executing proxy command: exec ssh -q 172.16.99.11 nc -q0 10.0.0.2 22
debug1: permanently_drop_suid: 1000
debug1: identity file /home/federico/.ssh/id_rsa type 1
debug1: key_load_public: No such file or directory
debug1: identity file /home/federico/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/federico/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/federico/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/federico/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/federico/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/federico/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/federico/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.1
ssh_exchange_identification: Connection closed by remote host

Strangely, if I run a plain ssh, I can log in to the devices without any problem.

federico@federico:~ $ ssh  [email protected]
Last login: Mon Oct 31 19:03:00 2016 from 172.16.0.3
OpenBSD 6.0 (GENERIC) #2148: Tue Jul 26 12:55:20 MDT 2016

Welcome to OpenBSD: The proactively secure Unix-like operating system.

Please use the sendbug(1) utility to report bugs in the system.
Before reporting a bug, please try to reproduce it with the latest
version of the code.  With bug reports, please try to ensure that
enough information to reproduce the problem is enclosed, and if a
known fix for it exists, include that as well.

# ssh [email protected]                                                                                                                                                                                             

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Mon Oct 31 18:53:57 2016 from uk.lnd.lab.bastion.jumphost
root@UKLNDLABJUMPHOST:~# exit

Both servers have my public SSH key:

federico@federico:~ $ cat .ssh/id_rsa.pub 
ssh-rsa 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 federico@federico
federico@federico:~ $ ssh [email protected]
Last login: Mon Oct 31 19:13:05 2016 from 172.16.0.3
OpenBSD 6.0 (GENERIC) #2148: Tue Jul 26 12:55:20 MDT 2016

Welcome to OpenBSD: The proactively secure Unix-like operating system.

Please use the sendbug(1) utility to report bugs in the system.
Before reporting a bug, please try to reproduce it with the latest
version of the code.  With bug reports, please try to ensure that
enough information to reproduce the problem is enclosed, and if a
known fix for it exists, include that as well.

# cat .ssh/authorized_keys                                                                                                                                                                                        
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC21HOxZtkDzXLyBTDlFxZF/c4iL29ZumnaKPhm3maDIdCfnBeq+Ik6r5C9Avwsk6ycc3EWfTqa0b3wvr5sDpqgfUTDi5uKvSV0MwXkin84bOJFm4uO9Gh26h4XrXKPHIotaLpt/6xmuTS1KvR3azKy2yoC8rlvRCF9xO+0Hf9ZEShAGRx+Jfk9EUZYu0TUPehuQk5LwpiXuk2VEGvnA8volx9glO4/65dR8PIkkR8lLNtBVgukuK5BcxF6/KxLL2pSKFEJIYzyL8HEHsgQxWcrSiqeTjSvWkSmfvYx6JqzxbDQ8NvI2aCZ2zIOeewQgcE9gx+dDb5G0vvq/Pz3GT4N root@UKLNDLABJUMPHOST
ssh-rsa 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 federico@federico
# ssh
ssh          ssh-add      ssh-agent    ssh-askpass  ssh-keygen   ssh-keyscan  sshd         
# ssh 10.0.0.2

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Mon Oct 31 19:12:54 2016 from uk.lnd.lab.bastion.jumphost
root@UKLNDLABJUMPHOST:~# cat .ssh/authorized_keys 
ssh-rsa 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 federico@federico
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCx0aXuxhIql7YpN7k7HseJGTedFdc2MMbiAJuYh3IYxiTzfHh0BbH8FbcS5t1op6lm3Mf0GaYPCm/JYVtnCKUc0YEIN37/t9KfCkTDtKEM6vW05aeCkHvGqHpI5IDLE7OOJvlsi6kQ+Nr7YY6mddKCZ4C58Bg6PoplCdEb7sKN6z38VvnJu/djUPybK0Eb9LsNZCuiYA6ddj6i3gTrkSJO4SsDUd2iAHYxU6ckFSr5P1wgYYABtUgzCcmtxt4epY4xjbbdI5yJxMyl7dHtQsY9J9EBvsYFNxtTw7FYUqXmqRLwnzi6YQ4YOCs1yAYCmMcLbI2BQF3Ym8zQGTsGZ6qX [email protected]
root@UKLNDLABJUMPHOST:~# 

The problem seems to be the user. It looks like user federico is being passed to the ssh server instead of user root, even though I specified user root in the ProxyCommand and in the ssh command.

Oct 31 21:37:11 UK sshd[81208]: Invalid user federico from 172.16.0.3 port 39964
Oct 31 21:37:11 UK sshd[81208]: input_userauth_request: invalid user federico [preauth]
Oct 31 21:37:11 UK sshd[81208]: Connection closed by 172.16.0.3 port 39964 [preauth]
Oct 31 21:37:22 UK sshd[1763]: Invalid user federico from 172.16.0.3 port 39966
Oct 31 21:37:22 UK sshd[1763]: input_userauth_request: invalid user federico [preauth]
Oct 31 21:37:22 UK sshd[1763]: Connection closed by 172.16.0.3 port 39966 [preauth]
Oct 31 21:39:29 UK sshd[14073]: Accepted publickey for root from 172.16.0.3 port 39992 ssh2: RSA SHA256:lKGdTJBP83LONM/MR2yGXJuViH5Z2ltUqiqVV9nStCA
Oct 31 21:39:31 UK sshd[14073]: Received disconnect from 172.16.0.3 port 39992:11: disconnected by user
Oct 31 21:39:31 UK sshd[14073]: Disconnected from 172.16.0.3 port 39992
Oct 31 21:40:25 UK sshd[56193]: Accepted publickey for root from 172.16.0.3 port 39994 ssh2: RSA SHA256:lKGdTJBP83LONM/MR2yGXJuViH5Z2ltUqiqVV9nS

Answer 1

ProxyCommand ssh -q [email protected] nc -q0 10.0.0.2 22

Answer 2

Try changing the ProxyCommand to include -A, as follows:

ProxyCommand ssh -A -q 172.16.99.11 nc -q0 10.0.0.2 22
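
Added example, not part of the question or either answer: the configuration from the question beside a form that sets the user for each hop explicitly. The aliases "bastion" and "target" are assumed names, and root on 172.16.99.11 is an assumption taken from the "Accepted publickey for root" lines in the sshd log above.

```sshconfig
# --- As posted in the question ---
# "User root" applies only to the outer connection, the one that runs
# through the proxy to 10.0.0.2. The inner "ssh -q 172.16.99.11" is a
# separate ssh invocation: no Host block matches 172.16.99.11, so it logs
# in with the local account name (federico), which the first hop rejects
# ("Invalid user federico" in the sshd log).
Host JUMPHOST
    User root
    ProxyCommand ssh -q 172.16.99.11 nc -q0 10.0.0.2 22

# --- Each hop with its own Host block (assumed aliases) ---
# First hop: the inner ssh below matches this block and picks up User root.
Host bastion
    HostName 172.16.99.11
    User root

# Final destination: reached through the first hop.
# -W %h:%p makes the inner ssh forward stdin/stdout to HostName:Port of
# this block, so nc is not needed on the first hop.
# Authentication to 10.0.0.2 is done by the local client through that
# tunnel, so the key and agent stay on the workstation and no agent
# forwarding (-A) to the first hop is required.
Host target
    HostName 10.0.0.2
    User root
    ProxyCommand ssh -q -W %h:%p bastion

# OpenSSH 7.3 and later can replace the ProxyCommand line with:
#     ProxyJump bastion
# The client in the question reports OpenSSH_7.2p2, which predates it.
```

Running `ssh -G bastion` and `ssh -G target` prints the resolved user, hostname and proxycommand for each alias without connecting, which confirms the user each hop will present before the first login attempt.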
