SSH ProxyCommand does not work

I have this ProxyCommand

Host JUMPHOST 
User root 
ProxyCommand ssh -q 172.16.99.11 nc -q0 10.0.0.2 22

When I run it, however, I cannot log in to 10.0.0.2

federico@federico:~ $ ssh JUMPHOST -vvv
OpenSSH_7.2p2 Ubuntu-4ubuntu2.1, OpenSSL 1.0.2g  1 Mar 2016
debug1: Reading configuration data /home/federico/.ssh/config
debug1: /home/federico/.ssh/config line 1414: Applying options for JUMPHOST
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Executing proxy command: exec ssh -q 172.16.99.11 nc -q0 10.0.0.2 22
debug1: permanently_drop_suid: 1000
debug1: identity file /home/federico/.ssh/id_rsa type 1
debug1: key_load_public: No such file or directory
debug1: identity file /home/federico/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/federico/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/federico/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/federico/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/federico/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/federico/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/federico/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.1
ssh_exchange_identification: Connection closed by remote host

The strange thing is that I can log in to the device without any problem if I run plain ssh

federico@federico:~ $ ssh  [email protected]
Last login: Mon Oct 31 19:03:00 2016 from 172.16.0.3
OpenBSD 6.0 (GENERIC) #2148: Tue Jul 26 12:55:20 MDT 2016

Welcome to OpenBSD: The proactively secure Unix-like operating system.

Please use the sendbug(1) utility to report bugs in the system.
Before reporting a bug, please try to reproduce it with the latest
version of the code.  With bug reports, please try to ensure that
enough information to reproduce the problem is enclosed, and if a
known fix for it exists, include that as well.

# ssh [email protected]

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Mon Oct 31 18:53:57 2016 from uk.lnd.lab.bastion.jumphost
root@UKLNDLABJUMPHOST:~# exit

Both servers have my public ssh key.

federico@federico:~ $ cat .ssh/id_rsa.pub 
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAB9TZ/O3Akzb78CY8ExihPJkW6oWsihL30VS1B1ZY6bMiytRnn4Exn58Y1NbxwjMzKae3Ybn1IdLusJFPriDza8w2280nWSWdGVG/7gMNKxMFn0GAGyg5ciN5PfDsBEALZyjM5l1KRCe8NibVypnt4sY6oFonOapzzcWiLAujw/xs++dGUXtCoRegHSZaH5KmSds8vLEdP/045O3ScFKWz2K2vwbQ1kL3gV5GQOR0TG5JLf08eYUDUaIH7JXggP6yLKi1c500mUm5E/yeXyZSjScC0d0th3IFCIuKumG7sg9DKLirxYUdJfd4P061v9Z/Hgdyiniqrgm7TGrPpVHFjDFV02XxGkPHsFWF6wzp433g7ELciz7TdkRXdSe+5Ab56tWisUCZvQusVc6bKQz2VedW5JgS9JTLRA/fGjszf8rqhtsGDnTS6Pqlazny6MXpKnwwr5sNDskfrQI9gmusHWLxW8QSfNDidYoNvhhvsk0sBDFVwe+JmLAqXhWZsBI6cEhC/RLfgt1WXtWagGTZ7U0zOztUTwmNg5ZzznqEnRMWeOsYBabj+5MNUK/cGMW0i1jHMqnoOHGfutrWkdNZE08xpx3hvrDJEZFpuccji1igKpneja7k+dFk7o8TFoKD5tFkqQtXlWwkarG7eKUKdYL2+EBCmbw== federico@federico
federico@federico:~ $ ssh [email protected]
Last login: Mon Oct 31 19:13:05 2016 from 172.16.0.3
OpenBSD 6.0 (GENERIC) #2148: Tue Jul 26 12:55:20 MDT 2016

Welcome to OpenBSD: The proactively secure Unix-like operating system.

Please use the sendbug(1) utility to report bugs in the system.
Before reporting a bug, please try to reproduce it with the latest
version of the code.  With bug reports, please try to ensure that
enough information to reproduce the problem is enclosed, and if a
known fix for it exists, include that as well.

# cat .ssh/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC21HOxZtkDzXLyBTDlFxZF/c4iL29ZumnaKPhm3maDIdCfnBeq+Ik6r5C9Avwsk6ycc3EWfTqa0b3wvr5sDpqgfUTDi5uKvSV0MwXkin84bOJFm4uO9Gh26h4XrXKPHIotaLpt/6xmuTS1KvR3azKy2yoC8rlvRCF9xO+0Hf9ZEShAGRx+Jfk9EUZYu0TUPehuQk5LwpiXuk2VEGvnA8volx9glO4/65dR8PIkkR8lLNtBVgukuK5BcxF6/KxLL2pSKFEJIYzyL8HEHsgQxWcrSiqeTjSvWkSmfvYx6JqzxbDQ8NvI2aCZ2zIOeewQgcE9gx+dDb5G0vvq/Pz3GT4N root@UKLNDLABJUMPHOST
ssh-rsa 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 federico@federico
# ssh
ssh          ssh-add      ssh-agent    ssh-askpass  ssh-keygen   ssh-keyscan  sshd         
# ssh 10.0.0.2

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Mon Oct 31 19:12:54 2016 from uk.lnd.lab.bastion.jumphost
root@UKLNDLABJUMPHOST:~# cat .ssh/authorized_keys 
ssh-rsa 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 federico@federico
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCx0aXuxhIql7YpN7k7HseJGTedFdc2MMbiAJuYh3IYxiTzfHh0BbH8FbcS5t1op6lm3Mf0GaYPCm/JYVtnCKUc0YEIN37/t9KfCkTDtKEM6vW05aeCkHvGqHpI5IDLE7OOJvlsi6kQ+Nr7YY6mddKCZ4C58Bg6PoplCdEb7sKN6z38VvnJu/djUPybK0Eb9LsNZCuiYA6ddj6i3gTrkSJO4SsDUd2iAHYxU6ckFSr5P1wgYYABtUgzCcmtxt4epY4xjbbdI5yJxMyl7dHtQsY9J9EBvsYFNxtTw7FYUqXmqRLwnzi6YQ4YOCs1yAYCmMcLbI2BQF3Ym8zQGTsGZ6qX [email protected]
root@UKLNDLABJUMPHOST:~# 

The problem seems to be the user. Even though I specify the root user in the ProxyCommand as well as in the ssh command, it seems that the user federico is passed to the ssh service instead of the root user.

Oct 31 21:37:11 UK sshd[81208]: Invalid user federico from 172.16.0.3 port 39964
Oct 31 21:37:11 UK sshd[81208]: input_userauth_request: invalid user federico [preauth]
Oct 31 21:37:11 UK sshd[81208]: Connection closed by 172.16.0.3 port 39964 [preauth]
Oct 31 21:37:22 UK sshd[1763]: Invalid user federico from 172.16.0.3 port 39966
Oct 31 21:37:22 UK sshd[1763]: input_userauth_request: invalid user federico [preauth]
Oct 31 21:37:22 UK sshd[1763]: Connection closed by 172.16.0.3 port 39966 [preauth]
Oct 31 21:39:29 UK sshd[14073]: Accepted publickey for root from 172.16.0.3 port 39992 ssh2: RSA SHA256:lKGdTJBP83LONM/MR2yGXJuViH5Z2ltUqiqVV9nStCA
Oct 31 21:39:31 UK sshd[14073]: Received disconnect from 172.16.0.3 port 39992:11: disconnected by user
Oct 31 21:39:31 UK sshd[14073]: Disconnected from 172.16.0.3 port 39992
Oct 31 21:40:25 UK sshd[56193]: Accepted publickey for root from 172.16.0.3 port 39994 ssh2: RSA SHA256:lKGdTJBP83LONM/MR2yGXJuViH5Z2ltUqiqVV9nS

Answer 1

ProxyCommand ssh -q [email protected] nc -q0 10.0.0.2 22
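
Why the intermediate host was offered the local login name: the `ssh` inside `ProxyCommand` is a separate client invocation that looks up its own target (`172.16.99.11`) in the config, so `User root` under `Host JUMPHOST` never applies to it. The sketch below is an added example, not part of the original answer; it models only first-match `Host`/`User` resolution (no `Match`, negated patterns or options that take arguments), and `hop_users`, `FIXED` and the sample configs are constructed for illustration.

```python
import fnmatch
import shlex

# Constructed from the question's config; the local login name is "federico".
QUESTION = """Host JUMPHOST
User root
ProxyCommand ssh -q 172.16.99.11 nc -q0 10.0.0.2 22
"""
# Constructed fix: give the intermediate host its own Host block.
FIXED = "Host 172.16.99.11\nUser root\n" + QUESTION

def parse_config(text):
    """Return [(patterns, options)] in file order; globals live under '*'."""
    blocks = [(["*"], {})]
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "host":
            blocks.append((value.split(), {}))
        else:
            blocks[-1][1].setdefault(key, value)
    return blocks

def resolve(blocks, target, local_user):
    """Options for one ssh invocation: 'user@host' on the command line wins,
    then the first matching Host block, then the local login name."""
    user, _, host = target.rpartition("@")
    opts = {}
    for patterns, block in blocks:
        if any(fnmatch.fnmatch(host, p) for p in patterns):
            for key, value in block.items():
                opts.setdefault(key, value)  # first obtained value is kept
    opts["user"] = user or opts.get("user", local_user)
    return opts

def hop_users(config_text, alias, local_user):
    """Login names used by the outer ssh and by the ssh inside ProxyCommand."""
    blocks = parse_config(config_text)
    outer = resolve(blocks, alias, local_user)
    argv = shlex.split(outer["proxycommand"])
    # Simplification: the first non-option word after 'ssh' is the inner target.
    inner_target = next(a for a in argv[1:] if not a.startswith("-"))
    inner = resolve(blocks, inner_target, local_user)
    return {"outer": outer["user"], "inner": inner["user"],
            "inner_target": inner_target}
```

On a real client, `ssh -G 172.16.99.11` prints the options the inner hop would actually use, including `user`.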

Answer 2

Try changing your ProxyCommand to include -A, like this:

ProxyCommand ssh -A -q 172.16.99.11 nc -q0 10.0.0.2 22
