我正在嘗試透過網關連接到 EC2 執行個體。
如果我連接到網關
local> ssh gateway
然後我就可以無需密碼連接到EC2
gateway> ssh ec2 # works
但是,嘗試透過代理連接似乎需要身份文件。
Host gateway
HostName <gateway>
Host ec2
HostName ec2-<ec2>.compute.amazonaws.com
ProxyCommand ssh gateway -W %h:%p
local> ssh ec2
Permission denied (publickey).
我認為 ProxyCommand 基本上是將我登入網關,然後登入最終目的地。如果是這樣,當網關設定為不需要公鑰時,為什麼它會要求我提供公鑰?如何以與 ssh 進入網關然後 ssh 進入 ec2 相同的方式連接到 ec2 實例?
編輯:rsync 正常工作(不要求金鑰檔案)
rsync -pthrvz --rsync-path=/usr/bin/rsync --rsh='ssh gateway ssh' . ec2:/path
ssh -v 輸出gateway> ssh ec2
gateway> ssh -v ec2
OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to ec2 port 22.
debug1: Connection established.
debug1: identity file <snip> type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.2
debug1: match: OpenSSH_6.2 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.3
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'ec2' is known and matches the RSA host key.
debug1: Found key in ~/.ssh/known_hosts:63
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Trying private key: ~/.ssh/identity
debug1: Offering public key: ~/.ssh/id_rsa
debug1: Server accepts key: pkalg ssh-rsa blen 277
debug1: read PEM private key done: type RSA
debug1: Authentication succeeded (publickey).
debug1: channel 0: new [client-session]
debug1: Requesting [email protected]
debug1: Entering interactive session.
debug1: Sending environment.
嘗試透過代理連接的 ssh -v 輸出
local$ ssh -v ec2
OpenSSH_6.7p1 Ubuntu-5ubuntu1.3, OpenSSL 1.0.1f 6 Jan 2014
debug1: Reading configuration data /home/matt/.ssh/config
debug1: /home/matt/.ssh/config line 9: Applying options for ec2
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Hostname has changed; re-reading configuration
debug1: Reading configuration data /home/matt/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Executing proxy command: exec ssh gateway -W ec2:22
debug1: permanently_drop_suid: 1000
debug1: identity file /home/matt/.ssh/id_rsa type 1
debug1: key_load_public: No such file or directory
debug1: identity file /home/matt/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/matt/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/matt/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/matt/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/matt/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/matt/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/matt/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.7p1 Ubuntu-5ubuntu1.3
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.2
debug1: match: OpenSSH_6.2 pat OpenSSH* compat 0x04000000
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr [email protected] none
debug1: kex: client->server aes128-ctr [email protected] none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ECDSA 73:<snip>:0c
debug1: Host 'ec2.compute.amazonaws.com' is known and matches the ECDSA host key.
debug1: Found key in /home/matt/.ssh/known_hosts:11
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/matt/.ssh/id_rsa
debug1: Authentications that can continue: publickey
debug1: Trying private key: /home/matt/.ssh/id_dsa
debug1: Trying private key: /home/matt/.ssh/id_ecdsa
debug1: Trying private key: /home/matt/.ssh/id_ed25519
debug1: No more authentication methods to try.
Permission denied (publickey).
問題似乎是它試圖在我的機器上找到密鑰,而不是從網關機器上獲取密鑰。
答案1
ProxyCommand 並不像您想像的那樣運作。指定的命令未在網關計算機上執行。相反,它在連接機器上運行。
因此執行流程為:
ProxyCommand「ssh gateway -W %h:%p」在「本機」電腦上執行。這將使用本機上的 RSA 身分建立與網關的 SSH 會話。 -W 標誌指定 stdin 和 stdout 將連線到最終目的地閘道上的 TCP 會話來源。
建立代理會話後,本機上的 ssh 再次使用該會話對遠端 SSH 伺服器進行身份驗證,同樣使用本機憑證。
這有點令人困惑,但可以將 ProxyCommand 視為簡單地在本機 SSH 用戶端和最終目的地 SSH 伺服器之間設定一個「管道」。然後,本地 SSH 用戶端使用該啞管道與最終目標的 SSH 服務進行通訊。
關鍵是有因此二在本機上執行的 SSH 實例,其中之一是 ProxyCommand,另一個是您要建立的實際 SSH 連線!您應該能夠透過查看本機上「ps aux」的輸出來驗證這一點。
這就解釋了為什麼它嘗試使用本地盒子上的密鑰材料,而不是網關上的密鑰材料來進行身份驗證。 :-)
rsync 起作用的原因是,您實際上正在執行“ssh gateway ssh”作為 --rsh 命令,該命令實際上在本地機器上運行 ssh 一次以連接到網關,然後在遠端機器上再次運行一次,這將然後使用遠端密鑰材料。
希望這可以幫助。