[Reprint] ssh tips: jump hosts

Reprinted; original: https://segmentfault.com/a/1190000020326898?utm_source=tag-newest

----------------------------------------------------

When managing servers on an external network, for security and other reasons we generally do not make every ssh server directly reachable. Instead we pick one machine as a jump host (also called a bastion or springboard): to connect to a server on the external network, we first log in to the jump host via ssh, and then log in from the jump host to the target server.

Here we use an experiment to show the login process through the jump host.

In this experiment, the machine 192.168.57.3 represents the target server; it cannot be reached by ssh directly, only via the jump host. The machine 192.168.56.5 represents the jump host, which can be reached by ssh directly.

To make testing easier, we copied the ssh public key of our own computer into the .ssh/authorized_keys file on both the target server and the jump host, so that we can log in to both without a password.

Here is the testing process:

  • Log in to the jump host with ssh.
$ ssh u3@192.168.56.5
Last login: Sun Sep 8 19:51:48 2019 from 192.168.56.1
u3@h3:~$
  • Log in from the jump host to the target server.
u3@h3:~$ ssh -o "PasswordAuthentication no" u2@192.168.57.3
u2@192.168.57.3: Permission denied (publickey,password).

The -o "PasswordAuthentication no" option of the command tells ssh not to use password login, so the attempt can only succeed by key.

Since we have copied the public key of our computer into the target machine's .ssh/authorized_keys file, in theory the login should succeed, yet the command above reports a login failure. What went wrong?

The answer is simple: ssh key login relies on a public/private key pair. The public key has indeed been copied to the target machine, but at this point we are on the jump host, and the jump host does not hold the private key that lives on our own machine.

Could we just copy the private key to the jump host, then?

No. Once the private key is copied to the jump host, anyone else who can log in to the jump host can obtain our private key, which is very unsafe.

Then what should we do?

This problem can be solved with ssh agent forwarding. Let's look at the concrete steps first, and then explain how it works.

Go back to our own machine and perform the following steps:

  • Start ssh-agent, then add our private keys to it.
$ eval $(ssh-agent)
Agent pid 8350
$ ssh-add
Identity added: /home/yt/.ssh/id_rsa (yt@arch)
Identity added: /home/yt/.ssh/id_ed25519 (yt@arch)
  • Log in to the jump host with ssh, this time adding the -A option, which turns on agent forwarding.
$ ssh -A u3@192.168.56.5
Last login: Sun Sep  8 21:13:01 2019 from 192.168.56.1
u3@h3:~$
  • Log in from the jump host to the target machine.
u3@h3:~$ ssh u2@192.168.57.3
Last login: Sun Sep 8 20:45:03 2019 from 192.168.57.4
u2@h2:~$

As shown above, the login from the jump host to the target machine now succeeds. The reason is that we turned on agent forwarding, but how exactly does it help us log in to the target machine from the jump host?

When we ssh from the jump host to the target machine, the target machine requires the jump host to authenticate with the private key matching the public key in authorized_keys. The jump host does not have that key; it is stored on our own computer. However, because we turned on agent forwarding when we logged in to the jump host from our computer, the jump host forwards the authentication request back to our own computer over the existing ssh connection. On our computer the request is handed to the ssh-agent process, and since we added our private key to ssh-agent with ssh-add at the beginning, the agent answers the request with the private key and the authentication succeeds. Our computer returns the authentication result to the jump host, which passes it on to the target machine. Thus, even though the private key never exists on the jump host, the login to the target machine succeeds.

That is the login process through a jump host, but it is only the basic method. There is actually an easier way; let's try it experimentally.

Again, go back to our own machine and run the following command:

$ ssh -J u3@192.168.56.5 u2@192.168.57.3
Last login: Sun Sep 8 21:09:13 2019 from 192.168.57.4
u2@h2:~$

With one command we are logged in to the target machine directly, without manually going through the hop from the jump host to the target machine.

The -J option of the command specifies the jump host. When the command runs, ssh logs in to the jump host for us and then on to the target machine; everything is automatic.

Another benefit of specifying the jump host with -J is that copying files with scp becomes more convenient.

In the ordinary way we would first have to copy the file to the jump host and then from the jump host to the target machine, which is very troublesome; with -J a single command does it:

$ scp -J u3@192.168.56.5 abc.txt u2@192.168.57.3:/home/u2/
abc.txt
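As an added example (not code from the original article), the following POSIX shell script makes the -J hop from the section above robust and ties it back to the agent-forwarding section: it checks whether the local OpenSSH client supports -J (added in OpenSSH 7.3), falls back to the older ProxyCommand with ssh -W on older clients, and emits the ~/.ssh/config stanza that makes the hop permanent without ever forwarding the agent to the jump host. It uses the article's u3@192.168.56.5 jump host and u2@192.168.57.3 target; the "target" alias and the script's "connect" argument are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the original article: hop through the jump host
# in the way the local OpenSSH client supports, and emit a config stanza that
# makes the hop permanent. Hosts and users are the article's; the "target"
# alias and the "connect" argument are assumptions of this example.
JUMP="u3@192.168.56.5"
TARGET_HOST="192.168.57.3"
TARGET_USER="u2"

# Extract "major.minor" from an `ssh -V` banner such as
# "OpenSSH_8.9p1 Ubuntu-3ubuntu0.6, OpenSSL 3.0.2 15 Mar 2022" -> 8.9
openssh_version() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Exit 0 when the client supports -J / ProxyJump (added in OpenSSH 7.3).
jump_supported() {
    ver=$(openssh_version "$1")
    [ -n "$ver" ] || return 1
    major=${ver%%.*}
    minor=${ver#*.}
    [ "$major" -gt 7 ] || { [ "$major" -eq 7 ] && [ "$minor" -ge 3 ]; }
}

# Equivalent of -J for clients older than 7.3: the jump host's ssh relays
# stdin/stdout to the target with -W. As with -J, the second hop is still
# authenticated end to end by the key on our own machine, so no agent is
# forwarded to the jump host and it never sees our private key.
legacy_proxy_command() {
    printf 'ssh -W %%h:%%p %s\n' "$JUMP"
}

# ~/.ssh/config stanza so that plain "ssh target" does the hop. ForwardAgent
# stays off: with ProxyJump the jump host only relays bytes, so it gets no
# access to our agent, unlike the -A method shown earlier.
config_stanza() {
    printf 'Host target\n    HostName %s\n    User %s\n    ProxyJump %s\n    ForwardAgent no\n' \
        "$TARGET_HOST" "$TARGET_USER" "$JUMP"
}

# Run as "./jump.sh connect" to open a shell on the target through the jump host.
if [ "${1:-}" = "connect" ]; then
    if jump_supported "$(ssh -V 2>&1)"; then
        exec ssh -J "$JUMP" "$TARGET_USER@$TARGET_HOST"
    else
        exec ssh -o ProxyCommand="$(legacy_proxy_command)" "$TARGET_USER@$TARGET_HOST"
    fi
fi
```

Append the output of config_stanza to ~/.ssh/config and "ssh target" (or "scp -r dir target:/home/u2/") performs the hop with no -J needed on the command line.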

Perfect!

That is all about ssh jump hosts; we hope it helps.

The end.

Origin www.cnblogs.com/oxspirt/p/12152363.html