Layered ssh connection – the second ssh command looks for keys in the wrong directory

I am logged in to a server called Walnut, and I am trying to log in to another server called Hazelnut.

local machine (mac) ---ssh---> Walnut ---ssh---> Hazelnut 

The first SSH (from my local machine to Walnut) works fine.

The second ssh command, however, gives me permission denied.

This is what the log says when I do ssh -v -A Hazelnut

    debug1: Reading configuration data /etc/ssh/ssh_config
    debug1: /etc/ssh/ssh_config line 19: Applying options for *
    debug1: Connecting to Hazelnut [address] port [port].
    debug1: Connection established.
    debug1: identity file /home/username/.ssh/id_rsa type -1
    debug1: identity file /home/username/.ssh/id_rsa-cert type -1
    debug1: identity file /home/username/.ssh/id_dsa type -1
    debug1: identity file /home/username/.ssh/id_dsa-cert type -1
    debug1: identity file /home/username/.ssh/id_ecdsa type -1
    debug1: identity file /home/username/.ssh/id_ecdsa-cert type -1
    debug1: Remote protocol version 2.0, remote software version OpenSSH_6.7p1 Debian-5+deb8u2
    debug1: match: OpenSSH_6.7p1 Debian-5+deb8u2 pat OpenSSH*
    debug1: Enabling compatibility mode for protocol 2.0
    debug1: Local version string SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u2
    debug1: SSH2_MSG_KEXINIT sent
    debug1: SSH2_MSG_KEXINIT received
    debug1: kex: server->client aes128-ctr hmac-sha1 none
    debug1: kex: client->server aes128-ctr hmac-sha1 none
    debug1: sending SSH2_MSG_KEX_ECDH_INIT
    debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
    debug1: Server host key: [Host key]
    debug1: Host 'Hazelnut' is known and matches the ECDSA host key.
    debug1: Found key in /home/username/.ssh/known_hosts:1
    debug1: ssh_ecdsa_verify: signature correct
    debug1: SSH2_MSG_NEWKEYS sent
    debug1: expecting SSH2_MSG_NEWKEYS
    debug1: SSH2_MSG_NEWKEYS received
    debug1: Roaming not allowed by server
    debug1: SSH2_MSG_SERVICE_REQUEST sent
    debug1: SSH2_MSG_SERVICE_ACCEPT received
    debug1: Authentications that can continue: publickey
    debug1: Next authentication method: publickey
    debug1: Trying private key: /home/username/.ssh/id_rsa
    debug1: Trying private key: /home/username/.ssh/id_dsa
    debug1: Trying private key: /home/username/.ssh/id_ecdsa
    debug1: No more authentication methods to try.
    Permission denied (publickey).

So I think the log clearly shows that it did not find the key file at the end. What is confusing is that, since the private key resides on the local mac machine, it should be looking for the file in /Users/username/.ssh/, not /home/username/.ssh/. The first ssh command (from local to Walnut) does this correctly, but the second command (from Walnut to Hazelnut) somehow messes it up.

What is even more confusing is that the exact same procedure works perfectly on many other mac machines that look exactly the same. If you try to ssh from Walnut into Hazelnut using any other mac machine, it looks for the key file in the correct (/Users/username/.ssh) directory.

Has anyone had this problem?

You need to either make your ssh agent available, using this command on your mac: ssh -A walnut and then ssh to Hazelnut.

Doing this, though, is considered bad practice because it exposes your agent to the remote machine. If an attacker is on Walnut, they could steal your private key.

Or tunnel to Hazelnut. There are many ways to do this, but…

Use the -J option – a shortcut for the ProxyJump option (openssh ver. 7.3+ required):

 ssh -J <jumphost> <target> 

The ProxyCommand option using netcat on the jump host (the jump host runs nc towards the target, and %h/%p expand to the target's host and port):

    ssh -o ProxyCommand="ssh <jumphost> nc %h %p" <target> 

Or ProxyCommand using the -W option:

 ssh -o ProxyCommand="ssh -W %h:%p <jumphost>" <target> 

The ProxyCommand and ProxyJump configuration directives can also be placed in the ssh configuration file to achieve the same effect.
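As an added example (not part of the original answer), here is the same jump through Walnut written as an ssh configuration on the local Mac, with agent forwarding switched off so the private key never has to be reachable from Walnut. The HostName values, the user name and the key path are placeholders assumed for the example, not values taken from the original post.

```sshconfig
# ~/.ssh/config on the local Mac (added example; hostnames, user and key
# path are placeholders, not values from the original post)

Host walnut
    HostName walnut.example.com
    User username
    IdentityFile ~/.ssh/id_ed25519
    IdentitiesOnly yes
    # Keep the agent off the jump host: the tunnel below does not need it.
    ForwardAgent no

Host hazelnut
    HostName hazelnut.example.com
    User username
    # OpenSSH 7.3+ on the Mac: open a TCP channel through walnut and
    # authenticate to hazelnut end to end with the Mac's own key.
    ProxyJump walnut
    # Equivalent for older clients (uncomment and remove ProxyJump):
    # ProxyCommand ssh -W %h:%p walnut
    IdentityFile ~/.ssh/id_ed25519
    IdentitiesOnly yes
    ForwardAgent no
```

With this in place, `ssh hazelnut` on the Mac performs both hops. `ssh -G hazelnut` prints the effective options and should list walnut as the proxyjump, and `ssh -v hazelnut` should show the identity file under /Users/username/.ssh being offered to Hazelnut rather than a path on Walnut. Two caveats: both ProxyJump and the -W form rely on Walnut's sshd permitting TCP forwarding (AllowTcpForwarding), and because the SSH session to Hazelnut is end to end, its host key is checked against the Mac's own known_hosts, so a compromised jump host cannot quietly redirect the connection without triggering a host key mismatch.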