为什么我无法连接到 ssh 反向隧道?
why can i not connect to ssh reverse tunnel?
我正在使用 autossh -M 20000 -fN -R 19999:localhost:22 -i mycert.pem ubuntu@myaws.hopto.org 建立到我的 aws 机器的反向隧道。现在,当我尝试从 aws 访问机器时,我得到以下信息:
$ ssh ron@localhost -P 19999
Permission denied (publickey).
为什么会这样?详细选项显示:
$ ssh ron@localhost -v -P 19999
OpenSSH_7.2p2 Ubuntu-4ubuntu2.4, OpenSSL 1.0.2g 1 Mar 2016
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to localhost [127.0.0.1] port 22.
debug1: Connection established.
debug1: key_load_public: No such file or directory
debug1: identity file /home/ubuntu/.ssh/id_rsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/ubuntu/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/ubuntu/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/ubuntu/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/ubuntu/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/ubuntu/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/ubuntu/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/ubuntu/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.4
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.2p2 Ubuntu-4ubuntu2.4
debug1: match: OpenSSH_7.2p2 Ubuntu-4ubuntu2.4 pat OpenSSH* compat 0x04000000
debug1: Authenticating to localhost:22 as 'ron'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256@libssh.org
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:kT8pM3YwDEYqE+CFzyWQDiSVCLhgMjPLWBJXYPl1BZs
debug1: Host 'localhost' is known and matches the ECDSA host key.
debug1: Found key in /home/ubuntu/.ssh/known_hosts:5
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<rsa-sha2-256,rsa-sha2-512>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /home/ubuntu/.ssh/id_rsa
debug1: Trying private key: /home/ubuntu/.ssh/id_dsa
debug1: Trying private key: /home/ubuntu/.ssh/id_ecdsa
debug1: Trying private key: /home/ubuntu/.ssh/id_ed25519
debug1: No more authentication methods to try.
Permission denied (publickey).
这里发生了什么?为什么它不让我连接?
EDIT1
我发现当我使用 autossh -M 20000 -R 19999:localhost:22 -i mycert.pem 时,我实际上可以很好地建立连接,但目标机器将保持登录状态,这不是我想要的!为什么 -fN 会导致它不起作用?
我也为此苦苦挣扎了一段时间。我的回答可能是非常基本的,并且是一个典型的初学者错误,可能不是你的答案,但我会 post 在这里以防万一其他人遇到麻烦,这对他们有帮助:
您尝试从中反向 ssh 的机器的 public 密钥需要存在于本地机器上的 authorized_keys 文件中。
反向 SSH 连接到本地端口,这实际上是您自己的本地计算机,因此它将在您的本地计算机上寻找 authorized_keys 文件中不存在的 public 密钥。很容易与此混淆,因为您使用 "localhost" 作为地址,但想象一下您正在打开一个门户到某个随机端口的远程位置,然后充当该远程用户进行连接该位置到您创建的端口。当它连接到端口时,它仍然需要通过端口请求权限才能向下发送命令。由于它是您家的门户,因此它会在那里寻找钥匙。如果端口的另一端没有密钥,它将无法工作。
ELI5 风格:
你想让另一个世界给你送东西,但他们不能,因为你在一个秘密地点,所以你做了一个红色端口和一个蓝色端口到另一个世界。
你从红色端口跳过去,但是另一端的人不知道蓝色端口在哪里,所以你必须告诉他们蓝色端口在哪里。他们试图通过端口但无法进入,因为您尚未授权他们过来并且今天没有安全措施。
所以你让他们在那里做了一张钥匙卡然后你把它带回你自己的世界并告诉你自己的安全"this key card is good, let them in"。
现在你可以再回去,叫他们敲门。这次保安看到他们是朋友,就让他们进来了。
所以:
localuser@localmachine:~$ ssh -r <remote port>:localhost:localport remoteuser@remoteaddress
remoteuser@remoteaddress:~$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/$USER/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/$USER/.ssh/id_rsa.
Your public key has been saved in /home/$USER/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:sadfhjkljashdlkfjahw039ufrg094ut remoteuser@remotemachine
The key's randomart image is:
+---[RSA 2048]----+
|=+ +. ..+ o . |
|o ofake art. . |
|asdfghjk |
|+ . .o. . + . |
|.+R . fx s ++ o |
|B + .. . . |
|=+ +.. . . |
|..o .. 0. 0. |
| + o ++ ==o|
+----[SHA256]-----+
remoteuser@remoteaddress:~$ clip ./ssh/id_rsa.pub (or copy it however you can)
remoteuser@remoteaddress:~$ exit
localuser@localmachine:~$ nano/vi/whatever .ssh/authorized_keys (paste the public key there)
localuser@localmachine:~$ ssh -r <remote port>:localhost:localport remoteuser@remoteaddress
remoteuser@remoteaddress:~$ ssh localhost -p <remote port>
同样,这主要针对那些新使用反向 ssh 并且 运行 陷入 "public key" 错误的人。我希望我有所帮助!
我正在使用 autossh -M 20000 -fN -R 19999:localhost:22 -i mycert.pem ubuntu@myaws.hopto.org 建立到我的 aws 机器的反向隧道。现在,当我尝试从 aws 访问机器时,我得到以下信息:
$ ssh ron@localhost -P 19999
Permission denied (publickey).
为什么会这样?详细选项显示:
$ ssh ron@localhost -v -P 19999
OpenSSH_7.2p2 Ubuntu-4ubuntu2.4, OpenSSL 1.0.2g 1 Mar 2016
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to localhost [127.0.0.1] port 22.
debug1: Connection established.
debug1: key_load_public: No such file or directory
debug1: identity file /home/ubuntu/.ssh/id_rsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/ubuntu/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/ubuntu/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/ubuntu/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/ubuntu/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/ubuntu/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/ubuntu/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/ubuntu/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.4
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.2p2 Ubuntu-4ubuntu2.4
debug1: match: OpenSSH_7.2p2 Ubuntu-4ubuntu2.4 pat OpenSSH* compat 0x04000000
debug1: Authenticating to localhost:22 as 'ron'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256@libssh.org
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:kT8pM3YwDEYqE+CFzyWQDiSVCLhgMjPLWBJXYPl1BZs
debug1: Host 'localhost' is known and matches the ECDSA host key.
debug1: Found key in /home/ubuntu/.ssh/known_hosts:5
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<rsa-sha2-256,rsa-sha2-512>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /home/ubuntu/.ssh/id_rsa
debug1: Trying private key: /home/ubuntu/.ssh/id_dsa
debug1: Trying private key: /home/ubuntu/.ssh/id_ecdsa
debug1: Trying private key: /home/ubuntu/.ssh/id_ed25519
debug1: No more authentication methods to try.
Permission denied (publickey).
这里发生了什么?为什么它不让我连接?
EDIT1
我发现当我使用 autossh -M 20000 -R 19999:localhost:22 -i mycert.pem 时,我实际上可以很好地建立连接,但目标机器将保持登录状态,这不是我想要的!为什么 -fN 会导致它不起作用?
我也为此苦苦挣扎了一段时间。我的回答可能是非常基本的,并且是一个典型的初学者错误,可能不是你的答案,但我会 post 在这里以防万一其他人遇到麻烦,这对他们有帮助:
您尝试从中反向 ssh 的机器的 public 密钥需要存在于本地机器上的 authorized_keys 文件中。
反向 SSH 连接到本地端口,这实际上是您自己的本地计算机,因此它将在您的本地计算机上寻找 authorized_keys 文件中不存在的 public 密钥。很容易与此混淆,因为您使用 "localhost" 作为地址,但想象一下您正在打开一个门户到某个随机端口的远程位置,然后充当该远程用户进行连接该位置到您创建的端口。当它连接到端口时,它仍然需要通过端口请求权限才能向下发送命令。由于它是您家的门户,因此它会在那里寻找钥匙。如果端口的另一端没有密钥,它将无法工作。
ELI5 风格:
你想让另一个世界给你送东西,但他们不能,因为你在一个秘密地点,所以你做了一个红色端口和一个蓝色端口到另一个世界。
你从红色端口跳过去,但是另一端的人不知道蓝色端口在哪里,所以你必须告诉他们蓝色端口在哪里。他们试图通过端口但无法进入,因为您尚未授权他们过来并且今天没有安全措施。
所以你让他们在那里做了一张钥匙卡然后你把它带回你自己的世界并告诉你自己的安全"this key card is good, let them in"。
现在你可以再回去,叫他们敲门。这次保安看到他们是朋友,就让他们进来了。
所以:
localuser@localmachine:~$ ssh -r <remote port>:localhost:localport remoteuser@remoteaddress
remoteuser@remoteaddress:~$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/$USER/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/$USER/.ssh/id_rsa.
Your public key has been saved in /home/$USER/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:sadfhjkljashdlkfjahw039ufrg094ut remoteuser@remotemachine
The key's randomart image is:
+---[RSA 2048]----+
|=+ +. ..+ o . |
|o ofake art. . |
|asdfghjk |
|+ . .o. . + . |
|.+R . fx s ++ o |
|B + .. . . |
|=+ +.. . . |
|..o .. 0. 0. |
| + o ++ ==o|
+----[SHA256]-----+
remoteuser@remoteaddress:~$ clip ./ssh/id_rsa.pub (or copy it however you can)
remoteuser@remoteaddress:~$ exit
localuser@localmachine:~$ nano/vi/whatever .ssh/authorized_keys (paste the public key there)
localuser@localmachine:~$ ssh -r <remote port>:localhost:localport remoteuser@remoteaddress
remoteuser@remoteaddress:~$ ssh localhost -p <remote port>
同样,这主要针对那些新使用反向 ssh 并且 运行 陷入 "public key" 错误的人。我希望我有所帮助!