SSH 클라이언트에서 프록시 전달을 설정했습니다.
Host *
ForwardAgent yes
User somebody
IdentityFile ~/.ssh/id_rsa
AddKeysToAgent yes
원격 시스템에 로그인하면 내 환경에 다음이 표시됩니다.
bastion1 $ env | grep SSH
SSH_CONNECTION=84.92.91.231 43330 10.10.0.207 22
SSH_AUTH_SOCK=/tmp/ssh-tXaJaakQAi/agent.9736
SSH_CLIENT=84.92.91.231 43330 22
SSH_TTY=/dev/pts/0
그러나 연결 공유도 사용하고 싶습니다.
Host *
ForwardAgent yes
User somebody
IdentityFile ~/.ssh/id_rsa
AddKeysToAgent yes
ControlPath ~/.ssh/S.%r@%h:%p
ControlMaster auto
ControlPersist yes
이로 인해 프록시 전달이 작동하지 않는 것 같습니다. 누락된 사항을 참고하세요 SSH_AUTH_SOCK.
bastion1 $ env | grep SSH
SSH_CONNECTION=84.92.91.231 42996 10.10.0.207 22
SSH_CLIENT=84.92.91.231 42996 22
SSH_TTY=/dev/pts/0
이 문제를 극복하는 것이 가능합니까?
편집 1
마스터 연결(슬레이브를 연결할 때 프롬프트 다음에 이 연결에서 일부 출력이 발생합니다. bastion1):
$ ssh -vv rgs-gameiom
OpenSSH_7.6p1 Ubuntu-4ubuntu0.3, OpenSSL 1.0.2n 7 Dec 2017
debug1: Reading configuration data /home/jan/.ssh/config
debug1: /home/jan/.ssh/config line 46: Applying options for rgs-gameiom
debug1: /home/jan/.ssh/config line 61: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: auto-mux: Trying existing master
debug1: Control socket "/home/jan/.ssh/[email protected]:22" does not exist
debug2: resolving "35.178.7.91" port 22
debug2: ssh_connect_direct: needpriv 0
debug1: Connecting to 35.178.7.91 [35.178.7.91] port 22.
debug1: Connection established.
debug1: identity file /home/jan/.ssh/id_rsa type 0
debug1: key_load_public: No such file or directory
debug1: identity file /home/jan/.ssh/id_rsa-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.4p1 Debian-10+deb9u6
debug1: match: OpenSSH_7.4p1 Debian-10+deb9u6 pat OpenSSH* compat 0x04000000
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to 35.178.7.91:22 as 'jan'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-info-c
debug2: host key algorithms: [email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[email protected],[email protected],ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug2: ciphers ctos: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
debug2: ciphers stoc: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
debug2: MACs ctos: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,[email protected],zlib
debug2: compression stoc: none,[email protected],zlib
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
debug2: host key algorithms: ssh-rsa,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519
debug2: ciphers ctos: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
debug2: ciphers stoc: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
debug2: MACs ctos: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,[email protected]
debug2: compression stoc: none,[email protected]
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: [email protected] MAC: <implicit> compression: none
debug1: kex: client->server cipher: [email protected] MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:DXIktsHBhM8nmqno2LbFZyb7puxygfT8mQbpbGvjyTw
debug1: Host '35.178.7.91' is known and matches the ECDSA host key.
debug1: Found key in /home/jan/.ssh/known_hosts:6
debug2: set_newkeys: mode 1
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug2: set_newkeys: mode 0
debug1: rekey after 134217728 blocks
debug2: key: /home/jan/.ssh/id_rsa (0x561bdfac2e00), explicit, agent
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering public key: RSA SHA256:GJMv7wpMeWFOdsaum+toBTWm5C3I+sSkdMrNiWrNszM /home/jan/.ssh/id_rsa
debug2: we sent a publickey packet, wait for reply
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug2: input_userauth_pk_ok: fp SHA256:GJMv7wpMeWFOdsaum+toBTWm5C3I+sSkdMrNiWrNszM
Authenticated with partial success.
debug1: Authentications that can continue: password
debug1: Next authentication method: password
[email protected]'s password:
debug2: we sent a password packet, wait for reply
debug1: Authentication succeeded (password).
Authenticated to 35.178.7.91 ([35.178.7.91]:22).
debug1: setting up multiplex master socket
debug2: fd 5 setting O_NONBLOCK
debug1: channel 0: new [/home/jan/.ssh/[email protected]:22]
debug2: fd 3 setting TCP_NODELAY
debug1: control_persist_detach: backgrounding master process
debug2: control_persist_detach: background process is 21360
debug2: fd 5 setting O_NONBLOCK
debug1: forking to background
debug1: Entering interactive session.
debug1: pledge: id
debug1: multiplexing control connection
debug2: fd 6 setting O_NONBLOCK
debug1: channel 1: new [mux-control]
debug2: process_mux_master_hello: channel 1 slave version 4
debug2: mux_client_hello_exchange: master version 4
debug2: process_mux_alive_check: channel 1: alive check
debug2: process_mux_new_session: channel 1: request tty 1, X 0, agent 1, subsys 0, term "xterm-256color", cmd "", env 1
debug1: channel 2: new [client-session]
debug2: process_mux_new_session: channel_new: 2 linked to control channel 1
debug2: channel 2: send open
debug1: client_input_global_request: rtype [email protected] want_reply 0
debug2: channel_input_open_confirmation: channel 2: callback start
debug1: Requesting authentication agent forwarding.
debug2: channel 2: request [email protected] confirm 0
debug2: client_session2_setup: id 2
debug2: channel 2: request pty-req confirm 1
debug1: Sending environment.
debug1: Sending env LANG = en_GB.UTF-8
debug2: channel 2: request env confirm 0
debug2: channel 2: request shell confirm 1
debug2: channel_input_open_confirmation: channel 2: callback done
debug2: channel 2: open confirm rwindow 0 rmax 32768
debug1: mux_client_request_session: master session id: 2
debug2: channel_input_status_confirm: type 99 id 2
debug2: PTY allocation request accepted on channel 2
debug2: channel 2: rcvd adjust 2097152
debug2: channel_input_status_confirm: type 99 id 2
debug2: shell request accepted on channel 2
Linux bastion1.gameiom-production.gamingrealms.org 4.9.0-8-amd64 #1 SMP Debian 4.9.110-3+deb9u6 (2018-10-08) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue Oct 8 13:11:47 2019 from 80.229.227.116
bastion1 $ debug1: multiplexing control connection
debug2: fd 10 setting O_NONBLOCK
debug1: channel 3: new [mux-control]
debug2: process_mux_master_hello: channel 3 slave version 4
debug2: process_mux_alive_check: channel 3: alive check
debug2: process_mux_new_session: channel 3: request tty 1, X 0, agent 1, subsys 0, term "xterm-256color", cmd "", env 1
debug1: channel 4: new [client-session]
debug2: process_mux_new_session: channel_new: 4 linked to control channel 3
debug2: channel 4: send open
debug2: channel_input_open_confirmation: channel 4: callback start
debug1: Requesting authentication agent forwarding.
debug2: channel 4: request [email protected] confirm 0
debug2: client_session2_setup: id 4
debug2: channel 4: request pty-req confirm 1
debug1: Sending environment.
debug1: Sending env LANG = en_GB.UTF-8
debug2: channel 4: request env confirm 0
debug2: channel 4: request shell confirm 1
debug2: channel_input_open_confirmation: channel 4: callback done
debug2: channel 4: open confirm rwindow 0 rmax 32768
debug2: channel_input_status_confirm: type 99 id 4
debug2: PTY allocation request accepted on channel 4
debug2: channel 4: rcvd adjust 2097152
debug2: channel_input_status_confirm: type 99 id 4
debug2: shell request accepted on channel 4
노예:
$ ssh -vv rgs-gameiom
OpenSSH_7.6p1 Ubuntu-4ubuntu0.3, OpenSSL 1.0.2n 7 Dec 2017
debug1: Reading configuration data /home/jan/.ssh/config
debug1: /home/jan/.ssh/config line 46: Applying options for rgs-gameiom
debug1: /home/jan/.ssh/config line 61: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: auto-mux: Trying existing master
debug2: fd 3 setting O_NONBLOCK
debug2: mux_client_hello_exchange: master version 4
debug1: mux_client_request_session: master session id: 4
Last login: Tue Oct 8 14:00:12 2019 from 80.229.227.116
답변1
프록시 전달은 연결 공유와 호환됩니다. 둘은 서로 상호 작용하며 프록시 전달은 기본 연결에서만 발생합니다. 마스터 연결이 이미 프록시 전달을 완료한 경우 프록시를 다시 전달할 필요가 없기 때문에 슬레이브 연결은 프록시 전달을 수행하지 않습니다. SSH_AUTH_SOCK동일한 기본 연결을 통해 이루어진 모든 연결에서 동일한 값을 얻습니다 .
여기서 일어난 일은 당시 프록시 전달을 비활성화했거나 SSH_AUTH_SOCK클라이언트에 설정되지 않은 컨텍스트에서 기본 연결을 시작했기 때문에 연결 공유를 켠 다음 프록시 전달 없이 기본 연결을 시작 했다는 것입니다. . 그런 다음 마스터 연결에 연결된 슬레이브 연결을 생성합니다.
기본 연결을 닫고 새 연결을 시작하여 브로커에 액세스할 수 있는 컨텍스트(예: SSH_AUTH_SOCK정의되지 않은 cron 작업이 아님)에서 실행 중인지 확인하세요.