OpenSSH connection via proxy
Command line for proxy
This approach uses one long command line, and the logic is expressed clearly in the command itself.
Specifically:
ssh internal_vm -o ProxyCommand="xxxx"
For example:
$ ssh -i group_vars/iot_rsa redhat@10.0.1.4 -o ProxyCommand="ssh -q -W %h:%p -i group_vars/iot_rsa redhat@40.83.75.19"
Last login: Tue Aug 7 07:24:01 2018 from 10.0.0.4
[redhat@roy-hk-de-vm-hdp-2 ~]$
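Parameter explanation (for details, see man ssh_config / man ssh):
-i appears twice, specifying the private key used to connect to the target machine and to the proxy, respectively
-o specifies an option; in this example it tells ssh to use ProxyCommand
-q quiet mode
-W host:port forwarding: requests that standard input and output on the client be forwarded to host on port over the secure channel.
%h:%p tokens for remote host : remote port
Another approach: using the nc command (netcat)
This handles the case of going through an HTTPS proxy. Some machines do not have nc installed by default, so it has to be installed separately.
Assuming the local SSH proxy listens on port 3000, the ProxyCommand is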
ProxyCommand nc -x 127.0.0.1:3000 %h %p
where %h is the target address and %p is the target port. This can be used on the command line, for example
ssh -o ProxyCommand="nc -x 127.0.0.1:3000 %h %p" git@github.com
nc can also be used with an HTTPS proxy. This requires specifying the protocol to use, that is, adding the -X connect parameter. For example, in ssh_config:
ProxyCommand nc -X connect -x 192.168.1.1:8080 %h %p
System-wide OpenSSH config file
/etc/ssh/ssh_config :
This file sets the default configuration for all users of OpenSSH clients on that desktop/laptop, and it must be readable by all users on the system.
User-specific OpenSSH config file
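This is the common approach: once the file is configured, you can log in with a very short command line. Editing the configuration file only requires understanding it, not a lot of memorization.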
~/.ssh/config or $HOME/.ssh/config :
This is the user's own configuration file, which overrides the settings in the global client configuration file, /etc/ssh/ssh_config.
$ cat ~/.ssh/config
Host hdp1
User redhat
IdentityFile /home/centos/tmp/706/group_vars/iot_rsa
ProxyCommand ssh -q -W %h:%p redhat@40.83.73.163
HostName roy-hk-deploy-vm-hdp-01
Another example:
Host roy1
User redhat
ProxyCommand ssh -i /Users/royzeng/repo/723/group_vars/iot_rsa -q -W %h:%p redhat@40.83.75.19
HostName roy-hk-de-vm-hdp-1
IdentityFile /Users/royzeng/repo/723/group_vars/iot_rsa
Host *
StrictHostKeyChecking no
UserKnownHostsFile /dev/null
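Parameter explanation:
Host roy1 the short host alias used when connecting with ssh
ProxyCommand defines how to connect through the proxy
IdentityFile the private key for connecting to the target machine
User the username for connecting to the target machine
StrictHostKeyChecking no do not check the host key; connect directly without confirmation. Combined with UserKnownHostsFile /dev/null under Host *, this applies to every host, so a changed or spoofed host key is never detected.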
You can now connect directly to the server behind the proxy.
e.g.
$ ssh hdp1
$ scp aaa.txt hdp1:/tmp/bbb.txt
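
The Host * block in the second configuration above turns off host key verification for every connection, including the inner ssh to the jump host that ProxyCommand starts. The following Python sketch is an added example, not part of the original post: it resolves the options in effect for an alias using ssh_config's rule that the first value obtained for a keyword wins, then follows ProxyCommand to the jump host. The function names, the WEAK table and the abridged sample config are assumptions made for illustration; Match blocks and Include are not handled.

```python
import fnmatch
import re
import shlex

# Constructed sample, abridged from the page's second ~/.ssh/config example.
SAMPLE = """\
Host roy1
ProxyCommand ssh -i /Users/royzeng/repo/723/group_vars/iot_rsa -q -W %h:%p redhat@40.83.75.19
HostName roy-hk-de-vm-hdp-1
Host *
StrictHostKeyChecking no
UserKnownHostsFile /dev/null
"""
# Option values that switch off host key verification.
WEAK = {"stricthostkeychecking": ("no", "off"), "userknownhostsfile": ("/dev/null",)}
LINE = re.compile(r"^[ \t]*(\w+)(?:[ \t]*=[ \t]*|[ \t]+)(.*?)[ \t]*$", re.M)

def host_matches(alias, patterns):
    """A Host line applies if a pattern matches and no '!'-negated one does."""
    neg = [p[1:] for p in patterns if p.startswith("!")]
    pos = [p for p in patterns if not p.startswith("!")]
    hit = lambda ps: any(fnmatch.fnmatchcase(alias, p) for p in ps)
    return hit(pos) and not hit(neg)

def effective_options(config_text, alias):
    """Resolve options for alias: the first value obtained for a keyword wins."""
    opts, active = {}, True  # options before the first Host line apply to all
    for m in LINE.finditer(config_text):
        key, value = m.group(1).lower(), m.group(2)
        if key in ("host", "match"):  # Match blocks are skipped in this sketch
            active = key == "host" and host_matches(alias, value.split())
        elif active:
            opts.setdefault(key, value)
    return opts

def jump_host(proxy_command):
    """Destination of an inner `ssh ... -W %h:%p [user@]host`, the page's form."""
    tokens = shlex.split(proxy_command or "")
    is_ssh_w = len(tokens) > 1 and tokens[0] == "ssh" and "-W" in tokens
    return tokens[-1].rpartition("@")[2] if is_ssh_w else None

def audit_chain(config_text, alias):
    """Map the alias and each jump host to the weak options in effect for it."""
    report, host = {}, alias
    while host and host not in report:
        opts = effective_options(config_text, host)
        report[host] = sorted(k for k, bad in WEAK.items() if opts.get(k, "").lower() in bad)
        host = jump_host(opts.get("proxycommand"))
    return report
```

Calling audit_chain(SAMPLE, "roy1") reports both weak options for roy1 and for the jump host 40.83.75.19, because Host * matches each of them.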