为什么我不能连接到SSH反向隧道?

时间:2018-09-01 11:45:17

标签: authentication amazon-ec2 ssh-tunnel key-pair

我正在使用autossh -M 20000 -fN -R 19999:localhost:22 -i mycert.pem ubuntu@myaws.hopto.org建立到我的AWS机器的反向隧道。现在,当我尝试从aws访问计算机时,得到以下信息:

$ ssh ron@localhost -P 19999
Permission denied (publickey).

为什么会这样?详细选项显示:

$ ssh ron@localhost -v -P 19999
OpenSSH_7.2p2 Ubuntu-4ubuntu2.4, OpenSSL 1.0.2g  1 Mar 2016
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to localhost [127.0.0.1] port 22.
debug1: Connection established.
debug1: key_load_public: No such file or directory
debug1: identity file /home/ubuntu/.ssh/id_rsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/ubuntu/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/ubuntu/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/ubuntu/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/ubuntu/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/ubuntu/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/ubuntu/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/ubuntu/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.4
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.2p2 Ubuntu-4ubuntu2.4
debug1: match: OpenSSH_7.2p2 Ubuntu-4ubuntu2.4 pat OpenSSH* compat 0x04000000
debug1: Authenticating to localhost:22 as 'ron'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256@libssh.org
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:kT8pM3YwDEYqE+CFzyWQDiSVCLhgMjPLWBJXYPl1BZs
debug1: Host 'localhost' is known and matches the ECDSA host key.
debug1: Found key in /home/ubuntu/.ssh/known_hosts:5
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<rsa-sha2-256,rsa-sha2-512>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /home/ubuntu/.ssh/id_rsa
debug1: Trying private key: /home/ubuntu/.ssh/id_dsa
debug1: Trying private key: /home/ubuntu/.ssh/id_ecdsa
debug1: Trying private key: /home/ubuntu/.ssh/id_ed25519
debug1: No more authentication methods to try.
Permission denied (publickey).

这是怎么回事?为什么不让我连接?

EDIT1

我发现当我使用autossh -M 20000 -R 19999:localhost:22 -i mycert.pem时,我实际上可以建立一个连接,但是目标计算机仍会保持登录状态,这不是我想要的!为什么-fN导致此功能不起作用?

1 个答案:

答案 0 :(得分:1)

我也一直为此苦苦挣扎。我的答案可能很简单,是一个典型的初学者错误,可能不是您的答案,但是我会在这里发布此消息,以防其他人遇到麻烦并对他们有帮助。

您试图将ssh从转换为的计算机的公共密钥必须存在于本地计算机的authorized_keys文件中。

反向SSH连接到本地端口,实际上这是您自己的本地计算机,因此它将在您的本地计算机上查找不存在的public_authors_keys文件中的公共密钥。很容易对此感到困惑,因为您使用的是“ localhost”作为地址,但可以想象一下,您是在某个随机端口上将门户网站打开到远程位置,然后以该远程用户的身份从该位置进行连接到您的港口。当它连接到端口时,仍然需要通过端口请求许可才能向下发送命令。由于它是您家的门户,因此它将在那寻找钥匙。如果端口的另一端没有钥匙,它将无法正常工作。

ELI5风格:

您希望另一个世界向您发送东西,但他们不能这样做,因为您处于秘密位置,因此您将红色端口和蓝色端口连接到另一个世界。

您跳过红色端口,但另一端的人不知道蓝色端口在哪里,因此您必须告诉他们蓝色端口在哪里。他们试图通过港口,但无法进入,因为您尚未授权他们过来,并且今天的安全性也不足。

因此,您让他们在那里制作钥匙卡,然后将其带回自己的世界,并告诉自己的安全性“此钥匙卡不错,请让他们进入。”

现在,您可以再次返回,并告诉他们敲门。这次安全部门发现这些人是朋友,他们被允许进来。

所以:

localuser@localmachine:~$ ssh -r <remote port>:localhost:localport remoteuser@remoteaddress
remoteuser@remoteaddress:~$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/$USER/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/$USER/.ssh/id_rsa.
Your public key has been saved in /home/$USER/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:sadfhjkljashdlkfjahw039ufrg094ut remoteuser@remotemachine
The key's randomart image is:
+---[RSA 2048]----+
|=+ +. ..+  o .   |
|o ofake art. .   |
|asdfghjk         |
|+ .  .o. .  + .  |
|.+R . fx s ++ o  |
|B +  ..     . .  |
|=+ +.. .     .   |
|..o .. 0. 0.     |
| + o  ++      ==o|
+----[SHA256]-----+
remoteuser@remoteaddress:~$ clip ./ssh/id_rsa.pub (or copy it however you can)
remoteuser@remoteaddress:~$ exit
localuser@localmachine:~$ nano/vi/whatever .ssh/authorized_keys (paste the public key there)
localuser@localmachine:~$ ssh -r <remote port>:localhost:localport remoteuser@remoteaddress
remoteuser@remoteaddress:~$ ssh localhost -p <remote port>

同样,这主要是针对那些具有反向ssh的新功能并且遇到“公钥”错误的人。希望我能帮上忙!

相关问题
最新问题