Usually we log in to servers by going to a jump host (bastion) first and then logging in to the other servers from there. This is done so that nobody can connect to the internal SSH servers directly, which would be a security risk. But having to ssh to the jump host every time, and then connect from the jump host to the remote machine, is far too tedious. With SSH's forwarding mode (ProxyCommand) we can connect from our local machine straight to the internal hosts. The steps are as follows.

On both Linux and macOS we edit the file `~/.ssh/config` (for example with `vim ~/.ssh/config`) and use a configuration like the one below.
```
# jump host
Host tiaoban
    HostName 22.214.171.124
    Port 222
    User tiaoban

# internal machines, reached through the jump host;
# the ProxyCommand reuses the Host tiaoban block above for user and port
Host server
    HostName 192.168.1.117
    Port 222
    User root
    ProxyCommand ssh -W %h:%p tiaoban

Host client
    HostName 192.168.1.100
    Port 222
    User root
    ProxyCommand ssh -W %h:%p tiaoban
```

(ssh_config comments must start at the beginning of a line; trailing `#` comments after a value are rejected as "garbage at end of line" by older OpenSSH versions.)
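To see what ssh actually runs when we type `ssh server`, here is a small resolver, added as an example and not part of the original post, that reads an ssh_config-style text, applies the first-matching-Host-block rule and expands the `%h` / `%p` / `%r` tokens of ProxyCommand. The embedded config is a constructed copy of the layout above.

```python
"""Added example (not from the post): resolve an alias through an ssh_config
text the way ssh does for the jump-host setup above. The first matching Host
block wins per option; %h/%p/%r in ProxyCommand expand to HostName/Port/User."""
import fnmatch
import shlex

# Constructed sample mirroring the post's config (comments on their own lines).
SAMPLE_CONFIG = """
Host tiaoban
    HostName 22.214.171.124
    Port 222
    User tiaoban
Host server
    HostName 192.168.1.117
    Port 222
    User root
    ProxyCommand ssh -W %h:%p tiaoban
"""

def parse_config(text):
    """Return (patterns, options) per Host block, in file order."""
    blocks, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # ssh_config comments are whole lines
            continue
        parts = line.split(None, 1)
        key, value = parts[0].lower(), parts[1].strip() if len(parts) > 1 else ""
        if key == "host":
            current = (value.split(), {})
            blocks.append(current)
        elif current is not None:
            current[1].setdefault(key, value)  # first occurrence in a block wins
    return blocks

def resolve(alias, text):
    """Effective HostName/Port/User for alias plus the expanded ProxyCommand argv."""
    found = {}
    for patterns, options in parse_config(text):
        if any(fnmatch.fnmatchcase(alias, p) for p in patterns):
            for key, value in options.items():
                found.setdefault(key, value)  # earlier Host block takes precedence
    opts = {"hostname": found.get("hostname", alias), "port": found.get("port", "22"),
            "user": found.get("user", ""), "proxycommand": []}
    if "proxycommand" in found:
        cmd = found["proxycommand"]
        for token, value in (("%h", opts["hostname"]), ("%p", opts["port"]), ("%r", opts["user"])):
            cmd = cmd.replace(token, value)
        opts["proxycommand"] = shlex.split(cmd)  # what ssh hands to the shell
    return opts
```

For `server` this yields `ssh -W 192.168.1.117:222 tiaoban`, i.e. ssh opens a session to the jump host (itself resolved through the `Host tiaoban` block) and tunnels the inner connection through its stdin/stdout.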
```
➜ ssh ssh tiaoban
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Wed Jul  5 01:14:12 2017 from localhost
tiaoban@xxxxx:~ $ exit
```

```
➜ ssh ssh server
The authenticity of host '192.168.1.117 (<no hostip for proxy command>)' can't be established.
ECDSA key fingerprint is SHA256:b7RMtN02b8r/eWg2a5WPMzuNibmyDAKTxP9U0xNMgts.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.117' (ECDSA) to the list of known hosts.
root@192.168.1.117's password:
Killed by signal 2.
```
Connecting to `server` prompts for a password. At this point we can add our local public key to the remote host:
```
➜ ssh ssh-copy-id server
/usr/local/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/Users/wenjun/.ssh/id_rsa.pub"
/usr/local/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/local/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@192.168.1.117's password:
Killed by signal 1.

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'server'"
and check to make sure that only the key(s) you wanted were added.
```

```
➜ ssh ssh server
Last login: Tue Jul  4 10:03:25 2017 from 192.168.1.155
[root@server ~]# exit
logout
Connection to 192.168.1.117 closed.
Killed by signal 1.
```