SSH: logging in to backend servers through the jump host in one step

Normally we log in to a server by first connecting to a jump host (bastion) and then hopping from it to the target. The reason is to make sure nobody can open an SSH connection to the backend servers directly, which would be a security risk. But running ssh to the jump host and then ssh again to the remote host every time is tedious. With ssh's ProxyCommand and its -W (stdin/stdout forwarding) mode the local client can reach the internal machine in a single command. Note that this does not actually bypass the jump host: every connection still passes through it, so the access policy is preserved and only the typing is saved. The steps are as follows.

Client configuration

On both Linux and macOS, edit ~/.ssh/config (for example with vim ~/.ssh/config) along the lines of the configuration below. Two details matter. First, OpenSSH only treats lines that begin with # as comments; a comment after a value on the same line can abort the client with "garbage at end of line", so the comments here sit on their own lines. Second, the ProxyCommand refers to the tiaoban Host block by name, so the jump host's address, port, user and key are taken from that block (an explicit user@ in the ProxyCommand would override its User line). %h and %p expand to the target's HostName and Port, and -W makes the ssh to the jump host forward its stdin/stdout to that address instead of opening a shell. On OpenSSH 7.3 or later the single directive ProxyJump tiaoban does the same thing.

# jump host
Host tiaoban
    HostName 221.41.148.63
    Port 222
    User tiaoban

# internal machine, reached through the jump host
Host server
    HostName 192.168.1.117
    Port 222
    User root
    ProxyCommand ssh -W %h:%p tiaoban

Host client
    HostName 192.168.1.100
    Port 222
    User root
    ProxyCommand ssh -W %h:%p tiaoban
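Before relying on a jump-host configuration it is worth checking it for the two mistakes that are easy to make here: inline comments after a value, which OpenSSH does not accept in ssh_config, and a ProxyCommand that logs in to the jump host as a different user than the jump host's own Host block configures. The following Python linter is an added example, not code from the original page or from OpenSSH; it parses Host blocks with a simplified reading of the ssh_config syntax, reports both problems, and prints the equivalent ProxyJump line. The two embedded configurations are constructed from this page's values (one with the problems, one corrected).

```python
"""Lint ~/.ssh/config jump-host blocks for common ProxyCommand mistakes.

Added example (not from the original page). It implements a simplified
ssh_config reader: 'Host' starts a block, 'Keyword value' or
'Keyword=value' sets an option, and the first occurrence of an option wins,
as in OpenSSH.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: the page's configuration with its two problems.
SAMPLE_CONFIG = """\
Host tiaoban  #跳板机名称
    HostName 221.41.148.63  #跳板机 IP
    Port 222  #跳板机端口
    User tiaoban  #跳板机用户名

Host server  #内网机器配置
    HostName 192.168.1.117
    Port 222
    User root
    ProxyCommand ssh pi@tiaoban -W %h:%p
"""

# Constructed sample: the corrected form (comments on their own lines,
# jump-host user taken from the tiaoban block).
FIXED_CONFIG = """\
# jump host
Host tiaoban
    HostName 221.41.148.63
    Port 222
    User tiaoban

# internal machine, reached through the jump host
Host server
    HostName 192.168.1.117
    Port 222
    User root
    ProxyCommand ssh -W %h:%p tiaoban
"""

Block = Tuple[str, Dict[str, str], List[str]]  # (host pattern, options, lines with inline comments)


def parse_config(text: str) -> List[Block]:
    """Split an ssh_config text into Host blocks, recording inline-comment lines."""
    blocks: List[Block] = []
    current: Optional[Block] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # only whole-line comments are legal
            continue
        inline_comment = "#" in line
        if inline_comment:
            line = line.split("#", 1)[0].strip()  # value as OpenSSH would read it before erroring
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "host":
            current = (value, {}, [])
            blocks.append(current)
        elif current is not None:
            current[1].setdefault(key, value)  # first occurrence wins
        if inline_comment and current is not None:
            current[2].append(raw.strip())
    return blocks


def proxy_destination(proxycommand: str) -> Optional[Tuple[Optional[str], str]]:
    """Return (user or None, host) from 'ssh [options] [user@]host', else None."""
    argv = proxycommand.split()
    if not argv or argv[0] != "ssh":
        return None
    skip_next = False
    for tok in argv[1:]:
        if skip_next:
            skip_next = False
            continue
        if tok in ("-W", "-p", "-l", "-i", "-o", "-F", "-J"):  # options that take an argument
            skip_next = True
            continue
        if tok.startswith("-"):
            continue
        user, _, host = tok.rpartition("@")
        return (user or None, host)
    return None


def lint(text: str) -> Dict[str, List[str]]:
    """Report inline comments, jump-host user mismatches and ProxyJump equivalents."""
    blocks = parse_config(text)
    by_name = {name: opts for name, opts, _ in blocks}
    findings: Dict[str, List[str]] = {"inline_comment": [], "user_mismatch": [], "proxyjump": []}
    for name, opts, comments in blocks:
        findings["inline_comment"].extend(f"{name}: {c}" for c in comments)
        dest = proxy_destination(opts.get("proxycommand", ""))
        if dest is None:
            continue
        user, jump = dest
        jump_user = by_name.get(jump, {}).get("user")
        if user and jump_user and user != jump_user:
            findings["user_mismatch"].append(
                f"{name}: ProxyCommand logs in as {user}@{jump}, but Host {jump} sets User {jump_user}")
        if "-W" in opts["proxycommand"].split():  # stdio forwarding == what ProxyJump does
            findings["proxyjump"].append(f"{name}: ProxyJump {jump}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("original", SAMPLE_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, lint(cfg))
```

Run it against your own file with lint(open(os.path.expanduser("~/.ssh/config")).read()); an empty inline_comment and user_mismatch list means the config is at least free of the two problems above, and the proxyjump list gives the one-line replacement for each -W ProxyCommand.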

Connecting

1. Test the connection to the jump host (in the transcripts below, ➜  ssh is the zsh prompt showing the current directory name; the command typed is ssh tiaoban):

➜  ssh ssh tiaoban

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Wed Jul  5 01:14:12 2017 from localhost
tiaoban@xxxxx:~ $ exit

2. Connect to server

➜  ssh ssh server
The authenticity of host '192.168.1.117 (<no hostip for proxy command>)' can't be established.
ECDSA key fingerprint is SHA256:b7RMtN02b8r/eWg2a5WPMzuNibmyDAKTxP9U0xNMgts.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.117' (ECDSA) to the list of known hosts.
root@192.168.1.117's password:
Killed by signal 2.
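The prompt above shows the target's host key fingerprint, and the client cannot check it for you: behind a ProxyCommand it never sees the target's IP (hence "<no hostip for proxy command>"), only the byte stream the jump host relays, so a jump host or anything on the internal network that substituted a key would produce the same prompt. Answer yes only after comparing the fingerprint with the real key, obtained over a path you trust, for instance by running ssh-keyscan -p 222 192.168.1.117 on the jump host itself. The Python below is an added example, not code from the original page or from OpenSSH; it computes the same SHA256 fingerprint that ssh and ssh-keygen -lf display from a public key line in ssh-keyscan, known_hosts or authorized_keys format, and compares it against the prompt. The key it embeds is constructed, not a real host key.

```python
"""Compute and compare OpenSSH SHA256 host key fingerprints.

Added example (not from the original page). The fingerprint ssh prints is
SHA-256 over the decoded key blob, base64-encoded without '=' padding and
prefixed with "SHA256:".
"""
import base64
import hashlib
import hmac
import struct

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def fingerprint_blob(blob: bytes) -> str:
    """SHA256 fingerprint of a raw public key blob, as ssh-keygen -lf prints it."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def fingerprint_line(line: str) -> str:
    """Fingerprint of '[host] keytype base64 [comment]' (ssh-keyscan / known_hosts / authorized_keys)."""
    fields = line.split()
    if len(fields) >= 3 and fields[1].startswith(KEY_TYPE_PREFIXES):
        fields = fields[1:]  # drop the leading host field written by ssh-keyscan / known_hosts
    if len(fields) < 2 or not fields[0].startswith(KEY_TYPE_PREFIXES):
        raise ValueError("not an OpenSSH public key line")
    return fingerprint_blob(base64.b64decode(fields[1], validate=True))


def matches_prompt(key_line: str, prompt_fingerprint: str) -> bool:
    """True if the key line's fingerprint equals the one ssh showed (constant-time compare)."""
    return hmac.compare_digest(fingerprint_line(key_line), prompt_fingerprint.strip())


def _ssh_string(b: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


# Constructed sample key (NOT a real host key): an ed25519 blob whose
# 32-byte public point is just the bytes 0..31.
SAMPLE_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
SAMPLE_B64 = base64.b64encode(SAMPLE_BLOB).decode("ascii")
# The same key as it would appear in authorized_keys and in ssh-keyscan -p 222 output.
SAMPLE_AUTHORIZED = f"ssh-ed25519 {SAMPLE_B64} constructed@example"
SAMPLE_KEYSCAN = f"[192.168.1.117]:222 ssh-ed25519 {SAMPLE_B64}"

if __name__ == "__main__":
    fp = fingerprint_line(SAMPLE_KEYSCAN)
    print(fp)
    # The fingerprint from this page's prompt does not belong to the constructed key.
    print(matches_prompt(SAMPLE_KEYSCAN, "SHA256:b7RMtN02b8r/eWg2a5WPMzuNibmyDAKTxP9U0xNMgts"))
```

In practice you would paste the line printed by ssh-keyscan on the jump host into fingerprint_line and the value from the "ECDSA key fingerprint is ..." prompt into matches_prompt; only a True result justifies typing yes.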

Answer yes only after checking that the fingerprint really is the internal machine's key. The connection to server then asks for a password; in the transcript above the prompt was interrupted with Ctrl-C, which is what the "Killed by signal 2." line (SIGINT, reported by the ProxyCommand's ssh) shows. Instead of typing the password each time, install the local public key on the remote host; ssh-copy-id goes through the same proxy:

➜  ssh ssh-copy-id server
/usr/local/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/Users/wenjun/.ssh/id_rsa.pub"
/usr/local/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/local/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@192.168.1.117's password:
Killed by signal 1.

Number of key(s) added:        1

Now try logging into the machine, with:   "ssh 'server'"
and check to make sure that only the key(s) you wanted were added.

After that, connecting again no longer asks for a password:

➜  ssh ssh server
Last login: Tue Jul  4 10:03:25 2017 from 192.168.1.155
[root@server ~]# exit
logout
Connection to 192.168.1.117 closed.
Killed by signal 1.

The trailing "Killed by signal 1." is harmless: when the session to server closes, the client sends SIGHUP (signal 1) to the ssh process it started as the ProxyCommand, and that process reports it. To silence it, add the -q flag to the ssh in the ProxyCommand.