Edit: meanwhile, I have filed a bug with OpenSSH (link). If there is any result, I'll post it here as well.
New edit: this limitation will be resolved in OpenSSH 7.3 (see here).
I use an SSH proxy / jump host at one location to connect to the remaining machines at that location. Everything works fine, except the port forwards.
My .ssh/config (with explanations in the file):
## a list of hostnames otherwise not known to my laptop,
## i. e. not in /etc/hosts
## at home, in my local network, "ssh server" will connect me to the server
Host server
Host archpi
Host banana
Host uncle
Host router
Host dlna
Host osmc
Host vostro
Host xps
Host thor
Host hp
## the jump host
Host jump
HostName my.dynamicdns.com
Port 2222
IdentityFile ~/.ssh/my-jump/remote_ed25519
ControlMaster auto
ControlPath ~/.ssh-cm-socket/%r@%h:%p
## the forwarding rule which does not work
## also, LocalForward x y:z does not work
DynamicForward 1080
## abroad, this stanza together with the * stanza will connect me
## to the hosts above via the jump host.
## Yes, private ssh keys sit in subdirectories. %h will resolve as
## "server/remote" here, resulting in ~/.ssh/my-server/remote_ed25519;
## $(dirname %h) will simply be "server"
Host */remote
IdentityFile ~/.ssh/my-%h_ed25519
ProxyCommand ssh -W $(dirname %h):22 jump
Ciphers arcfour
## at home, in my local network, "ssh server" will connect me to the server directly.
## abroad, via public wifi, and together with the */remote stanza,
## "ssh server/remote" will connect me to the server via the jump host.
## This identity file seems to be somewhere else, but isn't. In this stanza,
## %h will be resolved as "server" to ~/.ssh/my-server/remote_ed25519
Host *
Compression yes
CompressionLevel 1
ForwardAgent yes
ServerAliveInterval 60
User my
IdentityFile ~/.ssh/my-%h/remote_ed25519
Once again, everything works fine. I can ssh to "server" on my local LAN and to "server/remote" from abroad.
I can connect to "jump" via SSH, and the port forward will be established. Just not when connecting to another host via jump. Why? And, more importantly: how can I have the port forwarded in this ssh configuration?
Edit:
Whenever I connect directly to "jump", the ports are forwarded. Whenever I connect to another host via "jump", there is no forwarding.
In the log files, the only difference seems to be
Session via "jump", output of ssh -vvv router/remote
[...]
Authenticated to router/remote (via proxy).
debug2: fd 7 setting O_NONBLOCK
debug1: channel 0: new [client-session]
debug3: ssh_session2_open: channel_new: 0
debug2: channel 0: send open
debug3: send packet: type 90
debug1: Requesting no-more-sessions@openssh.com
debug3: send packet: type 80
debug1: Entering interactive session.
debug1: pledge: proc
debug3: receive packet: type 80
debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0
debug3: receive packet: type 91
debug2: callback start
debug1: Requesting authentication agent forwarding.
debug2: channel 0: request auth-agent-req@openssh.com confirm 0
debug3: send packet: type 98
debug2: client_session2_setup: id 0
debug2: channel 0: request pty-req confirm 1
debug3: send packet: type 98
debug1: Sending environment.
debug3: Ignored env XDG_VTNR
debug3: Ignored env SSH_AGENT_PID
debug3: Ignored env XDG_SESSION_ID
debug3: Ignored env HOSTNAME
debug3: Ignored env QUBES_ENV_SOURCED
debug3: Ignored env TERM
debug3: Ignored env SHELL
debug3: Ignored env VTE_VERSION
debug3: Ignored env HISTSIZE
debug3: Ignored env QUBES_KEYMAP
debug3: Ignored env WINDOWID
debug3: Ignored env QUBES_USER_KEYMAP
debug3: Ignored env USER
debug3: Ignored env LS_COLORS
debug3: Ignored env SSH_AUTH_SOCK
debug3: Ignored env PATH
debug3: Ignored env MAIL
debug3: Ignored env QT_X11_NO_MITSHM
debug3: Ignored env UPDTYPE
debug3: Ignored env PWD
debug1: Sending env LANG = en_US.UTF-8
debug2: channel 0: request env confirm 0
debug3: send packet: type 98
debug3: Ignored env MODULEPATH
debug3: Ignored env LOADEDMODULES
debug3: Ignored env QREXEC_AGENT_PID
debug3: Ignored env SSH_ASKPASS
debug3: Ignored env HISTCONTROL
debug3: Ignored env XDG_SEAT
debug3: Ignored env SHLVL
debug3: Ignored env HOME
debug3: Ignored env GNOME_DESKTOP_SESSION_ID
debug3: Ignored env LOGNAME
debug3: Ignored env DBUS_SESSION_BUS_ADDRESS
debug3: Ignored env MODULESHOME
debug3: Ignored env VMTYPE
debug3: Ignored env LESSOPEN
debug3: Ignored env WINDOWPATH
debug3: Ignored env XDG_RUNTIME_DIR
debug3: Ignored env DISPLAY
debug3: Ignored env BASH_FUNC_module()
debug3: Ignored env BASH_FUNC_scl()
debug3: Ignored env _
debug2: channel 0: request shell confirm 1
debug3: send packet: type 98
debug2: callback done
debug2: channel 0: open confirm rwindow 0 rmax 32768
debug3: receive packet: type 99
debug2: channel_input_status_confirm: type 99 id 0
debug2: PTY allocation request accepted on channel 0
debug2: channel 0: rcvd adjust 2097152
debug3: receive packet: type 99
debug2: channel_input_status_confirm: type 99 id 0
debug2: shell request accepted on channel 0
debug3: receive packet: type 96
debug2: channel 0: rcvd eof
debug2: channel 0: output open -> drain
debug3: receive packet: type 98
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug3: receive packet: type 98
debug1: client_input_channel_req: channel 0 rtype eow@openssh.com reply 0
debug2: channel 0: rcvd eow
debug2: channel 0: close_read
debug2: channel 0: input open -> closed
debug3: receive packet: type 97
debug2: channel 0: rcvd close
debug3: channel 0: will not send data after close
debug3: channel 0: will not send data after close
debug2: channel 0: obuf empty
debug2: channel 0: close_write
debug2: channel 0: output drain -> closed
debug2: channel 0: almost dead
debug2: channel 0: gc: notify user
debug2: channel 0: gc: user detached
debug2: channel 0: send close
debug3: send packet: type 97
debug2: channel 0: is dead
debug2: channel 0: garbage collecting
debug1: channel 0: free: client-session, nchannels 1
debug3: channel 0: status: The following connections are open:
#0 client-session (t4 r0 i3/0 o3/0 fd -1/-1 cc -1)
debug3: send packet: type 1
debug1: fd 2 clearing O_NONBLOCK
[user@personal ~]$ ss -lant4 | grep 1080
[user@personal ~]$
Session via "jump", output of ProxyCommand ssh -W $(dirname %h):22 jump 2>log.txt:
[...]
Authenticated to my.dynamicdns.com ([12.34.56.78]:2222).
debug3: ssh_init_stdio_forwarding: router:22
debug1: channel_connect_stdio_fwd router:22
debug1: channel 0: new [stdio-forward]
debug2: fd 4 setting O_NONBLOCK
debug2: fd 5 setting O_NONBLOCK
debug1: getpeername failed: Bad file descriptor
debug3: send packet: type 90
debug2: fd 3 setting TCP_NODELAY
debug3: ssh_packet_set_tos: set IP_TOS 0x10
debug1: Requesting no-more-sessions@openssh.com
debug3: send packet: type 80
debug1: Entering interactive session.
debug1: pledge: network
debug3: receive packet: type 80
debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0
debug3: receive packet: type 91
debug2: callback start
debug2: callback done
debug2: channel 0: open confirm rwindow 2097152 rmax 32768
debug3: send packet: type 1
debug1: channel 0: free: direct-tcpip: listening port 0 for router port 22, connect from 127.0.0.1 port 65535 to UNKNOWN port 65536, nchannels 1
debug3: channel 0: status: The following connections are open:
#0 direct-tcpip: listening port 0 for router port 22, connect from 127.0.0.1 port 65535 to UNKNOWN port 65536 (t4 r0 i0/0 o0/0 fd 4/5 cc -1)
debug1: fd 0 clearing O_NONBLOCK
debug1: fd 1 clearing O_NONBLOCK
debug3: fd 2 is not O_NONBLOCK
Connection to "jump", output of ssh -vvv jump
[...]
Authenticated to my.dynamicdns.com ([12.34.56.78]:2222).
debug1: Local connections to localhost:1080 forwarded to remote address socks:0
debug1: Local forwarding listening on ::1 port 1080.
debug1: channel 0: new [port listener]
debug1: Local forwarding listening on 127.0.0.1 port 1080.
debug1: channel 1: new [port listener]
debug1: channel 2: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: pledge: network
debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0
debug1: Requesting authentication agent forwarding.
[user@personal ~]$ ss -lant4 | grep 1080
LISTEN 0 128 127.0.0.1:1080 *:*
All the forwarding is there in the log of the direct connection. The connection via jump only says debug1: getpeername failed: Bad file descriptor. Why is that, and how can I have the port forwarded?
Edit 2: server logs.
I have attached the server logs (level 3) of the "jump" host here. They are not very talkative regarding port forwarding. Presumably because the port forwarding takes place on the client.
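The question hinges on which ssh_config stanza each of the two ssh processes actually picks up: the outer `ssh router/remote` matches `Host */remote` and `Host *`, while the ProxyCommand's inner `ssh -W router:22 jump` is the only process that matches `Host jump` and therefore the only one that carries `DynamicForward 1080`. The following is an added example, not part of the question, that models the resolution rules OpenSSH applies (stanzas read top to bottom, `Host` patterns matched against the name typed on the command line, the first value seen for an option wins, `IdentityFile` and forwards accumulate, `%h` expanded to the final host name after `HostName` substitution) over a constructed copy of the relevant stanzas. It is a simplified model: it only handles the `Key value` syntax, treats `*`/`?` patterns via `fnmatch`, and assumes the expansion order described above.

```python
import fnmatch

# Constructed copy of the stanzas from the question (paths and names are the
# question's own); nothing here reads ~/.ssh or touches the network.
SSH_CONFIG = """
Host jump
    HostName my.dynamicdns.com
    Port 2222
    IdentityFile ~/.ssh/my-jump/remote_ed25519
    DynamicForward 1080

Host */remote
    IdentityFile ~/.ssh/my-%h_ed25519
    ProxyCommand ssh -W $(dirname %h):22 jump

Host *
    User my
    IdentityFile ~/.ssh/my-%h/remote_ed25519
"""

# Options that OpenSSH collects from every matching stanza instead of
# taking only the first value seen.
MULTI_VALUED = {"identityfile", "dynamicforward", "localforward", "remoteforward"}


def parse(text):
    """Split ssh_config text into (host_patterns, [(key, value), ...]) blocks.

    Assumption: only the 'Key value' form is used (no 'Key=value'), and a
    '#' starts a comment.
    """
    blocks, current = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        value = value.strip()
        if key.lower() == "host":
            current = (value.split(), [])
            blocks.append(current)
        elif current is not None:
            current[1].append((key, value))
    return blocks


def resolve(text, host):
    """Return the options ssh would use for `ssh <host>` (keys lowercased).

    Host patterns are matched against `host` as typed on the command line;
    %h is expanded afterwards to the HostName value if one was set.
    """
    opts = {}
    for patterns, entries in parse(text):
        if not any(fnmatch.fnmatchcase(host, p) for p in patterns):
            continue
        for key, value in entries:
            k = key.lower()
            if k in MULTI_VALUED:
                opts.setdefault(k, []).append(value)
            else:
                opts.setdefault(k, value)  # first value wins
    target = opts.get("hostname", host)

    def expand(v):
        return v.replace("%h", target)

    return {k: [expand(x) for x in v] if isinstance(v, list) else expand(v)
            for k, v in opts.items()}


def forwards_for(text, host):
    """List the DynamicForward/LocalForward entries that apply to `host`."""
    o = resolve(text, host)
    return {k: o[k] for k in ("dynamicforward", "localforward") if k in o}


if __name__ == "__main__":
    for h in ("router/remote", "jump"):
        o = resolve(SSH_CONFIG, h)
        print(h, "->", o.get("proxycommand", "(direct)"), forwards_for(SSH_CONFIG, h))
```

Running it shows `router/remote` resolving to `ProxyCommand ssh -W $(dirname router/remote):22 jump` with no forwards at all, and `jump` resolving to `DynamicForward 1080` on `my.dynamicdns.com:2222`; so the SOCKS listener can only come from the inner `ssh -W ... jump` process, which is exactly the one whose debug log above shows a single `stdio-forward` channel and no `port listener`. The `Host *` identity for `router/remote` expands to `~/.ssh/my-router/remote/remote_ed25519`, a path that need not exist; ssh skips missing identity files rather than failing.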