An introduction to ssh-agent and its pitfalls

Background

The ssh tool set ships with a program called ssh-agent. I first came across it about two years ago, when the company started using a jump host: you first log in to the control host, then from there log in to the development machine. For security, putting the control host's key on every development machine was forbidden, because then a compromise of the control host would hand over the whole internal network in one go. So every session started with typing a password twice (the better approach would have been to keep each developer's public key on the control host and disable password login). Since connections to port 22 of the control host were restricted by source IP anyway, password versus key was mostly a question of convenience, and when I proposed using keys to my lead the idea was rejected. Sigh.

But typing a password twice is honestly... too tedious, and I figured a login procedure this annoying had to have a fix.

Discovery

After some searching I found that ssh-agent, together with a small ssh configuration change, lets a key pass through the jump host: for a chain of machines A -> B -> C there is normally no way to authenticate with A's key when logging in to C from B, but with ssh-agent it can be done. The man page description of ssh-agent follows; in short, it is a key holder, and you add keys to it with the ssh-add command. I have a shell alias defined as ssh-agent && ssh-add. (One caveat: ssh-agent does not modify the calling shell; it prints the SSH_AUTH_SOCK and SSH_AGENT_PID assignments for the shell to evaluate, so for ssh-add to find the agent the alias has to be written as eval "$(ssh-agent -s)" && ssh-add.)

ssh-agent is a program to hold private keys used for public key authentication (RSA, DSA, ECDSA, Ed25519).  ssh-agent is usually started in the beginning of an X-session or a login session, and all other windows or programs are started as clients to the ssh-agent program. Through use of environment variables the agent can be located and automatically used for authentication when logging in to other machines using ssh(1).

The agent initially does not have any private keys. Keys are added using ssh-add(1). Multiple identities may be stored in ssh-agent concurrently and ssh(1) will automatically use them if present. ssh-add(1) is also used to remove keys from ssh-agent and to query the keys that are held in one.

You also need to set ForwardAgent to yes in /etc/ssh/ssh_config (or pass ssh -A if you cannot or do not want to change the config). Note that the man page explicitly warns about the security implications of this option, so rather than enabling it system-wide, scope it to the jump host in a Host block of ~/.ssh/config and leave it off for every other destination:

Specifies whether the connection to the authentication agent (if any) will be forwarded to the remote machine.  The argument must be ``yes'' or ``no''. The default is ``no''.

Agent forwarding should be enabled with caution. Users with the ability to bypass file permissions on the remote host (for the agent's Unix-domain socket) can access the local agent through the forwarded connection. An attacker cannot obtain key material from the agent, however they can perform operations on the keys that enable them to authenticate using the identities loaded into the agent.

That is all the configuration. To summarize: run ssh-agent to start the agent, then add the private key to it with ssh-add; for the chain A -> B -> C you only need to put A's public key on both B and C, and public key authentication works all the way through. Convenient, isn't it!

So after logging in to B with forwarding enabled, ssh user@CIP logs in to C using the key that the agent on A holds.

Security issues

But the convenience comes with a matching security risk. ssh-agent works through a Unix-domain socket: on A the agent listens on it, and with forwarding enabled, sshd on B creates a corresponding socket under /tmp and relays every request made on it back to your agent on A. ssh-add -l shows the loaded keys, and the socket file is visible in /tmp. If another user on B has more privileges than you (root, or anyone who can get past the socket's file permissions), all they need to do is run SSH_AUTH_SOCK=/tmp/ssh-jlhtX14952/agent.14952; export SSH_AUTH_SOCK; and from then on their ssh logins use your keys, for as long as your session to B stays open. In other words, whatever machine C you can log in to, they can log in to as well, without a password. They never obtain the private key itself (signing happens on A), but they do not need it: the agent signs whatever they ask. A quick check: if ssh-add -l on B lists your keys, every process on B that can open that socket can use them.

ll /tmp/ssh-dqZQOn4916/agent.4916 
srwxr-xr-x 1 root root 0 Oct 8 10:59 /tmp/ssh-dqZQOn4916/agent.4916
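What a process that can open the forwarded socket actually gets, as an added example (Python; not code from the original post): the client half of the OpenSSH agent protocol, the same two messages that ssh-add -l and ssh send. A one-shot fake agent built into the block stands in for a /tmp/ssh-*/agent.* socket so the demo runs offline, and the ssh-ed25519 blob and comment are constructed for it. Listing identities is the reconnaissance step; the sign request is what lets the attacker authenticate to C; neither returns private key bytes, which is exactly what the ssh_config man page says.

```python
"""Speak the OpenSSH agent protocol to a Unix-domain agent socket.
Added example, not code from the original post.  Message numbers follow
draft-miller-ssh-agent, which OpenSSH implements.  The fake agent, sample
key blob and comment below are constructed for this demo.
"""
import base64, hashlib, os, socket, struct, tempfile, threading

SSH_AGENT_FAILURE = 5
SSH_AGENTC_REQUEST_IDENTITIES = 11  # what `ssh-add -l` sends
SSH_AGENT_IDENTITIES_ANSWER = 12
SSH_AGENTC_SIGN_REQUEST = 13        # what `ssh` sends to prove key possession

def _string(b):
    """SSH 'string' wire type: big-endian uint32 length, then the bytes."""
    return struct.pack(">I", len(b)) + b

# Framed SSH_AGENTC_REQUEST_IDENTITIES; the message carries no payload.
REQUEST_IDENTITIES_MSG = _string(bytes([SSH_AGENTC_REQUEST_IDENTITIES]))

def _read_string(buf, off):
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated string")
    return buf[off:off + n], off + n

def build_sign_request(key_blob, data, flags=0):
    """Ask the agent to sign `data` with the key whose public blob is `key_blob`.
    Anyone who can send this to your forwarded socket can authenticate as you,
    although the private key bytes never cross the socket."""
    body = (bytes([SSH_AGENTC_SIGN_REQUEST]) + _string(key_blob)
            + _string(data) + struct.pack(">I", flags))
    return _string(body)

def build_identities_answer(identities):
    """Frame SSH_AGENT_IDENTITIES_ANSWER for [(public_blob, comment), ...]."""
    body = bytes([SSH_AGENT_IDENTITIES_ANSWER]) + struct.pack(">I", len(identities))
    for blob, comment in identities:
        body += _string(blob) + _string(comment)
    return _string(body)

def parse_identities_answer(msg):
    """Return [(key_type, public_blob, comment), ...] from a framed answer."""
    (length,) = struct.unpack_from(">I", msg, 0)
    body = msg[4:4 + length]
    if len(body) != length or body[0] != SSH_AGENT_IDENTITIES_ANSWER:
        raise ValueError("not an identities answer")
    (nkeys,) = struct.unpack_from(">I", body, 1)
    off, identities = 5, []
    for _ in range(nkeys):
        blob, off = _read_string(body, off)
        comment, off = _read_string(body, off)
        key_type, _ = _read_string(blob, 0)  # a public blob starts with its type
        identities.append((key_type.decode(), blob, comment.decode("utf-8", "replace")))
    return identities

def fingerprint(blob):
    """SHA256 fingerprint in the form `ssh-add -l` prints (unpadded base64)."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("agent closed the socket")
        buf += chunk
    return buf

def agent_exchange(sock_path, request):
    """Send one framed request to the agent at sock_path and return the framed reply."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(sock_path)
        s.sendall(request)
        header = _recv_exact(s, 4)
        return header + _recv_exact(s, struct.unpack(">I", header)[0])

def list_identities(sock_path):
    """Equivalent of `SSH_AUTH_SOCK=<sock_path> ssh-add -l`."""
    return parse_identities_answer(agent_exchange(sock_path, REQUEST_IDENTITIES_MSG))

def start_fake_agent(identities):
    """One-shot stand-in for ssh-agent so the demo runs offline: answers a
    REQUEST_IDENTITIES with `identities` and anything else with FAILURE."""
    sock_path = os.path.join(tempfile.mkdtemp(prefix="ssh-"), "agent.0")
    server = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    server.bind(sock_path)
    server.listen(1)

    def serve():
        conn, _ = server.accept()
        with server, conn:
            body = _recv_exact(conn, struct.unpack(">I", _recv_exact(conn, 4))[0])
            if body[0] == SSH_AGENTC_REQUEST_IDENTITIES:
                conn.sendall(build_identities_answer(identities))
            else:
                conn.sendall(_string(bytes([SSH_AGENT_FAILURE])))

    threading.Thread(target=serve, daemon=True).start()
    return sock_path

# Constructed sample identity: an ssh-ed25519 public blob with 32 dummy key bytes.
SAMPLE_BLOB = _string(b"ssh-ed25519") + _string(bytes(range(32)))
SAMPLE_IDENTITIES = [(SAMPLE_BLOB, b"dev@laptop")]

if __name__ == "__main__":
    # In the attack described above, the path would be a /tmp/ssh-*/agent.* socket found on B.
    for key_type, blob, comment in list_identities(start_fake_agent(SAMPLE_IDENTITIES)):
        print(f"256 {fingerprint(blob)} {comment} ({key_type})")
```

Point list_identities at a real forwarded socket path and its output matches ssh-add -l for that session; the fake agent refuses sign requests, a real one would answer them with a signature that the requester can present to C. Checking whether anything on B is talking to your socket is not possible from A, which is why the alternatives below avoid forwarding altogether.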

Improvements

ssh -t

ssh accepts the -t option, which lets you reach C directly from A in one command, for example as below. Note that the inner ssh runs on B, so B authenticates to C with its own credentials (you get C's password prompt through the forced tty, or B needs a key that C accepts); the agent on A is not involved at all, which is why this avoids the forwarding problem.

ssh -p 22 -t root@$BIP "ssh root@$CIP"
#-t Force pseudo-terminal allocation. This can be used to execute arbitrary screen-based programs on a remote machine, which can be very useful, e.g. when implementing menu services. Multiple -t options force tty allocation, even if ssh has no local tty.

ProxyCommand

ssh has a ProxyCommand option that specifies a command to use as a proxy when connecting to the server. Consider the following ssh config, which pairs it with the -W option (uppercase; lowercase -w is the tun device option):

Host center
User root
Hostname 1.2.3.4
Port 10022

Host yjw
User root
Hostname 192.168.31.254
Port 22
ProxyCommand ssh -q -W %h:%p center

ProxyCommand

>          Specifies the command to use to connect to the server.  The command string extends to the end of the line, and is executed with the user’s shell. In the command string, ‘%h’ will be substituted by the host name to connect and ‘%p’ by the port. The command can be basically anything, and should read from its standard input and write to its standard output. It should eventually connect an sshd(8) server running on some machine, or execute sshd -i somewhere. Host key management will be done using the HostName of the host being connected (defaulting to the name typed by the user). Setting the command to “none” disables this option entirely. Note that CheckHostIP is not available for connects with a proxy command.
>
> This directive is useful in conjunction with nc(1) and its proxy support. For example, the following directive would connect via an HTTP proxy at 192.0.2.0:
>
> ProxyCommand /usr/bin/nc -X connect -x 192.0.2.0:8080 %h %p
>
-W host:port
        Requests that standard input and output on the client be forwarded to host on port over the secure channel.  Implies -N, -T, ExitOnForwardFailure and ClearAllForwardings.  Works with Protocol version 2 only.

ProxyJump

OpenSSH 7.3 and later support a new directive, ProxyJump (and the equivalent -J command line option), which does the same as the ProxyCommand/-W pattern with less typing. In the config below, ssh first connects to jumphost1.example.org as user1, then opens a TCP forward through it to 192.168.5.38 and runs the second ssh handshake over that forward. The jump host only relays encrypted traffic: it never needs the agent, and your public key has to be accepted by both the jump host and the target (if the jump host needs its own settings, give it its own Host stanza).

Host server2
HostName 192.168.5.38
ProxyJump user1@jumphost1.example.org:22
User fred

-J [user@]host[:port]

Connect to the target host by first making a ssh connection to the jump host and then establishing a TCP forwarding to the ultimate destination from there. Multiple jump hops may be specified separated by comma characters. This is a shortcut to specify a ProxyJump configuration directive.

ProxyJump Specifies one or more jump proxies as [user@]host[:port]. Multiple proxies may be separated by comma characters and will be visited sequentially. Setting this option will cause ssh(1) to connect to the target host by first making a ssh(1) connection to the specified ProxyJump host and then establishing a TCP forwarding to the ultimate target from there. Note that this option will compete with the ProxyCommand option - whichever is specified first will prevent later instances of the other from taking effect.


When reposting, please credit the source: http://just4fun.im/2017/10/02/ssh与堡垒机/ . Respect knowledge, thank you :)