Preface
When a company deploys servers on the Internet, it sets up a jump server. To access the company's other servers, you must SSH to them from the jump server (the firewall rules are configured accordingly). As mentioned above, Internet-facing servers must basically be logged on to with a certificate (key pair). As a result, the login path is: local SSH client -> jump server -> target machine. With password verification this problem does not exist, but with certificate login it brings about an SSH key forwarding problem.
Linux SSH client key forwarding
On a Linux client, the first hop is usually made with the command
ssh blue@<jump server IP address>
Then, on the jump server, we jump to the target machine:
ssh blue@<target machine IP address>
On both the jump server and the target machine, the public key has already been added to .ssh/authorized_keys under the blue account. The configuration is correct, but the second hop fails with a public key authorization error, because the jump server does not have blue's private key. There are always problems, and there are always solutions: SSH provides a key forwarding function, so when we jump from the local machine to the jump server we can forward the key.
Therefore, the correct method is to run this command on the local Linux client:
ssh -A blue@<jump server IP address>
-A enables key forwarding (agent forwarding): the connection to the local authentication agent is forwarded to the jump server, so the key can be used from there.
Next, run this command on the jump server:
ssh -A blue@<target machine IP address>
The -A parameter here is not necessary. If you do not need to jump from the target machine to yet another machine, you do not need to continue forwarding the key.
In addition, you can change the local client's default configuration file so that key forwarding is enabled by default:
Modify ssh_config (not sshd_config; usually in /etc or /etc/ssh): change "# ForwardAgent no" to "ForwardAgent yes".
Whether the jump server also needs this configuration depends, likewise, on your needs.
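Changing the default in ssh_config enables forwarding for every host the client connects to, and anyone who can reach the forwarded agent socket on such a host can use the key while the session is open. The following shell check is an added example, not part of the original article: it reports the scope of each enabled ForwardAgent line in a config file. The sample configs, the host alias jump and the address 192.0.2.10 are constructed for illustration.

```shell
#!/bin/sh
# Added example: list the scope of every enabled ForwardAgent line in an
# ssh_config-style file. "global" means the setting applies to all hosts.
forwardagent_scopes() {
    awk '
        BEGIN { scope = "global" }            # lines before the first Host block
        {
            sub(/^[ \t]+/, "")                # drop indentation
            if ($0 == "" || $0 ~ /^#/) next   # skip blank lines and comments
            sub(/[ \t]*=[ \t]*/, " ")         # "Key=value" is also valid syntax
            key = tolower($1)                 # keywords are case-insensitive
            if (key == "host" || key == "match") {
                $1 = ""; sub(/^[ \t]+/, "")   # keep only the patterns
                if ((key == "host" && $0 == "*") || (key == "match" && $0 == "all"))
                    scope = "global"
                else
                    scope = key ":" $0
                next
            }
            # Any value other than "no" enables forwarding.
            if (key == "forwardagent" && tolower($2) != "no") print scope
        }
    ' "$1"
}

# Succeeds (exit 0) when forwarding is enabled for all hosts.
global_forwarding_enabled() {
    forwardagent_scopes "$1" | grep -qx 'global'
}

# Constructed sample configs (assumed host alias "jump", address 192.0.2.10).
sample_dir=$(mktemp -d)
trap 'rm -rf "$sample_dir"' EXIT
cat > "$sample_dir/global" <<'EOF'
# ForwardAgent no
ForwardAgent yes
EOF
cat > "$sample_dir/scoped" <<'EOF'
Host jump
    HostName 192.0.2.10
    User blue
    ForwardAgent yes
Host *
    ForwardAgent no
EOF

for f in global scoped; do
    echo "$f: $(forwardagent_scopes "$sample_dir/$f" | tr '\n' ' ')"
done
```

The "scoped" sample forwards the agent only to the jump server and keeps it off for every other host, which matches the single hop described above.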
Windows SecureCRT key forwarding
Configure agent forwarding in SecureCRT on Windows.
Here, we only configure the client to forward the key when it jumps to the jump server. Whether the jump server forwards the key any further is decided as described above.