ssh通过跳板机免密登陆

场景1 （A没有C的密码）

• A 可以免密登陆 B
• B 可以免密登陆 C
• A 不能免密登陆 C

需要：A通过B（跳板机）免密登陆C

方法参考https://serverfault.com/questions/337274/ssh-from-a-through-b-to-c-using-private-key-on-b

eval `ssh-agent -s`

# 两个user可以不同，分别能免密登陆即可
# 私钥文件不是默认路径，可以在ssh-add后指定
ssh -o ProxyCommand='ssh -T -q -o "ForwardAgent yes" user@hostB:portB "ssh-add -t 1 && nc %h %p"' user@hostC:portC

参数的解释：

• ssh -T -q indicates that it should not allocate a pseudo-TTY (-T) and be quiet (-q);
• once on the jump host B, we add the key to the SSH keys of A through ssh-add;
• which only works because we forwarded the SSH agent using -o ‘ForwardAgent yes’.
• ssh-add -t 1 indicates that I want the key to be added only for the 1 second needed to authenticate to the final host C;
• and finally, nc %h %p initiates a netcat connection to the final host %h at port %p (both which will be filled out by SSH based on the information in the ~/.ssh/config file).

如果频繁使用，可以写入~/.ssh/config:

Host B
 User myusername
 HostName b.mycompany.com

Host C
 User myusername
 HostName c.intranet.mycompany.com
 ProxyCommand ssh -T -q -o 'ForwardAgent yes' B 'ssh-add -t 1 && nc %h %p'

可能遇到问题

Could not open a connection to your authentication agent.

可能有两个原因

1. ssh-agent未启动或环境变量未设置

# 查看进程是否启动，环境变量是否正确
ps -ef |grep ssh-agent
echo $SSH_AUTH_SOCK

# 可可重新启动
ssh-agent -s
# 复制输出的结果，手工执行导出两个环境变量

2. B上未开启AgentForwarding

# 开启sshd配置
vim /etc/ssh/sshd_config
 
AllowAgentForwarding yes
 
 
# 重启ssh
systemctl restart sshd

场景2 （A与C网络不直达）

• A 可以免密登陆 B
• B 与C网络可达，不需要免密登陆C
• A 与C网络不可达
• C 有A的公钥，即C的~/.ssh/authorized_keys里有A的id_rsa.pub

需要A通过B（跳板机）免密登陆C

直接执行

ssh -J user@hostB:portB user@hostC:portC