ssh SendEnv does not work when used with -J (jump host)?

Question


Edit: The hint for restarting ssh after editing /etc/ssh/sshd_config solved my issue (sudo systemctl restart ssh.service on Ubuntu), but see the accepted answer for a lot more useful troubleshooting.

Original:

I have a server which I connect to via a jump host:

export MY_ENV=myvalue
ssh -o StrictHostKeyChecking=yes -o SendEnv=MY_ENV -J <myuser@jumpHostIp> <myuser@hostIp>

Both the jump host and the host have in their /etc/ssh/sshd_config:

AcceptEnv MY_ENV

Both the jump host and the host have in their /home/myuser/.ssh/authorized_keys the ssh key limiting myuser to a deploy script:

command=/home/myuser/deploy.sh ...rest of public key...

Inside this deploy.sh I would like to use $MY_ENV, however it does not work.

Is using a jump host somehow dropping the value of MY_ENV transferred by SendEnv?
If yes, is this intended, or how can I access the value of MY_ENV in deploy.sh on the host?

Answer 1

Score: 1


Edit: I refined the details regarded during our iteration process, partly dubbing some details already named in the question for better general use.


The man page of ssh states:
> Note that configuration directives supplied on the command-line generally apply to the destination host and not any specified jump hosts. Use ~/.ssh/config to specify configuration for jump hosts.

So your final destination will receive the options added by -o. As the options are not touched by the jump host, it is not necessary to configure the jump host for the variables to pass to the destination host.

Config of sshd at the destination server

As a prerequisite the destination-host's sshd service has to be configured to accept the environment variable. Wildcards are allowed:

File: /etc/ssh/sshd_config

AcceptEnv MY_*

After a change of the sshd_config the sshd has to be restarted to read the updated configuration.
(the solution for this question ...)

systemctl restart sshd

The current connection will persist when restarting the sshd (at least when using "openssh-server").

Pitfall in authorized_keys

To limit the key-usage at the destination system, an option can be added to the authorization.

File: authorized_keys with limitation to a command

The whole PublicKey-Authentication will fail, when omitting the " quotations enclosing the value of the command option:

command=/home/user/deploy.sh ssh-rsa AAAAB3NzaC1yc2EAA...

# DEBUG response of sshd:
debug1: /home/user/.ssh/authorized_keys:1: bad key options: missing start quote

Depending on the settings in sshd_config, a fallback to password-based authentication or a "Permission denied (publickey)" error will follow.

The " quotations are required, even if there is no white space in the command:

command="/home/user/deploy.sh" ssh-rsa AAAAB3NzaC1yc2EAA...

Details for the client's command

Note: Besides the command-line options these details can be configured at the client user's ~/.ssh/config.

To pass the desired variable as option at the command-line two variants are possible as syntax:

-o SendEnv=MY_ENV
-o "SendEnv MY_ENV"

Please do not forget the " quotes.

Essential for the availability of the variable is not only to set it; you have to export it:

This will fail:

MY_ENV="Value"
echo $MY_ENV
Value

... despite the fact that the variable shows up in the current shell.

Required:

export MY_ENV="Value"
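As an added example (not part of the original answer), a small POSIX sh pre-flight check for the three pitfalls above: whether the AcceptEnv patterns in an sshd_config admit the variable name (wildcards included, commented-out lines ignored), whether an authorized_keys command= option is quoted, and whether the variable is actually exported. The sample config and key lines are constructed; the function names are my own.

```shell
#!/bin/sh
# Added pre-flight check for the pitfalls in the answer above. Example code,
# not from the original post; sample config and key lines are constructed.

# 1. Does any AcceptEnv line in the sshd_config text ($1) admit the variable
#    named in $2? Patterns may use * and ? wildcards. Only lines whose first
#    word is AcceptEnv count, so "#AcceptEnv ..." is correctly ignored.
accept_env_allows() {
  printf '%s\n' "$1" |
    awk 'tolower($1)=="acceptenv" { for (i = 2; i <= NF; i++) print $i }' |
    { while IFS= read -r pat; do
        case "$2" in $pat) exit 0 ;; esac   # glob match; no field splitting here
      done; exit 1; }
}

# 2. Flag the "missing start quote" pitfall: a command= option must be quoted
#    even when the path has no spaces. Returns 0 for a usable line, 1 for the
#    broken form. Only lines that begin with command= are inspected.
authorized_keys_line_ok() {
  case "$1" in
    command=\"*\"\ *) return 0 ;;
    command=*)        return 1 ;;
    *)                return 0 ;;
  esac
}

# 3. SendEnv can only forward variables that reach the ssh process, i.e.
#    exported ones. env(1) lists exported variables only, so a plain
#    assignment in the current shell is (correctly) not found here.
var_is_exported() {
  env | grep -q "^$1="
}

# Constructed samples mirroring the question (key material shortened).
SAMPLE_SSHD_CONFIG='Port 22
#AcceptEnv LANG
AcceptEnv MY_* LC_*'
SAMPLE_KEY_BAD='command=/home/user/deploy.sh ssh-rsa AAAAB3NzaC1yc2EAA...'
SAMPLE_KEY_GOOD='command="/home/user/deploy.sh" ssh-rsa AAAAB3NzaC1yc2EAA...'

if accept_env_allows "$SAMPLE_SSHD_CONFIG" MY_ENV; then echo "AcceptEnv admits MY_ENV"; fi
if ! authorized_keys_line_ok "$SAMPLE_KEY_BAD"; then echo "authorized_keys: unquoted command="; fi
if authorized_keys_line_ok "$SAMPLE_KEY_GOOD"; then echo "authorized_keys: quoted command= is fine"; fi
DEMO_SET=Value; export DEMO_EXPORTED=Value
if ! var_is_exported DEMO_SET; then echo "DEMO_SET is set but not exported: SendEnv would miss it"; fi
if var_is_exported DEMO_EXPORTED; then echo "DEMO_EXPORTED is exported: SendEnv can forward it"; fi
```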

huangapple
  • Posted on 2023-03-31 20:16:40
  • Please keep this link when reposting: https://go.coder-hub.com/75898440.html