
Using an autossh reverse proxy for NAT traversal (内网穿透)

芮宇航
2023-12-01

I. Required environment

The goal of this post is to make a Linux host that can reach the Internet but has no public IP reachable through a public IP.
PC1: a Linux host that can reach the public Internet but has no public IP
PC2: a Linux server with a public IP, IP: 123.57.14.71
Both PC1 and PC2 need the ssh service, and PC1 also needs autossh.
# install autossh
sudo apt update
sudo apt install autossh

II. Configure passwordless ssh login (operations on PC1)

1. Generate a key pair

[shanx@ubuntu ~ 01:43 #2]$ sudo bash
[root@ubuntu ~ 01:43 #3]$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:MJ123XEhj43z0IZ8213pmUVvkDoIwR8ng5Zj6123qMM root@ubuntu
The key's randomart image is:
+---[RSA 2048]----+
|     ..+=so.  ...|
|      .oXW+ . .oo|
|      ooX=** . .=|
|       +.*ooo..o+|
|       .SQo ...+ |
|        o o      |
|       . B o     |
|        EF. .    |
|   M    .A       |
+----[SHA256]-----+
The generated key pair files are: /root/.ssh/id_rsa and /root/.ssh/id_rsa.pub

2. Copy the public key to the server that has the public IP

[root@ubuntu ~ 01:45 #5]$ ssh-copy-id -i /root/.ssh/id_rsa.pub root@123.57.14.71
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
The authenticity of host '123.57.14.71 (123.57.14.71)' can't be established.
ECDSA key fingerprint is SHA256:o2wkGhBKaBCRz7hgBLAh6Et9VvLKV9nIqiXxhmeV1rU.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@123.57.14.71's password:

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'root@123.57.14.71'"
and check to make sure that only the key(s) you wanted were added.

3. Verify the result

[root@ubuntu ~ 02:34 #7]$ ssh root@123.57.14.71
Last failed login: Sat Jul 18 10:42:20 CST 2020 from 115.171.45.135 on ssh:notty
There were 865 failed login attempts since the last successful login.
Last login: Tue Jul 14 23:15:46 2020 from 115.171.45.135

Welcome to Alibaba Cloud Elastic Compute Service !
You can now log in to your server without a password.

If you still have questions about passwordless login, see: a detailed explanation of passwordless ssh login

III. Using autossh (operations on PC1)

[root@ubuntu ~ 02:56 #9]$ autossh -M 10051 -fCNR 10050:0.0.0.0:22 root@123.57.14.71
[root@ubuntu ~ 02:58 #10]$ ps -aux | grep 10051
root        882  0.0  0.0   4528    76 ?        Ss   01:50   0:00 /usr/lib/autossh/autossh -M 10051 -CNR  10050:0.0.0.0:22 root@123.57.14.71
root        884  0.0  0.0  56784  7288 ?        S    01:50   0:00 /usr/bin/ssh -L 10051:127.0.0.1:10051 -R 10051:127.0.0.1:10052 -CNR 10050:0.0.0.0:22 root@123.57.14.71
root       1976  0.0  0.0  14408  1080 pts/0    R+   02:59   0:00 grep --color=auto 10051
[root@ubuntu ~ 03:00 #11]$
autossh -M 10051 -fCNR 10050:0.0.0.0:22 root@123.57.14.71
autossh parameters:
    -M 10051            a monitoring port: the ssh session can time out and exit, so a port is needed to monitor the state of the ssh connection
    -fCNR               f: run in the background (autossh runs in the background by default)
                        C: allow data compression
                        N: do not execute remote commands
                        R: forward a port on the remote host (the server) to a specified port on a specified machine on the local side
    10050:0.0.0.0:22    specifies which address and port on PC2 map to PC1; 0.0.0.0 means all IPs. This parameter maps every ssh connection arriving at port 10050 on PC2 to port 22 on PC1
    root@123.57.14.71   username and IP of the server PC2

If, after running the command, you can see a process like /usr/bin/ssh -L 10051:127.0.0.1:10051 -R 10051:127.0.0.1:10052 -CNR 10050:0.0.0.0:22 root@123.57.14.71, the program started normally.

To test, run ssh -p 10050 shanxin@123.57.14.71 on any machine and you will be connected to PC1.
Next, just set this command to run at boot and you can connect to PC1 anytime, from anywhere.
[root@ubuntu ~ 03:25 #13]$ ssh -p 10050 shanxin@123.57.14.71
shanx@123.57.14.71's password:
Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 4.15.0-45-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

960 packages can be updated.
0 updates are security updates.

New release '18.04.4 LTS' available.
Run 'do-release-upgrade' to upgrade to it.

Last login: Sat Jul 18 02:35:29 2020 from 127.0.0.1

IV. A supplement added much later

1. Reverse ssh is essentially port mapping

Borrowing the example above: autossh -M 10051 -fCNR 10050:0.0.0.0:22 root@123.57.14.71

1. What this command actually does is map a port of the server 123.57.14.71 to port 22 of the machine running the command.
2. It follows that we can also map local web ports such as 80 and 8080 to the public network.

Example: autossh -M 10061 -fCNR 10060:0.0.0.0:80 root@123.57.14.71
Once the command above runs successfully, opening 123.57.14.71:10060 in any browser is equivalent to opening the local 127.0.0.1:80.
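The forwarding spec in these commands deserves a closer look: ssh's -R syntax is [bind_address:]port:host:hostport, so in 10050:0.0.0.0:22 the 0.0.0.0 is the target host on the PC1 side, and the port opened on PC2 binds to loopback unless a bind_address is given and sshd on PC2 has GatewayPorts enabled. The script below is an added example (mine, not from the original post) that parses a -R spec and reads a constructed `ss -tln` listing to report whether the forwarded ssh or web port from sections III and IV.1 is reachable only from PC2 itself or from the whole Internet; SS_SAMPLE, parse_r_spec, listen_addr and tunnel_reachability are names I made up.

```shell
#!/bin/sh
# Added example, not from the original post. ssh -R syntax is
# [bind_address:]port:host:hostport, so in "10050:0.0.0.0:22" the 0.0.0.0 is
# the target on the PC1 side; PC2 then listens on 127.0.0.1:10050 only.
# "0.0.0.0:10050:127.0.0.1:22" asks PC2 to listen on all interfaces, which
# sshd honours only with "GatewayPorts yes" in its sshd_config.

# parse_r_spec SPEC -> "bind port host hostport" ("-" when no bind_address)
parse_r_spec() {
    fields=$(printf '%s' "$1" | tr ':' ' ')
    case $(printf '%s' "$1" | awk -F: '{print NF}') in
        3) printf '%s %s\n' '-' "$fields" ;;
        4) printf '%s\n' "$fields" ;;
        *) echo "invalid -R spec: $1" >&2; return 1 ;;
    esac
}

# Constructed sample of `ss -tln` on PC2 with the post's tunnel up: the
# forwarded port 10050 and the -M monitor port 10051 are loopback-only.
SS_SAMPLE='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      128    127.0.0.1:10050     0.0.0.0:*
LISTEN 0      128    127.0.0.1:10051     0.0.0.0:*'

# listen_addr PORT [SS_OUTPUT] -> address PORT is bound to, or "none"
listen_addr() {
    addr=$(printf '%s\n' "${2:-$SS_SAMPLE}" | awk -v p="$1" '
        $1 == "LISTEN" {
            n = split($4, a, ":")
            if (a[n] == p) { print substr($4, 1, length($4) - length(p) - 1); exit }
        }')
    printf '%s\n' "${addr:-none}"
}

# tunnel_reachability SPEC [SS_OUTPUT]
#   -> "loopback-only" (usable from PC2 itself), "public" (any client on the
#      Internet can reach PC1 through it), or "not-listening" (tunnel is down)
tunnel_reachability() {
    ss_out=${2:-$SS_SAMPLE}
    parts=$(parse_r_spec "$1") || return 1
    set -- $parts
    case $(listen_addr "$2" "$ss_out") in
        none)               echo not-listening ;;
        127.*|::1|"[::1]")  echo loopback-only ;;
        *)                  echo public ;;
    esac
}

tunnel_reachability 10050:0.0.0.0:22   # the post's tunnel: loopback-only
```

To check a real tunnel, run `ss -tln` on PC2 and pass its output as the second argument. A "public" result means any host on the Internet can reach that port of PC1, so keep the forward loopback-only unless that exposure is intended.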

2. What the ssh-copy-id command actually does

# Copying the earlier command here: ssh-copy-id -i /root/.ssh/id_rsa.pub root@123.57.14.71
# About the parameter -i /root/.ssh/id_rsa.pub: first, look at what this file contains
[root@ubuntu ~ 03:25 #13]$ sudo cat /root/.ssh/id_rsa.pub
[sudo] password for shanx: 
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDe77EhZ3lWkLd3jgCVEiNWXc/NmtBEUh3WybwzOuqZ/bzAPPb38XuZzkotxxp0yTw/8aiO/QFsRJJjsnGI5Yt1sjxWLkaqpIAxIO6hGrMHj/p4Eu+FZtrEQYbc0LFG+C+vOugbCqQ0WXG1wWOzXZBdOgU8pJP/0eAvIyHn7IdVUp+YiIQ2TJyxCb6CIxviAw/utohCIfy0Il6Nvq678mQICp3ql1w8sTfwjUE/7KFApwn81YFZ6oMMiu36dWn2Ws6FKIr1+qJmxEYU4UAlfqsX/6DHxqK+i6WzBF63wsUNy7p/wlNbBjUd23bvs3axaNZKTVz8q1KYQ/X+lhXhYEpZ root@ubuntu
# The verification steps are omitted; the conclusion is that ssh-copy-id appends the contents of /root/.ssh/id_rsa.pub to the file /root/.ssh/authorized_keys on 123.57.14.71
root@VM-0-2-ubuntu:/root/.ssh# cd /root/.ssh/
root@VM-0-2-ubuntu:~/.ssh# cat authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDe77EhZ3lWkLd3jgCVEiNWXc/NmtBEUh3WybwzOuqZ/bzAPPb38XuZzkotxxp0yTw/8aiO/QFsRJJjsnGI5Yt1sjxWLkaqpIAxIO6hGrMHj/p4Eu+FZtrEQYbc0LFG+C+vOugbCqQ0WXG1wWOzXZBdOgU8pJP/0eAvIyHn7IdVUp+YiIQ2TJyxCb6CIxviAw/utohCIfy0Il6Nvq678mQICp3ql1w8sTfwjUE/7KFApwn81YFZ6oMMiu36dWn2Ws6FKIr1+qJmxEYU4UAlfqsX/6DHxqK+i6WzBF63wsUNy7p/wlNbBjUd23bvs3axaNZKTVz8q1KYQ/X+lhXhYEpZ root@ubuntu
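Since the post shows that ssh-copy-id simply appends the .pub line to authorized_keys, here is an added example (mine, not from the original post) that does the same thing locally but skips keys that are already present and sets the 700/600 permissions sshd requires on ~/.ssh and authorized_keys; install_pubkey, count_keys, demo_install_twice and the SAMPLE_PUB key are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original post: do locally what ssh-copy-id does
# on the remote side (append the .pub line to ~/.ssh/authorized_keys), plus the
# two things it is easy to forget when doing it by hand: skip keys that are
# already present, and keep the permissions sshd insists on (700 on ~/.ssh,
# 600 on authorized_keys), otherwise sshd ignores the file.

# install_pubkey PUBKEY_FILE SSH_DIR -> prints "added" or "already-present";
# returns 1 if the first line of PUBKEY_FILE is not a public key line
install_pubkey() {
    auth="$2/authorized_keys"
    key=$(sed -n '1p' "$1")
    printf '%s\n' "$key" |
        grep -Eq '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( .*)?$' ||
        { echo "not a public key line: $1" >&2; return 1; }

    mkdir -p "$2" && chmod 700 "$2"
    touch "$auth" && chmod 600 "$auth"

    # Match on "<type> <base64>" only, so a changed comment does not duplicate the key.
    keyid=$(printf '%s\n' "$key" | awk '{print $1 " " $2}')
    if awk '{print $1 " " $2}' "$auth" | grep -Fxq "$keyid"; then
        echo already-present
    else
        printf '%s\n' "$key" >> "$auth"
        echo added
    fi
}

# count_keys SSH_DIR -> number of key lines in authorized_keys
count_keys() {
    grep -Ec '^(ssh-|ecdsa-)' "$1/authorized_keys"
}

# Constructed sample key in the id_*.pub format (not a real key).
SAMPLE_PUB='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedSampleKeyDataNotARealKey00000 root@ubuntu'

# demo_install_twice -> "added already-present 1 600": the second install is a no-op
demo_install_twice() {
    tmp=$(mktemp -d)
    printf '%s\n' "$SAMPLE_PUB" > "$tmp/id_ed25519.pub"
    r1=$(install_pubkey "$tmp/id_ed25519.pub" "$tmp/.ssh")
    r2=$(install_pubkey "$tmp/id_ed25519.pub" "$tmp/.ssh")
    n=$(count_keys "$tmp/.ssh")
    mode=$(stat -c %a "$tmp/.ssh/authorized_keys" 2>/dev/null || stat -f %Lp "$tmp/.ssh/authorized_keys")
    rm -rf "$tmp"
    echo "$r1 $r2 $n $mode"
}
```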

3. Special handling for OpenWrt environments

  1. On some OpenWrt systems the ssh client is not OpenSSH but dropbear, and the key pairs dropbear generates are not interchangeable with those of OpenSSH on common Linux systems.
  2. I did not feel like writing more, so here is a link for now: https://blog.csdn.net/a30037338/article/details/71439954