Applying ssh ProxyJump dynamically based on network IP

Posted 2025-01-10 02:50:34

I have a private git server in a private network, that is accessible via a proxy jump box.

Problem: When I'm on the local network the proxy isn't needed as I can directly connect to the box.

Both situations use the same hostname.

Question: Is there a way to dynamically apply the ProxyJump configuration to the ssh command based on whether or not I'm on the network local to the git host?


Comments (2)

习ぎ惯性依靠 2025-01-17 02:50:34

You can use the Match exec directive to check your network and enable ProxyJump in your ~/.ssh/config.

Here is the syntax:

# The Match block is evaluated before the Host block, so it must name the
# same host you type on the command line; the command's exit status decides
# whether ProxyJump is set (the ! negates it: no local address -> use the jump)
Match host server.git.com !exec "ifconfig <nw adapter> | grep <local nw ip pattern>"
    ProxyJump user@<jump server>

Host server.git.com
    Hostname <git server ip>

Example:

Match host server.git.com !exec "ifconfig eth0 | grep 192.168.1.1"
    ProxyJump user@jumpserver

Host server.git.com
    Hostname 10.1.1.18
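A more robust replacement for the ifconfig | grep check in the answer above, added here as an example (not the answer's own code): a small POSIX sh helper, saved under a hypothetical path such as ~/.ssh/on-local-net, that succeeds only when one of the machine's IPv4 addresses lies inside a CIDR prefix, so 192.168.1.100 matches 192.168.1.0/24 while 192.168.10.1 does not; the ssh_config usage is in the header comment.

```sh
#!/bin/sh
# on-local-net: exit 0 when one of this machine's IPv4 addresses lies inside
# the given CIDR prefix, else exit 1. Intended use from ~/.ssh/config
# (hypothetical path), replacing the grep in the answer above:
#   Match host server.git.com !exec "~/.ssh/on-local-net 192.168.1.0/24"
#       ProxyJump user@jumpserver
set -eu
# ip4_to_int 192.168.1.37 -> 3232235813 (dotted quad to a 32-bit integer)
ip4_to_int() {
    saved_ifs=$IFS; IFS=.
    set -- $1            # split the octets into $1..$4
    IFS=$saved_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}
# in_prefix ADDR CIDR -> exit 0 if ADDR is inside CIDR (e.g. 192.168.1.0/24).
# Unlike "grep 192.168.1.1", 192.168.1.100 is accepted and 192.168.10.1 is not.
in_prefix() {
    addr=$(ip4_to_int "$1")
    net=$(ip4_to_int "${2%/*}")
    bits=${2#*/}
    if [ "$bits" -eq 0 ]; then
        mask=0           # /0 matches everything; avoids a 32-bit shift
    else
        mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    fi
    [ $(( addr & mask )) -eq $(( net & mask )) ]
}
# local_ip4_addrs: print this host's IPv4 addresses, one per line.
# Uses iproute2 where present (Linux) and falls back to ifconfig (macOS/BSD).
local_ip4_addrs() {
    if command -v ip >/dev/null 2>&1; then
        ip -o -4 addr show | awk '{ sub("/.*", "", $4); print $4 }'
    else
        ifconfig | awk '/inet / { print $2 }'
    fi
}
# any_in_prefix CIDR: read addresses from stdin, succeed if any is inside CIDR
any_in_prefix() {
    while read -r a; do
        [ -n "$a" ] && in_prefix "$a" "$1" && return 0
    done
    return 1
}
# Script entry point: the exit status is what ssh's Match exec looks at
if [ -n "${1-}" ]; then
    local_ip4_addrs | any_in_prefix "$1"
fi
```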
疯到世界奔溃 2025-01-17 02:50:34

What you are looking to accomplish is called a Bastion Host configuration. The configuration below uses SSH's Match directive combined with the nc command to detect connectivity to the remote host. If you are connected locally to the target host, no ProxyJump is used; otherwise, the connection to the remote host passes through the bastion host to establish the connection.

Note: This works on SSH v 7.3 and above and requires that the ssh daemon on the bastion host have AllowTcpForwarding enabled.

You need to configure your ~/.ssh/config like so:

# Define the Bastion Host
# "bastion" is a nickname. Call it what you want
Host bastion
    # ip address or hostname
    HostName host.example.com
    # public facing SSH port
    Port 1234
    # authorized username on the bastion host
    User username

# Remote host behind bastion
Host host-nickname
    # IP or hostname
    HostName remote.internal.com
    # Only needed if not port 22
    Port 5678
    # authorized username on the remote
    User username

# A Match line ends the Host block above, so the host is named again here;
# without "originalhost host-nickname" the probe would run for every host.
# %h and %p expand to the HostName and Port set above.
# On linux, the output of nc is silent whether true or false
# Match originalhost host-nickname !exec "nc -z -w 1 %h %p"

# On MacOS, nc prints data to STDOUT on success so suppress it
# Also, -G 1 is needed on MacOS to timeout TCP connects after 1 second
Match originalhost host-nickname !exec "nc -z -w 1 -G 1 %h %p >/dev/null 2>&1"
    ProxyJump bastion

Note that all directives after the Match directive will be executed based on the truthiness of the Match directive. So you may decide to forward ports using the LocalForward directive before the Match directive (always map the port) or after (only map the port if Match is true).

~/.ssh/config is extremely versatile and powerful. Also this configuration allows your host directives and mappings to work in any connection management application or even on the command line by simply calling ssh remote_host. It is also portable (except for OS-specific nc command options) to any host that uses ssh (Windows, Linux, MacOS, etc). This method also allows for documenting things much better using comments in the config file which isn't possible in some connection managers.

There might even be a way to use a ternary operator to call the nc command using the right options for the OS, but I haven't tried it.

I replaced a very large and complicated iTerm2-only configuration with this method so that I can easily migrate back and forth from MacOS to Linux when I need to. This is useful since my connection manager (iTerm2) is now only used for color management and other UI-specific options.

For more info see https://en.wikibooks.org/wiki/OpenSSH/Cookbook/Proxies_and_Jump_Hosts#Passing_Through_One_or_More_Gateways_Using_ProxyJump
