使用代理在多台机器上进行 Python ssh 隧道传输

Question

A little context is in order for this question: I am making an application that copies files/folders from one machine to another in python. The connection must be able to go through multiple machines. I quite literally have the machines connected in serial so I have to hop through them until I get to the correct one.

Currently, I am using python's subprocess module (Popen). As a very simplistic example I have

import subprocess

# need to set strict host checking to no since we connect to different
# machines over localhost
tunnel_string = "ssh -oStrictHostKeyChecking=no -L9999:127.0.0.1:9999 -ACt machine1 ssh -L9999:127.0.0.1:22 -ACt -N machineN"

proc = subprocess.Popen(tunnel_string.split())
# Do work, copy files etc. over ssh on localhost with port 9999
proc.terminate()

My question: When doing it like this, I cannot seem to get agent forwarding to work, which is essential in something like this. Is there a way to do this?

I tried using the shell=True keyword in Popen like so

tunnel_string = "eval `ssh-agent` && ssh-add && ssh -oStrictHostKeyChecking=no -L9999:127.0.0.1:9999 -ACt machine1 ssh -L9999:127.0.0.1:22 -ACt -N machineN"

proc = subprocess.Popen(tunnel_string, shell=True)
# etc

The problem with this is that the name of the machines is given by user input, meaning they could easily inject malicious shell code. A second problem is that I then have a new ssh-agent process running every time I make a connection.

I have a nice function in my bashrc which identifies already running ssh-agents and sets the appropriate environment variables and adds my ssh key, but of cource subprocess cannot reference functions defined in my bashrc. I tried setting the executable="/bin/bash" variable with shell=True in Popen to no avail.

Answer 1

You should give Fabric a try.

It provides a basic suite of operations for executing local or remote shell commands (normally or via sudo) and uploading/downloading files, as well as auxiliary functionality such as prompting the running user for input, or aborting execution.

The program below will give you a test run. First install fabric with pip install fabric then save the code below in fabfile.py

from fabric.api import *

env.hosts = ['server url/IP'] #change to ur server.
env.user = #username for the server
env.password = #password

def run_interactive():
    with settings(warn_only = True)
    cmd = 'clear'
    while cmd is not 'stop fabric':
        run(cmd)
        cmd = raw_input('Command to run on server')

Change to the directory containing your fabfile and run fab run_interactive then each command you enter will be run on the server

Answer 2

I tested your first simplistic example and agent forwarding worked. The only think that I can see that might cause problems is that the environment variables SSH_AGENT_PID and SSH_AUTH_SOCK are not set correctly in the shell that you execute your script from. You might use ssh -v to get a better idea of where things are breaking down.

Answer 3

Try setting up a SSH config file: https://linuxize.com/post/using-the-ssh-config-file/

I frequently am required to tunnel through a bastion server and I use a configuration like so in my ~/.ssh/config file. Just change the host and user names. This also presumes that you have entries for these host names in your hosts ( /etc/hosts ) file.

Host my-bastion-server
        Hostname my-bastion-server
        User user123
        AddKeysToAgent yes
        UseKeychain yes
        ForwardAgent yes

Host my-target-host
        HostName my-target-host
        User user123
        AddKeysToAgent yes
        UseKeychain yes

I then gain access with syntax like:
ssh my-bastion-server -At 'ssh my-target-host -At'

And I issue commands against my-target-host like:
ssh my-bastion-server -AT 'ssh my-target-host -AT "ls -la"'