ssh反向隧道_什么是反向SSH隧道？（以及如何使用）

最新推荐文章于 2024-10-05 15:18:26 发布

cumai3211

最新推荐文章于 2024-10-05 15:18:26 发布

阅读量3.8k

点赞数 2

文章标签：网络 linux java python ssh

原文链接：https://www.howtogeek.com/428413/what-is-reverse-ssh-tunneling-and-how-to-use-it/

版权

ssh反向隧道

SSH prompt on a laptop — Eny Setiyowati/Shutterstock.com Eny Setiyowati / Shutterstock.com

Need to SSH to an unreachable Linux computer? Have it call you, then burrow down that connection to get your own remote SSH session. We show you how.

需要通过SSH连接到无法访问Linux计算机吗？让它打电话给您，然后深入该连接以获取您自己的远程SSH会话。我们向您展示如何。

当您想使用反向SSH隧道时 (When You’ll Want to Use Reverse SSH Tunneling)

Sometimes, remote computers can be hard to reach. The site they are located at may have tight firewall rules in place, or perhaps the local admin has set up complex Network Address Translation rules. How do you reach such a computer if you need to connect to it?

有时，远程计算机可能很难到达。他们所在的站点可能具有严格的防火墙规则，或者本地管理员已经设置了复杂的网络地址转换规则。如果需要连接到这样的计算机，该如何找到它？

Let’s establish some labels. Your computer is the local computer because it is near you. The computer you are going to connect to is the remote computer because it is in a different location than you.

让我们建立一些标签。您的计算机是本地计算机，因为它在您附近。您要连接的计算机是远程计算机，因为它与您的位置不同。

To differentiate between the local and remote computers used in this article, the remote computer is called “howtogeek” and is running Ubuntu Linux (with purple terminal windows). The local computer is called “Sulaco” and is running Manjaro Linux (with yellow terminal windows).

为了区分本文中使用的本地计算机和远程计算机，该远程计算机称为“ howtogeek”，并运行Ubuntu Linux(带有紫色终端窗口)。本地计算机称为“ Sulaco”，并且正在运行Manjaro Linux(带有黄色的终端窗口)。

Normally you’d fire up an SSH connection from the local computer and connect to the remote computer. That isn’t an option in the networking scenario we’re describing. It really doesn’t matter what the specific network issue is—this is useful whenever you can’t SSH straight to a remote computer.

通常，您需要从本地计算机启动SSH连接，然后连接到远程计算机。在我们描述的网络场景中，这不是一个选择。实际上，具体的网络问题是什么都没关系-每当您无法直接通过SSH直接连接到远程计算机时，此功能就很有用。

But if the networking configuration on your end is straightforward, the remote computer can connect to you. That alone isn’t sufficient for your needs, however, because it doesn’t provide you with a working command-line session on the remote computer. But it is a start. You have an established connection between the two computers.

但是，如果您一端的网络配置很简单，则远程计算机可以连接到您。但是，仅凭此一项不足以满足您的需求，因为它不能为您提供远程计算机上有效的命令行会话。但这是一个开始。您在两台计算机之间建立了连接。

The answer lies in reverse SSH tunneling.

答案在于反向SSH隧道。

什么是反向SSH隧道？ (What Is Reverse SSH Tunneling?)

Reverse SSH tunneling allows you to use that established connection to set up a new connection from your local computer back to the remote computer.

反向SSH隧道允许您使用已建立的连接来建立从本地计算机到远程计算机的新连接。

Because the original connection came from the remote computer to you, using it to go in the other direction is using it “in reverse.” And because SSH is secure, you’re putting a secure connection inside an existing secure connection. This means your connection to the remote computer acts as a private tunnel inside the original connection.

因为原始连接是从远程计算机到您的，所以将其用于另一个方向就是“反向”使用它。而且由于SSH是安全的，因此您要将安全连接放在现有的安全连接中。这意味着您与远程计算机的连接充当原始连接内的专用隧道。

And so we arrive at the name “reverse SSH tunneling.”

因此，我们将其命名为“反向SSH隧道”。

它是如何工作的？ (How Does It Work?)

Reverse SSH tunneling relies on the remote computer using the established connection to listen for new connection requests from the local computer.

反向SSH隧道依赖于使用已建立连接的远程计算机来侦听来自本地计算机的新连接请求。

The remote computer listens on a network port on the local computer. If it detects an SSH request to that port, it relays that connection request back to itself, down the established connection. This provides a new connection from the local computer to the remote computer.

远程计算机在本地计算机上的网络端口上侦听。如果它检测到对该端口的SSH请求，则会通过已建立的连接将该连接请求中继回自身。这提供了从本地计算机到远程计算机的新连接。

It’s easier to set up than it is to describe.

设置起来比描述起来容易。

使用SSH反向隧道 (Using SSH Reverse Tunneling)

SSH will already be installed on your Linux computer, but you may need to start the SSH daemon (sshd) if the local computer has never accepted SSH connections before.

SSH已经安装在Linux计算机上，但是如果本地计算机以前从未接受过SSH连接，则可能需要启动SSH守护程序(sshd)。

sudo systemctl start sshd

To have the SSH daemon start each time you reboot your computer, use this command:

要在每次重新引导计算机时启动SSH守护程序，请使用以下命令：

sudo systemctl enable sshd

sudo systemctl enable sshd in a terminal window

On the remote computer, we use the following command.

在远程计算机上，我们使用以下命令。

The -R (reverse) option tells ssh that new SSH sessions must be created on the remote computer.
-R (反向)选项告诉ssh必须在远程计算机上创建新的SSH会话。
The “43022:localhost:22” tells ssh that connection requests to port 43022 on the local computer should be forwarded to port 22 on the remote computer. Port 43022 was chosen because it is listed as being unallocated. It isn’t a special number.
“ 43022：localhost：22”告诉ssh ，到本地计算机上的端口43022的连接请求应转发到远程计算机上的端口22。选择端口43022是因为它被列为未分配。这不是一个特殊的数字。
dave@sulaco.local is the user account the remote computer is going to connect to on the local computer.
dave@sulaco.local是远程计算机要在本地计算机上连接的用户帐户。

ssh -R 43022:localhost:22 dave@sulaco.local

You may get a warning about having never connected to the local computer before. Or you may see a warning as the connection details are added to the list of recognized SSH hosts. What you see—if anything—depends on whether connections have ever been made from the remote computer to the local computer.

您可能会收到有关从未连接过本地计算机的警告。或者，因为连接详细信息已添加到已识别的SSH主机列表中，您可能会看到一条警告。您看到的内容(如果有)取决于是否从远程计算机到本地计算机建立了连接。

You will be prompted for the password of the account you are using to connect to the local computer.

系统将提示您输入用于连接到本地计算机的帐户的密码。

SSH connection details in a terminal window

Note that when the connection has been made the command prompt changes from dave@howtogeek to dave@sulaco.

请注意，建立连接后，命令提示符将从dave @ howtogeek更改为dave @ sulaco。

We’re now connected to the local computer from the remote computer. That means we can issue commands to it. Let’s use the who command to see the logins on the local computer.

现在，我们已从远程计算机连接到本地计算机。这意味着我们可以向其发出命令。让我们使用who命令查看本地计算机上的登录名。

who

We can see that the person with the user account called dave has logged in to the local computer, and the remote computer has connected (using the same user credentials) from IP address 192.168.4.25.

我们可以看到，具有名为dave的用户帐户的人员已登录到本地计算机，并且远程计算机已从IP地址192.168.4.25连接(使用相同的用户凭据)。

连接到远程计算机 (Connecting to the Remote Computer)

Because the connection from the remote computer is successful, and it is listening for connections, we can try to connect to the remote computer from the local one.

因为来自远程计算机的连接成功，并且正在侦听连接，所以我们可以尝试从本地计算机连接到远程计算机。

The remote computer is listening on port 43022 on the local computer. So—somewhat counter-intuitively—to make a connection to the remote computer, we ask ssh to make a connection the local computer, on port 43022. That connection request will be forward to the remote computer.

远程计算机正在侦听本地计算机上的端口43022。因此，出于某种与直觉相反的方式，要与远程计算机建立连接，我们要求ssh在端口43022上与本地计算机建立连接。该连接请求将转发至远程计算机。

ssh localhost -p 43022

We are prompted for the user account password, then connected to the remote computer from the local computer. Our Manjaro computer happily says, “Welcome to Ubuntu 18.04.2 LTS”.

系统提示您输入用户帐户密码，然后从本地计算机连接到远程计算机。我们的Manjaro计算机愉快地说：“欢迎使用Ubuntu 18.04.2 LTS”。

reverse ssh tunnel connection to remote computer

Note that the command prompt has changed from dave@sulaco to dave@howtogeek. We’ve achieved our goal of making an SSH connection to our hard-to-reach remote computer.

请注意，命令提示符已从dave @ sulaco更改为dave @ howtogeek。我们已经实现了与难以访问的远程计算机建立SSH连接的目标。

通过密钥使用SSH (Using SSH With Keys)

To make it more convenient to connect from the remote computer to the local computer, we can set up SSH keys.

为了使从远程计算机到本地计算机的连接更加方便，我们可以设置SSH密钥。

On the remote computer, type this command:

在远程计算机上，键入以下命令：

ssh-keygen

You will be prompted for a passphrase. You can press Enter to ignore the passphrase questions, but this is not recommended. It would mean that anyone on the remote computer could make an SSH connection to your local computer without being challenged for a password.

系统将提示您输入密码。您可以按Enter键忽略密码短语问题，但是不建议这样做。这意味着远程计算机上的任何人都可以与本地计算机建立SSH连接，而无需输入密码。

Three or four words separated by symbols will make a robust passphrase.

由符号分隔的三个或四个单词将构成一个可靠的密码短语。

Your SSH keys will be generated.

将会生成您的SSH密钥。

We need to transfer the public key to the local computer. Use this command:

我们需要将公钥转移到本地计算机。使用此命令：

ssh-copy-id dave@sulaco.local

You will be prompted for the password for the user account you are logging in to, in this case, dave@sulaco.local.

系统将提示您输入要登录的用户帐户的密码，在本例中为dave@sulaco.local。

transferring SSH keys to the local computer in a terminal window

The first time you make a connection request from the remote computer to the local computer, you will have to provide the passphrase. You will not have to enter it again for future connection requests, for as long as that terminal window remains open.

第一次从远程计算机向本地计算机发出连接请求时，必须提供密码。只要该终端窗口保持打开状态，您就不必为以后的连接请求再次输入它。

并非所有隧道都令人恐惧 (Not All Tunnels Are Scary)

Some tunnels can be dark and twisty, but reverse SSH tunneling isn’t too hard to navigate if you can keep the relationship between the remote computer and local computer straight in your head. Then reverse it.

有些隧道可能是黑暗而曲折的，但是如果您可以将远程计算机和本地计算机之间的关系摆在脑海中，那么反向SSH隧道就不太难导航。然后将其反转。