How to SSH to a server behind another SSH server using JSch?


Problem description

I need to be able to ssh from a Java program into a remote server, and from there SSH to another server. I have credentials for both servers on my client.

The commands will be passed automatically from within the app as regular strings (no user input). I need to be able to run those custom commands on the second server and be able to decide what commands to issue during runtime, based on the output and some simple logic.

Can I use JSch to do that and if yes, where should I start looking? (Examples, info)

=============================================================

Added:


Exception in thread "main" com.jcraft.jsch.JSchException: UnknownHostKey: host.net. RSA key fingerprint is 'blahblahblah'

Until now, I have been solving this problem by modifying the known_hosts file and adding the host manually in there. Can I bypass this little problem by setting an option somewhere telling JSch to press YES automatically when this YES-NO question is asked?

Recommended answer

To connect to a second server behind a firewall, there are in principle two options.

The naive one would be to call ssh on the first server (from an exec channel), indicating the right server. This would need agent forwarding with JSch, and also doesn't provide the JSch API to access the second server, only the ssh command line.

The better one would be to use the connection to the first server to build up a TCP tunnel, and use this tunnel to connect to the second server. The JSch Wiki contains a ProxySSH class (together with some example code) which allows using a JSch session as a tunnel for a second JSch session. (Disclaimer: This class was written mainly by me, with some support from the JSch author.)

When you have your connection to the second server, use either a shell channel or a series of exec channels to execute your commands. (See Shell, Exec or Subsystem Channel in the JSch Wiki for an overview, and the Javadocs for details.)

For the unknown-host-key problem:

The secure version would be to collect all host keys (in a secure way) before and put them in the known_hosts file. (If you simply trust the key which is presented to you, you are vulnerable to a man-in-the-middle attack. If these are of no concern in your network, since it is physically secured, good for you.)

The convenient version is setting the configuration option StrictHostKeyChecking to no - this will add unknown host keys to the host keys file:

JSch.setConfig("StrictHostKeyChecking", "no");

(You can also set it individually on the sessions, if you only want to set it for the proxied sessions and not for the tunnel session. Or override it for the tunnel session with yes or ask - there the MITM danger might be greater.)

A middle way would be to enable actually asking the user (which then should compare the fingerprints to some list) - for this, implement the UserInfo interface and provide the object to the session. (The JSch Wiki contains an example implementation using Swing JOptionPanes, which you can simply use if your client program runs on a system with GUI.)

For the saving of accepted host keys to work, you must use the JSch.setKnownHosts method with a file name argument, not the one with an InputStream argument - else your accepting will have to be repeated for each restart of your client.
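
The tunnel approach and the secure host-key option from the answer above, combined in an added example that is not from the original post or the JSch Wiki. It uses JSch's local port forwarding instead of the wiki's ProxySSH class; host names, user names, file paths and the commands are placeholder assumptions.

```java
import com.jcraft.jsch.ChannelExec;
import com.jcraft.jsch.JSch;
import com.jcraft.jsch.JSchException;
import com.jcraft.jsch.Session;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;

public class TunnelledExec {
    // Placeholder values (assumptions): replace with your own hosts, users and paths.
    static final String GATEWAY = "gateway.example.net", INNER = "inner.example.net";
    static final String KNOWN_HOSTS = "/home/app/.ssh/known_hosts";
    static final String KEY_FILE = "/home/app/.ssh/id_rsa";

    static Session open(JSch jsch, String user, String host, int port, String alias)
            throws JSchException {
        Session s = jsch.getSession(user, host, port);
        s.setConfig("StrictHostKeyChecking", "yes"); // reject keys not in known_hosts
        if (alias != null) s.setHostKeyAlias(alias);  // look the key up under the real name
        s.connect(10_000);
        return s;
    }

    static String exec(Session s, String command) throws JSchException, IOException {
        ChannelExec ch = (ChannelExec) s.openChannel("exec");
        ch.setCommand(command);
        InputStream out = ch.getInputStream(); // must be obtained before connect()
        ch.connect();
        try {
            return new String(out.readAllBytes(), StandardCharsets.UTF_8);
        } finally { ch.disconnect(); }
    }

    public static void main(String[] args) throws Exception {
        JSch jsch = new JSch();
        jsch.setKnownHosts(KNOWN_HOSTS); // file-name overload, pre-populated with both keys
        jsch.addIdentity(KEY_FILE);
        Session gateway = open(jsch, "user1", GATEWAY, 22, null);
        try {
            // Port 0 lets JSch choose a free local port, forwarded to INNER:22.
            int localPort = gateway.setPortForwardingL(0, INNER, 22);
            Session inner = open(jsch, "user2", "127.0.0.1", localPort, INNER);
            try {
                String uptime = exec(inner, "uptime");
                // Simple runtime logic: choose the next command from the output.
                String next = uptime.contains("load average") ? "df -h" : "uname -a";
                System.out.print(exec(inner, next));
            } finally { inner.disconnect(); }
        } finally { gateway.disconnect(); }
    }
}
```

Without `setHostKeyAlias`, the second session's key would be checked against `127.0.0.1` rather than the inner server's own known_hosts entry.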
