  • Bastion server: (bastion)

    • global IP:
    • private IP:
    • port: 22
    • user: ec2-user
    • keyfile: bastion-keyfile.pem
  • Destination server: (web)

    • private IP:
    • port: 22
    • user: ec2-user
    • keyfile: web-keyfile.pem



ssh -L 10022: -i ~/.ssh/bastion-keyfile.pem ec2-user@


Last login: Mon May  3 13:16:07 2021 from

       __|  __|_  )
       _|  (     /   Amazon Linux 2 AMI
[ec2-user@ip-10-0-0-1 ~]$


ssh -i web-keyfile.pem ec2-user@localhost -p 10022


The authenticity of host '[localhost]:10022 ([::1]:10022)' can't be established.
ECDSA key fingerprint is SHA256:xxx.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes


Warning: Permanently added '[localhost]:10022' (ECDSA) to the list of known hosts.
Last login: Sun May  2 10:54:54 2021 from

       __|  __|_  )
       _|  (     /   Amazon Linux 2 AMI

[ec2-user@ip-10-0-0-2 ~]$



Host bastion
 User ec2-user
 IdentityFile ~/.ssh/bastion-keyfile.pem
 Port 22

Host web
 User ec2-user
 IdentityFile ~/.ssh/web-keyfile.pem
 Port 22
 ProxyCommand ssh -CW %h:%p bastion

With this in place, just typing ssh bastion logs you into the web server via the bastion server.
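The host-key side of this setup deserves a check. The port-forward route stores the web server's key in known_hosts under the name [localhost]:10022 (the name shown in the "Permanently added" line above), while the ProxyCommand route stores it under the name of the Host block, web. Both names reach the same machine, so the two entries must carry the same key; if they differ, one of the sessions answered the fingerprint prompt for a different machine. The shell functions below are an added example, not code from the article, and compare the two entries; the known_hosts file, hostnames and key strings are constructed for the demo, and entries hashed by HashKnownHosts are not matched by name.

```shell
#!/bin/sh
# Added example (not from the original article). The known_hosts content and
# the key strings below are constructed for the demo; they are not real keys.

# key_for FILE HOSTNAME -> prints "keytype key" stored for HOSTNAME, or nothing.
# Plain-text entries only: HashKnownHosts entries (|1|...) cannot be matched by name.
key_for() {
    awk -v want="$2" '
        $1 !~ /^[#@]/ && NF >= 3 {
            n = split($1, names, ",")
            for (i = 1; i <= n; i++)
                if (names[i] == want) { print $2, $3; exit }
        }' "$1"
}

# same_host_key FILE NAME_A NAME_B
#   returns 0 if both names have an identical key, 1 if the keys differ,
#   2 if either name has no entry at all
same_host_key() {
    a=$(key_for "$1" "$2")
    b=$(key_for "$1" "$3")
    if [ -z "$a" ] || [ -z "$b" ]; then return 2; fi
    [ "$a" = "$b" ]
}

# demo_known_hosts FILE: write a constructed known_hosts file for the demo.
# Tunnel entries carry the port the way ssh writes them: [localhost]:10022
demo_known_hosts() {
    cat > "$1" <<'EOF'
# constructed entries, not real keys
bastion,10.0.0.1 ecdsa-sha2-nistp256 AAAAbastionKEY
[localhost]:10022 ecdsa-sha2-nistp256 AAAAwebKEY
web,10.0.0.2 ecdsa-sha2-nistp256 AAAAwebKEY
[localhost]:10023 ecdsa-sha2-nistp256 AAAAotherKEY
EOF
}

# Stand-alone run: compare the tunnel alias with the proxied name
main() {
    f=$(mktemp)
    demo_known_hosts "$f"
    if same_host_key "$f" "[localhost]:10022" web; then
        echo "OK: [localhost]:10022 and web share one host key"
    else
        echo "MISMATCH or missing entry: check which machine answered on port 10022"
    fi
    rm -f "$f"
}

main
```

To run the same comparison against your own ~/.ssh/known_hosts, call same_host_key with that path and the two names ssh recorded; the function only reads the file.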

Meaning of the ssh command's -L, -C and -W options

The ssh commands above used the -L, -C and -W options; they mean the following.
-L: set up port forwarding
-C: compress the traffic with gzip to reduce the amount of data sent
-W: relay standard input and output, forwarded to the host, over the secure channel

-L [bind_address:]port:host:hostport
-L [bind_address:]port:remote_socket
-L local_socket:host:hostport
-L local_socket:remote_socket

Specifies that connections to the given TCP port or Unix socket on the local (client) host are to be
forwarded to the given host and port, or Unix socket, on the remote side.  This works by allocating a socket
to listen to either a TCP port on the local side, optionally bound to the specified bind_address, or to a
Unix socket.  Whenever a connection is made to the local port or socket, the connection is forwarded over
the secure channel, and a connection is made to either host port hostport, or the Unix socket
remote_socket, from the remote machine.
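All four -L forms above reduce to a bind address, a local port, a target host and a target port, and the bind address is the field that matters for security: localhost keeps the listener on the loopback interface, while an empty address or * opens it to every interface, so anyone who can reach the client machine could use the tunnel to reach the web server with whatever credentials they hold. The shell functions below are an added example, not from the article or from OpenSSH; they split the TCP forms of a -L spec and flag an exposed bind address. The spec strings are constructed, and bracketed IPv6 hosts and the Unix-socket forms are not handled.

```shell
#!/bin/sh
# Added example (not from the original article or OpenSSH). Parses the TCP
# forms of an ssh -L spec: [bind_address:]port:host:hostport.
# Limits: no Unix-socket forms, no bracketed IPv6 hosts (extra colons).

# parse_forward SPEC -> prints "bind port host hostport" (bind is "default"
# when omitted, "*" when given empty); returns 1 when the spec is malformed.
parse_forward() {
    spec=$1
    fields=$(printf '%s' "$spec" | awk -F: '{print NF}')
    case $fields in
        3) bind=default; rest=$spec ;;
        4) bind=${spec%%:*}; rest=${spec#*:}
           [ -n "$bind" ] || bind='*' ;;     # ":port:host:hostport" means all interfaces
        *) return 1 ;;
    esac
    port=${rest%%:*}; rest=${rest#*:}
    host=${rest%%:*}; hostport=${rest#*:}
    [ -n "$port" ] && [ -n "$host" ] && [ -n "$hostport" ] || return 1
    case "$port$hostport" in *[!0-9]*) return 1 ;; esac   # digits only
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
    [ "$hostport" -ge 1 ] && [ "$hostport" -le 65535 ] || return 1
    printf '%s %s %s %s\n' "$bind" "$port" "$host" "$hostport"
}

# exposed_bind BIND -> 0 when clients on other machines could reach the listener.
# "default" follows GatewayPorts, which is "no" (loopback only) unless changed.
exposed_bind() {
    case $1 in
        default|localhost|127.0.0.1|::1) return 1 ;;
        *) return 0 ;;            # "*", 0.0.0.0 or a specific non-loopback address
    esac
}

# check_forward SPEC -> prints the parsed fields with an EXPOSED/loopback verdict
check_forward() {
    parsed=$(parse_forward "$1") || { echo "invalid -L spec: $1"; return 1; }
    set -- $parsed
    if exposed_bind "$1"; then
        echo "EXPOSED: $parsed (listener reachable from other hosts)"
    else
        echo "loopback: $parsed"
    fi
}

# Constructed specs; the target address is a placeholder for the web server's private IP
check_forward 10022:10.0.0.2:22
check_forward 0.0.0.0:10022:10.0.0.2:22
check_forward :10022:10.0.0.2:22
check_forward localhost:10022:10.0.0.2:22
```

Run it as a script to see the four verdicts, or pass the spec you are about to give to ssh -L to check_forward first; only the first and last of the sample specs keep the listener on the loopback interface.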

-C

Requests compression of all data (including stdin, stdout, stderr, and data for forwarded X11, TCP and
UNIX-domain connections).  The compression algorithm is the same used by gzip(1), and the "level" can be
controlled by the CompressionLevel option for protocol version 1.  Compression is desirable on modem lines
and other slow connections, but will only slow down things on fast networks.  The default value can be set
on a host-by-host basis in the configuration files; see the Compression option.
-W host:port

Requests that standard input and output on the client be forwarded to host on port over the secure channel.
Implies -N, -T, ExitOnForwardFailure and ClearAllForwardings, though these can be overridden in the
configuration file or using -o command line options.
