I've been struggling to set up a valid configuration to open a connection with a second machine, passing through another one, and using an id_rsa (which asks me for a password) to connect to the third machine.
I've asked this question in another forum, but I've received no answer that could be considered very helpful.
The problem, better described, goes as follows:
Local machine: user1@localhost
Intermediary machine: user1@inter
Remote target: user2@final
I'm able to do the entire connection using pseudo-tty:
ssh -t inter ssh user2@final
(this will ask me the password for the id_rsa file I have in machine "inter")
However, to speed things up, I'd like to set up my .ssh/config file so that I can simply connect to machine "final" using:
ssh final
What I've got so far — which does not work — is, in my .ssh/config file:
Host inter
    User user1
    HostName inter.com
    IdentityFile ~/.ssh/id_rsa

Host final
    User user2
    HostName final.com
    IdentityFile ~/.ssh/id_rsa_2
    ProxyCommand ssh inter nc %h %p
The id_rsa file is used to connect to the middle machine (this requires no password typing from me), and the id_rsa_2 file is used to connect to machine "final" (this one requests a password).
I've tried mixing up some LocalForward and/or RemoteForward fields, and putting the id_rsa files in both the first and second machines, but I could not seem to succeed with any configuration whatsoever.
P.S.: the thread I've tried to get some help from:
http://www.linuxquestions.org/questions/linux-general-1/proxycommand-on-ssh-config-file-4175433750/
Best Answer
METHOD 1 (use ssh-key on inter)
If you want to retain the authentication flow
This cannot be done with .ssh/config proxyhost.
What you need is a bash shell alias (I hope you are using bash).
In ~/.bashrc, add the following line
In the command prompt, just type the following
The final section in ~/.ssh/config is not used.
Connection Details (1)
ssh -t inter ssh user2@final.com
can be viewed as follows: local is only "talking" to inter. There is no direct or indirect ssh connection between local and final. local is just displaying the output of ssh user2@final.com.
METHOD 2 (use ssh-key on local)
Authentication with same ssh-key
Copy local ~/.ssh/id_rsa.pub to
Connection Details (2)
ssh tunneling
Before we go into detail of ProxyCommand, let's look at the following example
Step 1, on terminal window 1
Step 2, on terminal window 2
In terminal 1, a tunnel is set up between local port 2000 and final.com port 22. Anything sent to local port 2000 will be forwarded to final.com port 22 and vice versa.
In terminal 2, ssh connects to local port 2000, but actually is communicating with final.com port 22, which is the sshd.
With tunneling, the local ssh client in Step 2 is connected with the final.com sshd directly.
The "output" of local port 2000 is "raw" ssh daemon traffic.
Common usage of such a tunnel is to access an internal web server or email server. Following is an example for a web server
In the browser use the following URL
The two end points of the tunnel are local port 2000, and final.com port 80.
Traffic comes in and out of the tunnel end points "AS IS". Let's call that "raw" traffic.
ProxyCommand
The ProxyCommand takes it one step further. It skips the step of creating a local port and connecting to it. An ssh client will execute whatever command is given behind ProxyCommand, and treat the output of that command as "raw" traffic. It is holding onto the local end point, and then starts an ssh connection with it.
Why does one work and the other does not?
The following command
basically means (1) connect to inter, then (2) on inter, run the command nc final.com 22.
So nc final.com 22 will connect to final.com port 22, print out all incoming traffic to stdout, and send all stdin to the other side. It is a "tunnel" between nc stdin/out and final.com port 22.
Since nc is run within the ssh session, all its stdout is passed back to the ssh client as "raw" traffic. And the ssh client can pass traffic into nc stdin, which will end up at final.com port 22.
Through the above "tunnel", the local ssh client will start an ssh session with final.com directly.
The following command
does not work with ProxyCommand because the output of it is not "raw" traffic from an ssh daemon. It is the stdout of an ssh client. Client talking to client means no business.
Authentication with different ssh-key (OP original config)
Copy local ~/.ssh/id_rsa.pub to
Copy local ~/.ssh/id_rsa_2.pub to
Both of the above will enable the following usage
Additional Checking
Use verbose
That should help in identifying the ssh problem.
Check nc
ProxyCommand is executing nc on inter. Check if nc is actually available on inter.
Check rsa key is set up properly
If different keys are to be used for inter and final, the following files should exist on the local machine
Since you can ssh to inter already, check the key setup on final. From your local machine
You should see the content of id_rsa_2.pub there.
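The following is an added example, not part of the question or of the accepted answer. It writes out the two-hop config that METHOD 2 and the "Authentication with different ssh-key" section describe, and turns the "Additional Checking" steps into functions. The host names (inter.com, final.com), user names and key file names come from the question; `ssh -W %h:%p inter` is used in place of `ssh inter nc %h %p` (same relaying job, but `-W` is built into OpenSSH 5.4+ so inter needs no nc), and the temporary file, the `check_*` helper names and the self-check are this example's own assumptions.

```shell
#!/bin/sh
# Added example: generate a two-hop ~/.ssh/config for local -> inter -> final
# and check it offline. Not code from the original answer.

# Emit an ssh_config in which "ssh final" is tunneled through inter.
# $1 = identity for inter, $2 = identity for final (defaults as in the question).
two_hop_config() {
    inter_key=${1:-'~/.ssh/id_rsa'}
    final_key=${2:-'~/.ssh/id_rsa_2'}
    cat <<EOF
Host inter
    User user1
    HostName inter.com
    IdentityFile $inter_key
    IdentitiesOnly yes

Host final
    User user2
    HostName final.com
    # id_rsa_2 stays on the local machine: the ProxyCommand only relays raw
    # bytes to final's sshd, so key authentication happens local <-> final.
    IdentityFile $final_key
    IdentitiesOnly yes
    # Same role as "ssh inter nc %h %p" in the question; "ssh -W" (OpenSSH 5.4+)
    # does the relaying itself, so no nc binary is needed on inter.
    ProxyCommand ssh -W %h:%p inter
EOF
}

# Count the Host stanzas in a config read from stdin (used by the self-check).
count_hosts() {
    grep -c '^Host '
}

# Show how ssh resolves "final" against a given config file without connecting
# (ssh -G, OpenSSH 6.8+): the effective hostname, user, proxycommand and identityfile.
resolve_final() {
    ssh -G -F "$1" final | grep -E '^(hostname|user|proxycommand|identityfile) '
}

# The "Additional Checking" steps from the answer as commands. They need the
# real hosts, so the self-check below does not call them.
check_verbose()      { ssh -v final true; }                                   # "Use verbose"
check_nc_on_inter()  { ssh inter 'command -v nc || echo "nc missing on inter"'; }  # only needed with the nc variant
check_key_on_final() { ssh final 'cat ~/.ssh/authorized_keys'; }              # should list id_rsa_2.pub

# Offline self-check: write the config to a temp file and inspect it.
main() {
    cfg=$(mktemp)
    two_hop_config > "$cfg"
    echo "Host stanzas: $(count_hosts < "$cfg")"
    if command -v ssh >/dev/null 2>&1; then
        resolve_final "$cfg" || echo "ssh -G not available; raw config follows"
        grep -n 'ProxyCommand' "$cfg"
    else
        grep -n 'ProxyCommand' "$cfg"
    fi
    rm -f "$cfg"
}

main
```

Run it to see the generated stanzas and, where `ssh -G` is available, how the client resolves `ssh final` before any connection is made. On OpenSSH 7.3 or newer, `ProxyJump inter` is a shorter equivalent of the `ProxyCommand ssh -W %h:%p inter` line. Either way the local client talks to final's sshd through raw relayed bytes, which is exactly why `ssh inter ssh user2@final` cannot serve as a ProxyCommand: its output is another ssh client's terminal, not daemon traffic.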