SSH – Setting Up SSH Config File with id_rsa Through Tunnel

linuxrsasshssh-tunnel

I've been struggling to set up a valid configuration to open a connection with a second machine, passing through another one, and using an id_rsa (which requests me a password) to connect to the third machine.

I've asked this question in another forum, but I've received no answer that could be considered very helpful.

The problem, better described, goes as follows:

Local machine: user1@localhost
Intermediary machine: user1@inter
Remote target: user2@final

I'm able to do the entire connection using pseudo-tty:

ssh -t inter ssh user2@final

(this will ask me the password for the id_rsa file I have in machine "inter")

However, for speeding things up, I'd like to set my .ssh/config file, so that I can simply connect to machine "final" using:

ssh final

What I've got so far — which does not work — is, in my .ssh/config file:

Host inter
    User user1
    HostName inter.com
    IdentityFile ~/.ssh/id_rsa

Host final
    User user2
    HostName final.com
    IdentityFile ~/.ssh/id_rsa_2
    ProxyCommand ssh inter nc %h %p

The id_rsa file is used to connect to the middle machine (this requires me no password typing), and id_rsa_2 file is used to connect to machine "final" (this one requests a password).

I've tried mixing up some LocalForward and/or RemoteForward fields, and putting the id_rsa files in both first and second machines, but I could not seem to succeed with no configuration whatsoever.

P.S.: the thread I've tried to get some help from:

http://www.linuxquestions.org/questions/linux-general-1/proxycommand-on-ssh-config-file-4175433750/

Best Answer

METHOD 1 (use ssh-key on inter)

If you want to retain the authentication flow

local -- authenticate --> inter -- authenticate (ask password) --> final

This cannot be done with .ssh/config proxyhost.

What you need is bash shell alias (I hope you are using bash).

In ~/.bashrc, add following line

alias ssh-final='ssh -t inter ssh user2@final.com'

In command prompt, just type following

ssh-final

final section in ~/.ssh/config is not used.

Connection Details(1)

ssh -t inter ssh user2@final.com can be view as follow

local# ssh inter
inter# ssh user2@final.com

local is only "talking" to inter. There is no direct or indirect ssh connection between local and final. local is just displaying the output of ssh user2@final.com.

METHOD 2 (use ssh-key on local)

Authentication with same ssh-key

Host inter
    User user1
    HostName inter.example.com

Host final
    User user2
    Hostname <final.com / final IP Address>
    Port 22
    ForwardAgent yes
    ProxyCommand ssh inter nc %h %p

Copy local ~/.ssh/id_ras.pub to

/home/user1/.ssh/authorized_keys in `inter`
/home/user2/.ssh/authorized_keys in `final`

Connection Details(2)

ssh tunneling

Before we go into detail of ProxyCommand, lets look at the following example

Step 1, on terminal window 1

local# ssh inter -L 2000:final.com:22

Step 2, on terminal window 2

local# ssh localhost -p 2000

In terminal 1, a tunnel is setup between local port 2000 and final.com port 22. Anything sent to local port 2000 will be forward to final.com port 22 and vice versa.

In terminal 2, ssh connect to local port 2000, but actually is communicating with final.com port 22, which is the sshd.

With tunneling, local ssh client in Step 2 is connected with final.com sshd directly.

The "output" of local port 2000, is "raw" ssh daemon traffic.

Common usage of such tunnel is to access internal web server or email server. Following is example for web server

local# ssh inter -L 2000:final.com:80

In the browser use following URL

http://localhost:2000

The two end points of the tunnel are local port 2000, and final.com port 80.

Traffic coming in and out of tunnel end point "AS IS". Lets call that "raw" traffic.

ProxyCommand

Host final
    User user2
    Hostname <final.com / final IP Address>
    Port 22
    ForwardAgent yes
    ProxyCommand ssh inter nc %h %p

The ProxyCommand take it one step further. It skip the step of creating a local port and connect to it.

A ssh client will execute what ever command given behind ProxyCommand, and treat the output of that command as "raw" traffic. It is holding onto the local end point, and then start a ssh connection with it.

Why one work the other does not?

The following command

ssh inter nc final.com 22

basically means (1) connect to inter, then (2) on inter, run command nc final.com 22.

nc - arbitrary TCP and UDP connections and listens

So nc final.com 22 will connect to final.com port 22, print out all incoming traffic to stdout, and send all stdin to the other side. It is a "tunnel" between nc stdin/out and final.com port 22.

Since nc is ran within the ssh session, all its stdout is passes back to the ssh client, as "raw" traffic. And the ssh client can pass traffic into nc stdin, which will end up at final.com port 22.

Through the above "tunnel", local ssh client will start a ssh session with final.com directly.

The following command

ssh -t inter ssh user2@final.com

does not work with ProxyCommand because the out of it is not "raw" traffic from a ssh daemon. It is the stdout of a ssh client. Client talk to client means no business.

Authentication with different ssh-key (OP original config)

Host inter
    User user1
    HostName inter.com
    IdentityFile ~/.ssh/id_rsa

Host final
    User user2
    HostName final.com
    IdentityFile ~/.ssh/id_rsa_2
    ProxyCommand ssh inter nc %h %p

Copy local ~/.ssh/id_ras.pub to

/home/user1/.ssh/authorized_keys in `inter`

Copy local ~/.ssh/id_ras_2.pub to

/home/user2/.ssh/authorized_keys in `final`

Both of the above will enable the following usage

local# ssh final

Additional Checking

Use verbose

local# ssh -v final

That should help identifying ssh problem.

Check nc

ProxcyCommand is executing nc on inter. Check if nc is actually available on inter.

local# ssh inter
inter# nc final.com 22

Check rsa key is setup properly

If different keys are to be used for inter and final, following files should exist in local machine

local# ls ~/.ssh
id_rsa id_rsa_2 id_rsa.pub id_rsa_2.pub

Since you can ssh to inter already, check key setup on final. From your local machine

local# ssh -t inter ssh user2@final
final# cat .ssh/authorized_keys

You should see content of id_rsa_2.pub there.

Related Question