Sftp/fish over double hop with different users

sftpssh

I am trying to set a ssh session over a double hop with different users on each hop to transfer files easily via fish/sftp.

my .ssh/config look like

Host middle_server
    User            foo
    Hostname        192.168.xx.xx

Host www.server.org target
    User            bar 
    HostName        www.server.org
    ProxyCommand    ssh middle_server nc %h %p 2> /dev/null

The connection to middle server is secure by rsa key, and direct from the middle server to the target with the bar user.

When I try to connect to the target, I got the following error:

[foo@localhost]$ ssh target
Enter passphrase for key '/home/foo/.ssh/id_rsa':
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).

I can connect with the 2 following methods, so I guess the bar user is not used for the second hop, but I have no idea of what can be the cause.

[foo@localhost]$ ssh middle_server
Enter passphrase for key '/home/foo/.ssh/id_rsa':
[foo@middle_server ~]$ ssh bar@www.server.org
[bar@www ~]$

[foo@localhost]$ ssh -A -t foo@middle_server ssh -A bar@www.server.org
Enter passphrase for key '/home/foo/.ssh/id_rsa':
[bar@www ~]$

Any help will be greatly appreciated, thanks in advance!

Best Answer

When you use ProxyCommand your local machine does the connection to target host. As you want to create the connection from middle to target, you should not use it (or should not use it with nc).

I would not use ForwardAgent since it is not totally secure (the user root on middle machine can encode data using your key using ssh-agent on your local machine).

So, one possible solution is to run ssh command in middle machine to target machine inside your ProxyCommand on local machine. For example:

ssh bar@doesnt_matter_host_here -o ProxyCommand='ssh foo@middle_server "ssh bar@www.server.org nc localhost 22"'

You can configure a host called "www_over_middle" with this ProxyCommand on your ~/.ssh/config:

Host www_over_middle
    User bar
    ProxyCommand ssh foo@middle_server "ssh bar@www.server.org nc localhost 22"

And then:

ssh www_over_middle

Related Solutions

SFTP – How to Perform Over Double Server Hop

In essence, without the GUI or other conveniences:

ssh -o ProxyCommand='ssh myfirsthop nc -w 10 %h %p' mydestination

You can make this default by editing the config file, by default ~/.ssh/config

Host mydestination, mydest2, mydest3
ProxyCommand ssh myfirsthop nc -w 10 %h %p

This then allows you to do

ssh mydestination
scp mydest2:file.txt ./
scp file.txt mydest3:/tmp/

Of course, with that kind of magic you can easily

mkdir -pv /tmp/mydest3tmp          # create mountpoint
sshfs mydest3:/tmp /tmp/dest3tmp/  # mount :)

On windows, you'd use WinSCP which comes with (I think IIRC) PLINK (from Putty suite). I suppose the default location for the ssh config file is different (I'd have to google for it), but I'm sure it works more or less the same.

Note that the only thing you need for this to work is 'netcat (nc)' on the middle server (first hop). It is an ubiquitous tool on linux/UNIX[1]; It is quite easy to build a statically linked version that should work if you can copy it there in the first place.

[1] note that there are some flavours, so the -w option might need to be dropped/spelled differently

Linux – Did I just send the private ssh key

No, you didn't send your private key. What SSH does here is just group the public and private keys by their name. For example, id_rsa refers to the keypair id_rsa and id_rsa.pub.

"Offering public key" means that it sends your id_rsa.pub to the server. The server then generates an encrypted auth token using the public key.

When it says "trying private key", it will try to decrypt that authentication token with the corresponding private key, and send that back to the server for verification.

Best Answer

Related Solutions

SFTP – How to Perform Over Double Server Hop

Linux – Did I just send the private ssh key

Related Question