Using the SSH ProxyCommand directive in the client ~/.ssh/config file it is possible to connect to a SSH server through a different SSH server acting as a jump host.
Is there a similar configuration for the SSH server side? E.g., when the user logs on to a jump machine with a certain authorized key, I want this SSH connection to be automatically forwarded to another machine also running sshd.
Best Answer
You can specify a command that is executed whenever someone logs in using a ssh key.
Edit the file ~/.ssh/authorized_keys. Prepend every key you want to forward with command="ssh user@target".
This has to be done for every user. Since this is done using a user configuration file, every user may change this. If you trust your users (or you are the only user) then this is ok. You can also prevent users from changing this by not giving them any other means to access the shell on this machine.
For more information read the sshd man page. Search for the AUTHORIZED_KEYS FILE FORMAT section, and then for command="command".
Alternatively: you can force a command using a ForceCommand in /etc/ssh/sshd_config. This option is more secure as it is enforced by sshd, and only users with root privileges can change that.
For more information read the sshd_config man page. Search for ForceCommand.
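Both options from the answer above, written out as an added configuration example that is not part of the original answer. The account name alice, the key blob and the /etc/ssh/authorized_keys/%u location are assumptions, and the jump account is assumed to hold its own credentials for the target. A forced command by itself does not stop the client from requesting port, agent or X11 forwarding, so each variant is shown with that closed as well.

```conf
# ---------------------------------------------------------------
# Option 1: per-key forced command in authorized_keys (one line per key)
# ---------------------------------------------------------------

# Weak: the command is forced, but the client may still request
# TCP/agent/X11 forwarding through the jump host.
command="ssh user@target" ssh-ed25519 AAAA_PLACEHOLDER_KEY_BLOB alice@laptop

# Tighter: "restrict" turns off forwarding, PTY allocation and ~/.ssh/rc;
# "pty" re-enables only the terminal needed for an interactive hop.
restrict,pty,command="ssh user@target" ssh-ed25519 AAAA_PLACEHOLDER_KEY_BLOB alice@laptop

# ---------------------------------------------------------------
# Option 2: enforced by sshd in /etc/ssh/sshd_config on the jump host
# ---------------------------------------------------------------

# Applies to every login of this account, whichever key is used.
Match User alice
    ForceCommand ssh user@target
    AllowTcpForwarding no
    AllowAgentForwarding no
    X11Forwarding no
    PermitTunnel no
    # Keep the key file in a root-owned directory (assumed path) so the
    # user cannot edit the command= option out of Option 1.
    AuthorizedKeysFile /etc/ssh/authorized_keys/%u
```

Run sshd -t to check the edited sshd_config for syntax errors before reloading the daemon. The command the client originally asked for is available to the forced command in the SSH_ORIGINAL_COMMAND environment variable.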