Ssh – Correct ssh config file settings to tunnel to a 3rd machine


I'm trying to tunnel to a server via a bridge server. So far, I've been able to get it working from the command shell properly using the following command:

ssh -A -t bridge_userid@bridgemachine.com ssh -A remote_userid@remoteserver.com

But I've been trying to wrap this into my ~/.ssh/config file and I'm having trouble. I've tried:

Host axp
  User          remote_userid
  HostName      remoteserver.com
  IdentityFile  ~/.ssh/id_rsa.eric
  ProxyCommand ssh -A -t bridge_userid@bridge_userid.com ssh -A remote_userid@%h

But when I do, I get the following error message from remoteserver.com and I'm not sure what is causing it:

ksh: SSH-2.0-OpenSSH_6.8^M: not found

I know that when I log into remoteserver.com, my shell is /usr/bin/ksh.

I've tried to add path arguments to the ssh commands in the config file, but it made no difference.

Any ideas what it can be?

Best Answer

Jakuje's answer is right, but since OpenSSH 7.3, you can now use -J ProxyJump which is easier. See my notes:

OpenSSH 7.3 or above

Use ProxyJump. As explained in the manual:

-J [user@]host[:port]
Connect to the target host by first making an ssh connection to the jump host and then establishing a TCP forwarding to the ultimate destination from there. Multiple jump hops may be specified separated by comma characters. This is a shortcut to specify a ProxyJump configuration directive.

ProxyJump ~/.ssh/config example

~/.ssh/config

Host server1
  Hostname server1.example.com
  IdentityFile ~/.ssh/id_rsa

Host server2_behind_server1
  Hostname server2.example.com
  IdentityFile ~/.ssh/id_rsa
  ProxyJump server1

Connect with

ssh server2_behind_server1 -v

Add -v for verbose output

ProxyJump -J Command line example

~/.ssh/config

Host server1
  Hostname server1.example.com
  IdentityFile ~/.ssh/id_rsa

Host server2
  Hostname server2.example.com
  IdentityFile ~/.ssh/id_rsa

Connect with

ssh server2 -J server1 -v

Or use -o

ssh server2 -o 'ProxyJump server1' -v

OpenSSH 5.4 or above

Use ProxyCommand with -W

~/.ssh/config

Host server1
  Hostname server1.example.com
  IdentityFile ~/.ssh/id_rsa

Host server2
  Hostname server2.example.com
  IdentityFile ~/.ssh/id_rsa
  ProxyCommand ssh server1 -W %h:%p

Connect with

ssh server2 -v

Or use -o

ssh server2 -o 'ProxyCommand ssh server1 -W %h:%p' -v

OpenSSH below 5.4

~/.ssh/config

Host server1
  Hostname server1.example.com
  IdentityFile ~/.ssh/id_rsa

Host server2
  Hostname server2.example.com
  IdentityFile ~/.ssh/id_rsa
  ProxyCommand ssh server1 nc %h %p 2> /dev/null

Connect with:

ssh server2 -v

Or use -o

ssh server2 -o 'ProxyCommand ssh server1 nc %h %p 2> /dev/null' -v

Sources

-J added in OpenSSH 7.3

  • ssh(1): Add a ProxyJump option and corresponding -J command-line flag to allow simplified indirection through a one or more SSH bastions or "jump hosts".

-W added in OpenSSH 5.4

  • Added a 'netcat mode' to ssh(1): "ssh -W host:port ..." This connects stdio on the client to a single port forward on the server. This allows, for example, using ssh as a ProxyCommand to route connections via intermediate servers. bz#1618
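
The version cut-offs listed in the answer above can be checked mechanically. The following is an added example, not part of the original answer: a shell helper that reads an `ssh -V` style banner from the local client and prints the matching jump-host line. The function names are hypothetical, and `server1` is the jump host alias used in the configs above.

```shell
#!/bin/sh
# Added example: pick the jump-host directive for the local OpenSSH client.
# Function names are hypothetical; "server1" is the alias from the answer.

# Extract "MAJOR.MINOR" from a banner such as "OpenSSH_6.8p1, LibreSSL 2.1".
# Prints nothing when the banner is not recognised.
openssh_version() {
    printf '%s\n' "$1" |
        sed -n 's/^OpenSSH_[^0-9]*\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1.\2/p'
}

# Succeed when version $1 (MAJOR.MINOR) is at least $2.$3.
version_at_least() {
    major=${1%%.*}
    minor=${1#*.}
    [ "$major" -gt "$2" ] || { [ "$major" -eq "$2" ] && [ "$minor" -ge "$3" ]; }
}

# Print the ssh_config line for reaching a host through jump host $2,
# given the client version banner $1.
jump_directive() {
    ver=$(openssh_version "$1")
    if [ -z "$ver" ]; then
        echo "unrecognised version banner: $1" >&2
        return 1
    fi
    if version_at_least "$ver" 7 3; then
        printf 'ProxyJump %s\n' "$2"                              # -J / ProxyJump
    elif version_at_least "$ver" 5 4; then
        printf 'ProxyCommand ssh %s -W %%h:%%p\n' "$2"            # netcat mode
    else
        printf 'ProxyCommand ssh %s nc %%h %%p 2> /dev/null\n' "$2"  # needs nc on the jump host
    fi
}

# Stand-alone use: "sh thisfile --local [jumphost]".
# ssh -V writes its banner to stderr, hence 2>&1.
if [ "${1:-}" = "--local" ]; then
    jump_directive "$(ssh -V 2>&1)" "${2:-server1}"
fi
```
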