I'm starting from a suggestion to use jvisualVM via SOCKS. However, I have a somewhat complex topology.
Starting from my laptop, I have two intermediate hosts to get through to reach the machine I wish to observe.
LaptopAtHome -> HostAtWork -> AWS-Bastion -> ThingToObserve
I can use ssh-add to handle the keys needed to make those hops. I am not supposed to leave any SSH private keys on the AWS-Bastion. How do I set all this up so that:
ssh -v -D 9696 thingtobserve.example.com
opens the wormhole from my laptop to the other end?
Also note that I need to use a different private key for the first hop than for the second and third. I have both keys loaded on the starting host with ssh-add.
Some research led me to try:
#!/bin/sh
noknown="-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"
ssh -A -t -t -v -L9999:localhost:9932 first ssh -A $noknown -t ec2-user@bastion ssh -A $noknown -t -D 9932 ec2-user@target
This fails with 'permission denied'.
I tried a simple first step:
ssh -t -v -A first ssh -A -t -v $noknown ec2-user@bastion
and the log shows that the extra keys from the agent aren't being presented to 'bastion'. ssh -L shows them on my starting point.
EDIT
It turns out that part of the problem here is that one of the hosts at my office that I was trying to use as the first hop destination has some mysterious problem. If I switch to another, I can get a shell just fine, all the way across. What I can't get is a socks proxy.
A comment on the question suggests that multi-hopping a socks proxy is, in fact, conceptually hard, and so that's the real question of this question.
EDIT 2
This page makes a claim about multi-hop socks, but it looks to me as if there might be a typo in the port numbers; I'm experimenting.
Best Answer
I wouldn't try to use a multihop proxy; instead, use the intermediate host as an SSH relay for accessing the bastion. From there you can set up your SOCKS proxy.
Configure access to the host at work
First configure access to host-at-work:
Configure access to the bastion
Then we configure the access to the bastion. We use host-at-work as an SSH relay for connecting to the bastion:
Now you should be able to connect to bastion using:
Setting up a SOCKS proxy
Now that you can connect to bastion, you can set up the SOCKS proxy:
Want to connect to the last host on SSH?
Then you want to ask SSH to use the bastion as a relay:
You should then be able to:
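Added example, not part of the original answer: one way to write the relay chain described above as a client-side ~/.ssh/config on the laptop, using a different agent-held key for the first hop and no agent forwarding, so no key material is ever usable from the bastion. The host-at-work hostname and user, the bastion hostname, and the key file names are assumptions; ProxyJump needs OpenSSH 7.3 or later.

```sshconfig
# ~/.ssh/config on LaptopAtHome (added example; names marked "assumed"
# are placeholders, not values from the original post)

# Hop 1: office host, authenticated with the first key.
# IdentityFile points at the PUBLIC key file; ssh then asks ssh-agent
# for the matching private key that was loaded with ssh-add.
Host host-at-work
    # assumed hostname and user
    HostName host-at-work.example.com
    User me
    # assumed key file name
    IdentityFile ~/.ssh/work_key.pub
    IdentitiesOnly yes
    ForwardAgent no

# Hop 2: bastion, reached through host-at-work.
# The TCP stream is relayed by hop 1, but authentication runs end to end
# from the laptop, so the bastion login never depends on -A.
Host bastion
    # assumed hostname
    HostName bastion.example.com
    User ec2-user
    ProxyJump host-at-work
    # assumed key file name (second key, used for hops 2 and 3)
    IdentityFile ~/.ssh/aws_key.pub
    IdentitiesOnly yes
    ForwardAgent no

# Hop 3: the machine to observe, reached through the bastion.
Host target
    HostName thingtobserve.example.com
    User ec2-user
    ProxyJump bastion
    IdentityFile ~/.ssh/aws_key.pub
    IdentitiesOnly yes
    ForwardAgent no
    # Uncomment to always open the SOCKS listener on the laptop:
    # DynamicForward 9696

# On clients older than OpenSSH 7.3, replace each ProxyJump line with
# the equivalent relay form, for example under "Host bastion":
#     ProxyCommand ssh -W %h:%p host-at-work
```

With this file, ssh -v -D 9696 target opens the SOCKS listener on the laptop and the traffic exits at the target. Every hop's host key is checked against the laptop's own known_hosts, so the UserKnownHostsFile=/dev/null and StrictHostKeyChecking=no options from the question are not needed.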