Ssh – Multi-hop socks proxy, how to

Tags: ssh, ssh-tunneling

I'm starting from a suggestion to use jvisualVM via SOCKS. However, I have a somewhat complex topology.

Starting from my laptop, I have two intermediate hosts to get through to reach the machine I wish to observe.

LaptopAtHome -> HostAtWork -> AWS-Bastion -> ThingToObserve

I can use ssh-add to handle the keys needed to make those hops. I am not supposed to leave any SSH private keys on the AWS-Bastion. How do I set all this up so that:

ssh -v -D 9696 thingtobserve.example.com

opens the wormhole from my laptop to the other end?

Also note that I need to use a different private key for the first hop than for the second and third. I have both keys loaded on the starting host with ssh-add.

Some research led me to try:

#!/bin/sh

# Skip host-key checks on the intermediate hops (as in the original script)
noknown="-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"

# Hop 1 (laptop -> first): forward local port 9999 to first's port 9932,
# then run hop 2 on first, which runs hop 3 on bastion; hop 3 is where the
# SOCKS listener on port 9932 is opened.
ssh -A -t -t -v -L9999:localhost:9932 first ssh -A $noknown -t ec2-user@bastion ssh -A $noknown -t -D 9932 ec2-user@target

This fails with 'permission denied'.

I tried a simple first step:

ssh -t -v -A first ssh -A -t -v $noknown ec2-user@bastion

and the log shows that the extra keys from the agent aren't being presented to 'bastion'. ssh-add -L shows them on my starting point.

EDIT

It turns out that part of the problem here is that one of the hosts at my office that I was trying to use as the first hop destination has some mysterious problem. If I switch to another, I can get a shell just fine, all the way across. What I can't get is a socks proxy.

A comment on the question suggests that multi-hopping a socks proxy is, in fact, conceptually hard, and so that's the real question of this question.

EDIT 2

This page makes a claim about multi-hop SOCKS, but it looks to me as if there might be a typo in the port numbers; I'm experimenting.

Best Answer

I wouldn't try to use a multi-hop proxy, but rather use the intermediate host as an SSH relay for accessing the bastion. From there you can set up your SOCKS proxy.

Configure access to the host at work

First configure access to host-at-work:

Host host-at-work
User myself

Configure access to the bastion

Then we configure the access to the bastion. We use host-at-work as a SSH relay for connecting to the bastion:

Host bastion
User myself
# Connect to host-at-work and forward stdin/stdout to bastion:22
ProxyCommand ssh host-at-work -W bastion:22

Now you should be able to connect to bastion using:

ssh bastion

Setting up a SOCKS proxy

Now that you can connect to bastion, you can setup the SOCKS proxy:

ssh bastion -D 9932 -N

Want to connect to the last host on SSH?

Then you want to ask SSH to use the bastion as a relay:

Host thing-to-observe
User myself
# Connect to bastion (itself relayed via host-at-work) and forward to thing-to-observe:22
ProxyCommand ssh bastion -W thing-to-observe:22

You should then be able to:

ssh thing-to-observe
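The answer's three hosts pulled into one ~/.ssh/config, together with the question's requirement of a different key for the first hop, as an added example that is not part of the original answer. The host names, key file names and user names are assumptions.

```sshconfig
# Added example (not from the answer): all three hops in one ~/.ssh/config.

# Hop 1: laptop -> host at work, authenticated with its own key.
# IdentitiesOnly stops ssh from offering every key held by the agent here.
Host host-at-work
    # assumed host name
    HostName host-at-work.example.com
    User myself
    # assumed key, used for the first hop only
    IdentityFile ~/.ssh/id_work
    IdentitiesOnly yes

# Hop 2: relay through host-at-work to the bastion. The bastion's key is
# read and used on the laptop; nothing is stored on the bastion itself.
Host bastion
    # assumed host name
    HostName bastion.example.com
    User ec2-user
    # assumed key for hops 2 and 3
    IdentityFile ~/.ssh/id_aws
    IdentitiesOnly yes
    ProxyCommand ssh -W %h:%p host-at-work

# Hop 3: relay through the bastion to the host being observed.
Host thing-to-observe
    # name taken from the question
    HostName thingtobserve.example.com
    User ec2-user
    IdentityFile ~/.ssh/id_aws
    IdentitiesOnly yes
    ProxyCommand ssh -W %h:%p bastion
```

With this in place, `ssh -N -D 9696 thing-to-observe` opens the SOCKS listener on the laptop, tunnelled through both relays; agent forwarding (-A) is not needed because every hop authenticates from the laptop.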