SSH ProxyJump with key on jump host

ssh

I'm trying to connect to a server through a jump host. I usually do this by first logging in to the jump host and using a key which is deposited there to log in to the server. Agent forwarding is disabled to the jump host.
I've found a shorthand which works:

ssh -t jump ssh server

But I'd like to make use of ProxyJump in .ssh/config.

Whenever I add a directive, it seems like it's trying to log in to the server with the key on my client and not the key on the jump host. How can I change that?

Best Answer

This is how the ProxyJump works -- it logs you to the first host, initiates IO forwarding and then logs you to the second host with the credentials in your local machine. This is the safer way since your credentials never leave your machine nor does the agent forwarded socket.

Move the key from the jumpbox to your machine or set up the authentication on the second host to accept your local credential/keys.

There is no simple way around that since the openssh developers are not interested in promoting bad security practices.

Related Solutions

SSH host key keeps changing

This is definitely not normal. Given your symptoms, I think you're experiencing an IP address conflict. There are two machines on your network with the same IP address, and one of them is the server you're trying to reach. Sometimes you're reaching the expected machine and all is well. Sometimes you're reaching another machine which has a different SSH key and your connection is rejected.

When there's an IP address conflict, it's common that a router locks in the route to one IP address until a cache expires, then queries the route again and updates it to match whoever responds first, producing somewhat random results. There's nothing preventing the switchover from happenning in the middle of a TCP connection.

Sophisticated routers raise an alert when IP conflicts happen, so your network administrator may already be tracking this. If you're root your server, you can resolve it by picking an unassigned IP address. If you're getting your IP address through DHCP, contact the DHCP administrator.

SSH LocalForward — Jumping Hosts

This ~/.ssh/config will ProxyJump through jump to the target, and bind a port all the way to target:

Host jump
  HostName      <server-ip>
  User          user-name
  IdentityFile  ~/.ssh/key.pem
  LocalForward  8888 localhost:8888
Host target
  HostName      <server-ip>
  User          user-name
  IdentityFile  ~/.ssh/key.pem
  ProxyJump     jump
  LocalForward  8888 localhost:8888

Usage:

ssh target

ssh -v target # see verbose debugging

Best Answer

Related Solutions

SSH host key keeps changing

SSH LocalForward — Jumping Hosts

Related Question