I want to ssh to a remote private host using an intermediate (bastion, jump, gateway) server. This command works fine:
ssh gateway ssh private
With this ~/.ssh/config setup:
Host gateway
User gateway-user
HostName XX.XX.XX.XX
RequestTTY force
How can I implement this in my ~/.ssh/config? I've tried numerous iterations of ProxyCommand with no luck. I want to use the identity file located on gateway host to access private hosts. I want to be able to do:
ssh private
I am aware of the technique described here, but it requires my public key to be on all the private hosts, which I don't want:
http://www.lorrin.org/blog/2014/01/10/one-liner-ssh-via-jump-box-using-proxycommand/
Answer
First, configure your ssh keys on the gateway so you can ssh to private. Then on your client, create a separate private/public key pair that you use to authenticate on the gateway. E.g. ssh-keygen -t rsa -f id_gateway.
Then on the gateway, use the command= syntax in your authorized_keys file. For example, your entry might look like this:
command="sh -c 'ssh private ${SSH_ORIGINAL_COMMAND:-}'" ssh-rsa AAAAB3....
Search the sshd manpage for command="command" for more info. Be sure to add the id_gateway.pub key to this line. Then in your .ssh/config on your client, add an entry like this:
Host private
User gateway-user
Hostname xxx.xxx.xxx.xxx
IdentitiesOnly yes
IdentityFile ~/.ssh/id_gateway
Now, from your client you should be able to ssh private and get directly in. This even works for scp and sftp.
Extra Credit
If you want to use this for multiple servers, but only want to manage one public key on the gateway, you can use the following trick. sshd by default only allows certain variables to be received from the local environment. One of these is LC_PAPER, which is rarely used for anything. So we can use it to pass the server's hostname as follows:
First, change the public key entry to
command="sh -c 'ssh $LC_PAPER ${SSH_ORIGINAL_COMMAND:-}'" ssh-rsa AAAAB3...
Then on your client, add a function to your .bashrc file (or whatever shell you use) that looks like this:
ssh_proxy() {
    # the first argument must be the Host alias; it goes into LC_PAPER, and
    # "$@" (not $*) passes every argument through with its quoting intact
    LC_PAPER=$1 /usr/bin/ssh "$@"
}
Then make an alias, if you want:
alias ssh=ssh_proxy
Finally, add Host sections to your .ssh/config like the one shown above. For example:
Host private2
User gateway-user
Hostname xxx.xxx.xxx.xxx
IdentitiesOnly yes
IdentityFile ~/.ssh/id_gateway
Now you should be able to do ssh private and ssh private2 with just the one public key on the gateway.
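The gateway side of both recipes above (the single fixed target and the LC_PAPER multi-target trick), as an added example that is not part of the original answer: a wrapper script to use as the forced command in place of the inline sh -c one-liner. It checks the requested target against an allowlist before handing it to ssh, because an unchecked $LC_PAPER is also a place to smuggle ssh options such as -oProxyCommand=..., which would turn the restricted key into a way to run arbitrary commands on the gateway, and it forwards SSH_ORIGINAL_COMMAND as a single argument so scp/sftp invocations reach the target unchanged. The install path /usr/local/bin/jump-wrapper, the target names private and private2, and the SendEnv/AcceptEnv lines for LC_PAPER are assumptions (the client has to send the variable and sshd has to accept it; Debian-derived builds ship LC_* in both lists, upstream OpenSSH does not).

```shell
#!/bin/sh
# jump-wrapper: forced-command dispatcher for the gateway's authorized_keys.
# Added example, not from the original answer. Assumed install path is
# /usr/local/bin/jump-wrapper, referenced from authorized_keys like this
# (key material elided):
#
#   command="/usr/local/bin/jump-wrapper",no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-rsa AAAA...
#
# no-pty is deliberately not set: an interactive login needs the pty on the
# gateway so the inner ssh asks the target for one too.
#
# Assumed client Host entry (SendEnv is what ships LC_PAPER to the gateway):
#
#   Host private
#       User gateway-user
#       Hostname xxx.xxx.xxx.xxx
#       IdentitiesOnly yes
#       IdentityFile ~/.ssh/id_gateway
#       SendEnv LC_PAPER
#
# and sshd_config on the gateway needs "AcceptEnv LC_PAPER" (assumed).

# Names this key is allowed to reach (assumed). Entries may be hostnames or
# aliases from gateway-user's ~/.ssh/config.
ALLOWED_TARGETS="private private2"

# validate_target NAME: succeed only if NAME is a plain hostname-style token
# (letters, digits, dots, dashes), does not begin with "-" (which ssh would
# parse as an option), and is on the allowlist.
validate_target() {
    case "$1" in
        '' | -* | *[!A-Za-z0-9.-]*) return 1 ;;
    esac
    for allowed in $ALLOWED_TARGETS; do
        [ "$1" = "$allowed" ] && return 0
    done
    return 1
}

# jump_main: connect to the validated target from LC_PAPER. The original
# command, if any, is passed as one argument so the target's shell sees the
# exact string (e.g. the scp -t or sftp-server invocation). JUMP_SSH_BIN only
# exists so the dispatch can be exercised with a stub instead of real ssh.
jump_main() {
    target=${LC_PAPER:-}
    if ! validate_target "$target"; then
        printf 'jump-wrapper: refused target "%s"\n' "$target" >&2
        exit 255
    fi
    if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
        exec "${JUMP_SSH_BIN:-ssh}" -- "$target" "$SSH_ORIGINAL_COMMAND"
    fi
    exec "${JUMP_SSH_BIN:-ssh}" -- "$target"
}

# Dispatch only when executed under the installed name, so the file can be
# sourced (for tests) without opening a connection.
case "${0##*/}" in
    jump-wrapper) jump_main ;;
esac
```

With this in place the single-target entry from the first part of the answer is just the allowlist with one name, and the only thing the key holder controls is which allowlisted name ssh is pointed at. If you later want an argument other than the target to pass through, add it to the allowlist logic rather than loosening the character check.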