Re: Multi Hopping by sshserver proxy with different keys


If I understand your request fully...

I'll give you some info for OpenSSH (which you could use via Cygwin
on your Windows client), but I don't know if PuTTY has similar
capability. (Clearly, you've discovered plink.exe can do similar
things.) (While this info may not apply directly to your problem, I
figure it'll be of general interest.)

Host bastion
IdentityFile ~/.ssh/bastionkey
User bastionuser

Host target
IdentityFile ~/.ssh/targetkey
User targetuser
ProxyCommand ssh bastion nc target 22

If you have both keys on the client, a

ssh target

will "do the right thing(tm)" here by finding the target directive,
indirectly resolving to a bastion connection using the bastion key,
then piggy-backing on the established bastion connection's netcat
link to the target and applying the target key.

OpenSSH 5.5 or so has a builtin 'netcat'-like facility using
'-W target:port'. I haven't started using that yet, as my normal
systems (Debian Lenny) don't have that version.

Here's some hackery I have in my ~/.ssh/config file:

# Multi-(user+host) arbitrary gateway hopping
# usera%hosta!userb%hostb[!userc%hostc...]
# STILL requires using '-l userd' for destination user on command line (i.e. we ignore last
# user in specification)
# e.g. ssh -l root sdowdy@zia!root@umds0-vgw
Host *!*
GatewayPorts no
ProxyCommand $(h="%h";p="%p";ruh=${h##*\!};rh=${ruh##*\%%};ru=${ruh%%\%%*};ru=${ru:-${USER}};luh=${h%%\!*};lh=${luh##*\%%};lu=${luh%%\%%*};lu=${lu:-${USER}};echo ssh -l ${lu} ${lh} "\`type -p netcat nc | head -1\` ${rh} 22")
# h=host, p=port (expanded by openssh cmdline)
# ruh,rh,ru=remote user+host, remote host, remote user (successively pulled off right-hand-side)
# luh,lh,lu=local user+host, local host, local user (pulled off left-hand-side)
This directive allows you, if you use a Bourne shell/POSIX shell, to
hop via an arbitrary number of [user@]host[!...] connections via
iterative deconstruction of the target specified within OpenSSH.
If you have any required keys in your client ssh-agent, they'll be
appropriately applied down the chain. (Be careful of shell
meta-character expansion of '!' -- I chose that after initially
having chosen '::' as the gateway delimiter (DECnet-style
poor man's routing), and finding that while it worked for 'ssh',
it DOESN'T work for scp. '!' works for both ssh and scp.
You can use some other separator like "_", which isn't valid

The `type -p netcat nc | head -1` is simply used to work on SLES
and *every other* Linux distro, since SLES uses 'netcat' (nc on SLES
is something else). That whole thing can be replaced with simply
'nc' if you don't need to deal with SLES. (And that's the primary
requirement for a Bourne-alike shell.)

If I'm using the "bastion" (gateway) host frequently for multiple
connections (I have a number of systems that have a backend RFC1918
network of compute nodes or data servers), I may use ControlMasters:

Host gw1-* gw2-*
User blah
NumberOfPasswordPrompts 1
ConnectTimeout 60
ControlMaster auto
ControlPath ~/.ssh/%r@%h:%p.sock

That way, I only authenticate once on the gateway host and use that
ControlMaster connection as the piggyback for subsequent connections
to that gateway and any hosts residing behind it. This is mainly
useful on systems where I'm required to enter a password, instead
of using authorized-key trust.


Stephen Dowdy - Systems Administrator - NCAR/RAL
303.497.2869 - sdowdy@xxxxxxxx -
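A recursive variant of the '!'-spec ProxyCommand from the post above, written as a separate sh script so each step is readable (an added example, not Stephen's own config): it peels one hop per invocation, so a spec with three or more hops actually traverses every intermediate host rather than jumping from the leftmost to the rightmost, and it uses the '-W' stdio forward mentioned in the post instead of a remote netcat. The script path ~/.ssh/hop.sh, the function name next_hop_cmd and the host names in the comments are assumptions; the 'user%host!user%host' syntax and the ignored-last-user convention are the post's.

```shell
#!/bin/sh
# Recursive multi-hop ProxyCommand helper (added example, not from the post).
# Spec syntax follows the post: usera%hosta!userb%hostb[!...!userN%hostN].
# Connecting to "X!u%h" means "connect to h through X"; X itself still
# matches Host *!*, so every hop is opened by the LOCAL ssh with the local
# agent keys. Uses -W (OpenSSH 5.4+) rather than a remote netcat. The last
# user in the spec is ignored, as in the post: give it with -l on the
# command line. Assumed install: ~/.ssh/hop.sh, wired into ~/.ssh/config as
#   Host *!*
#       ProxyCommand sh ~/.ssh/hop.sh %h %p

# next_hop_cmd SPEC PORT: print the ssh command that relays stdio to the
# final host:PORT via the previous hop. Returns 1 on a malformed spec.
next_hop_cmd() {
    spec=$1; port=$2
    # %h ends up on a shell command line, so refuse anything the shell
    # could interpret (quotes, $, backticks, ;, |, ...) before it gets there.
    case $spec in
        *[!A-Za-z0-9.%!_-]*|'') return 1 ;;
    esac
    case $spec in *!*) ;; *) return 1 ;; esac   # need at least one hop
    last=${spec##*!}            # rightmost user%host (final destination)
    dest=${last##*\%}           # its host
    rest=${spec%!*}             # everything left of the last '!'
    prev=${rest##*!}            # the hop we connect to now
    user=${prev%%\%*}           # its user, if one was given
    [ "$user" = "$prev" ] && user=''   # no '%' present: no user given
    case $rest in
        *!*) hop=$rest ;;                # still multi-hop: recurse via *!*
        *)   hop=${rest##*\%} ;;         # base case: plain hostname
    esac
    printf 'ssh %s-W %s:%s %s\n' "${user:+-l $user }" "$dest" "$port" "$hop"
}

# When run as a script (from ProxyCommand), open the relay.
if [ $# -eq 2 ]; then
    cmd=$(next_hop_cmd "$1" "$2") || { echo "hop.sh: bad host spec: $1" >&2; exit 1; }
    exec $cmd
fi
```

OpenSSH 9.6 and later refuse to run a ProxyCommand for a hostname containing shell metacharacters, so on those versions neither this script nor the one-liner in the post will be invoked at all; on older versions the character check in next_hop_cmd guards the same hazard.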
