Jan 102014
 

There are quite a few posts out there on how to make multi-hop SSH easier. Often this is called SSH’ing via jump box or proxy host.

Most of them work via netcat (nc), which is a bit finicky. A better, less mentioned, option is the SSH’s -W flag. Implemented in your ~/.ssh/config, it looks like this:

Host my_server
  IdentityFile server_key.pem
  HostName 172.31.4.82
  User username
  ProxyCommand ssh -i key_for_jumpbox.pem -W %h:%p jumpbox_user@jump.box.host

Now just ssh my_server and you’re off to the races! For a quick-n-dirty one-liner without editing your SSH config, it looks like this:

ssh -i server_key.pem -o "ProxyCommand ssh -W %h:%p -i key_for_jumpbox.pem jumpbox_user@jump.box.host" username@172.31.4.82

A very clever solution described on the Gentoo Wiki enables a simple syntax: ssh host1+host2. But it gets uglier with differing usernames: ssh user1%host1+host2 -l user2. Also it uses netcat rather than -W and doesn’t appear to play nicely with needing to specify key files with -i. A little monkeying could solve those problems. A project for a future day.

On a another note, I find it useful to alias ssh_unsafe and scp_unsafe as follows:

alias ssh_unsafe="ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"
alias scp_unsafe="scp -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"

Handy when connecting to a box for which you do not care to remember or verify the host key.

  2 Responses to “One-liner SSH via jump box using ProxyCommand”

  1. Thanks! That helped me.

    One thing I was confused about was the key files. I wasn’t sure which files are stored on which machines – the jumper box, or workstation. I already had added my public key (id_rsa.pub) from my workstation to my authorized_keys on the workstation, and the public key from my account on the jumper box to my authorized_keys on the destination server. Then I left out mention of key files in the config block you provided. At first I was getting

    Permission denied (publickey).
    Killed by signal 1.

    But then I appended my workstation id_rsa.pub to my authorized_keys on the destination server, and now it works for me.
    Thanks again.

     
  2. This was a HUGE help for me just now. Thanks!

     

 Leave a Reply

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

(required)

(required)

Post comment

What is Persona?