There are quite a few posts out there on how to make multi-hop SSH easier. Often this is called SSH’ing via jump box or proxy host.<\/p>\n
Most of them work via netcat ( Now just A very clever solution<\/a> described on the Gentoo Wiki enables a simple syntax: On a another note, I find it useful to alias Handy when connecting to a box for which you do not care to remember or verify the host key.<\/p>\n","protected":false},"excerpt":{"rendered":" There are quite a few posts out there on how to make multi-hop SSH easier. Often this is called SSH’ing via jump box or proxy host. Most of them work via netcat (nc), which is a bit finicky. A better, less mentioned, option is the SSH’s -W flag. Implemented in your ~\/.ssh\/config, it looks like […]<\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[1],"tags":[89,88],"_links":{"self":[{"href":"https:\/\/www.lorrin.org\/blog\/wp-json\/wp\/v2\/posts\/311"}],"collection":[{"href":"https:\/\/www.lorrin.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.lorrin.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.lorrin.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.lorrin.org\/blog\/wp-json\/wp\/v2\/comments?post=311"}],"version-history":[{"count":3,"href":"https:\/\/www.lorrin.org\/blog\/wp-json\/wp\/v2\/posts\/311\/revisions"}],"predecessor-version":[{"id":314,"href":"https:\/\/www.lorrin.org\/blog\/wp-json\/wp\/v2\/posts\/311\/revisions\/314"}],"wp:attachment":[{"href":"https:\/\/www.lorrin.org\/blog\/wp-json\/wp\/v2\/media?parent=311"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.lorrin.org\/blog\/wp-json\/wp\/v2\/categories?post=311"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.lorrin.org\/blog\/wp-json\/wp\/v2\/tags?post=311"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}nc<\/code>), which is a bit finicky<\/a>. A better, less mentioned, option is the SSH’s -W<\/code> flag. Implemented in your ~\/.ssh\/config<\/code>, it looks like this:<\/p>\n\r\nHost my_server\r\n IdentityFile server_key.pem\r\n HostName 172.31.4.82\r\n User username\r\n ProxyCommand ssh -i key_for_jumpbox.pem -W %h:%p jumpbox_user@jump.box.host\r\n<\/pre>\n
ssh my_server<\/code> and you’re off to the races! For a quick-n-dirty one-liner without editing your SSH config, it looks like this:<\/p>\nssh -i server_key.pem -o \"ProxyCommand ssh -W %h:%p -i key_for_jumpbox.pem jumpbox_user@jump.box.host\" username@172.31.4.82<\/code><\/p>\nssh host1+host2<\/code>. But it gets uglier with differing usernames: ssh user1%host1+host2 -l user2<\/code>. Also it uses netcat rather than -W<\/code> and doesn’t appear to play nicely with needing to specify key files with -i<\/code>. A little monkeying could solve those problems. A project for a future day.<\/p>\nssh_unsafe<\/code> and scp_unsafe<\/code> as follows:<\/p>\n\r\nalias ssh_unsafe=\"ssh -o UserKnownHostsFile=\/dev\/null -o StrictHostKeyChecking=no\"\r\nalias scp_unsafe=\"scp -o UserKnownHostsFile=\/dev\/null -o StrictHostKeyChecking=no\"\r\n<\/pre>\n