-1

I'm fairly sure this will have been asked before; I have found similar questions, but I do not fully understand how to apply them to my situation. So, sorry for asking again.

We have a number of servers located in a data centre which have firewall rules only allowing SSH connections to them from our work external IP. They also only accept authentication with SSH keys. Can I connect to one of these servers via another machine at work and have the key passed on from my machine (at home) for authentication?

Is this an SSH tunnel, or is that something else?

Thanks for your help.

Luke Cousins

1 Answer

5

You can use the ssh ProxyCommand functionality for this.

Assume serverA is your jump host, and serverB is the ultimate server you want to connect to. Add the following to your ~/.ssh/config file:

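```
Host serverB
  Hostname serverB.example.com
  User jimbob
  # Run nc on the jump host (serverA) to relay the connection to
  # %h:%p, i.e. the Hostname above and the SSH port
  ProxyCommand ssh serverA.example.com nc %h %p 2> /dev/null
```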

Then from your workstation, just issue this command:

```
$ ssh serverB
```
EEAA
  • Thanks for the reply and thanks for explaining how to connect as that's what I didn't understand in http://serverfault.com/questions/255613/ssh-directly-through-another-server. This seems to work perfectly for servers where I login with a password, but it doesn't seem to be passing on my public key to the final server. – Luke Cousins Mar 28 '14 at 19:27
  • There's no reason this won't work with key auth. If it's not working, there's something else going on. With the above command, there is no "passing on your key", as happens with ssh-agent forwarding. This is actually redirecting the network connection directly to the destination server. – EEAA Mar 28 '14 at 19:30
  • That's very strange. Please see [this image](http://tinypic.com/r/wva73n/8) which shows initially connecting to the "poodle" server directly where the key authentication works. Then I exit and try again through the alias created in the config file and it fails (the key is used to connect to the "serverA" server without a password). See [this image](http://tinypic.com/r/2ptawyd/8) showing my config file. I really appreciate your help. – Luke Cousins Mar 28 '14 at 19:44
  • Is the username you use the same on both the jump host as well as your destination server? – EEAA Mar 28 '14 at 19:46
  • No, it is not. Does it need to be? I could create a new account on the jump host with the same username. Or can we do it without doing that? Thanks. – Luke Cousins Mar 28 '14 at 19:50
  • See my edit - you likely just need to specify (in your `~/.ssh/config`) the username you want to connect to serverB as. – EEAA Mar 28 '14 at 19:51
  • Thanks, I just added that but it doesn't seem to make a difference. I've set the user for the serverA in the ProxyCommand line as user@serverA. I presume that's ok as it seemed to work. – Luke Cousins Mar 28 '14 at 20:02
  • Yep, certainly. – EEAA Mar 28 '14 at 20:03
  • Sorry if my last post wasn't clear, the user@serverA bit seemed to work ok, but I still cannot seem to connect to serverB even with the User line. Do you have any other ideas? Thank you. – Luke Cousins Mar 28 '14 at 20:12
  • No other ideas. It works with key auth (I use this exact config all the time). You'll need to dig into client and server logs to see what's going on. – EEAA Mar 28 '14 at 20:13
  • Ok, thanks. Despite having not quite got this working, I'm so close and I don't think it's anything wrong with your config, so I'm going to mark this the accepted answer now anyway. Thanks for all your help. – Luke Cousins Mar 28 '14 at 20:17
  • Sounds good. Good luck! – EEAA Mar 28 '14 at 20:18
  • Sorry for being a pain, it turned out to be a firewall issue after all! The server I was proxying through had a different external IP to our main IP! Not sure how I managed to overlook this. For anyone else reading, you can use something like `ssh -vvv serverB` to get some debug info on the SSH process... – Luke Cousins Apr 01 '14 at 21:21
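
The thread ends with the cause being the destination firewall not allowing the jump host's external IP. As an added example (not part of the original posts), the shell function below tests each hop of the `ProxyCommand` setup separately to show where the connection fails. The function name and result labels are made up here, and it assumes key authentication that needs no prompt (an agent or an unencrypted key) and an `nc` on the jump host that supports `-z` and `-w`.

```shell
#!/bin/sh
# Added example: find which hop of a jump-host SSH connection fails.
# Usage: check_jump [user@]JUMP [user@]DEST_HOSTNAME [PORT]
# Prints: jump-unreachable | dest-blocked | dest-login-failed | ok

check_jump() {
    jump=$1
    dest=$2
    port=${3:-22}
    host=${dest#*@}    # destination hostname without any "user@" prefix
    # BatchMode stops ssh from prompting, so a failure returns immediately.
    opts='-o BatchMode=yes -o ConnectTimeout=5'

    # Hop 1: can this machine log in to the jump host with its key?
    if ! ssh $opts "$jump" true 2>/dev/null; then
        echo jump-unreachable
        return 1
    fi

    # Hop 2: from the jump host, is the destination's SSH port open?
    # The destination firewall sees the jump host's external IP here,
    # which may differ from the office's main IP.
    if ! ssh $opts "$jump" nc -z -w 5 "$host" "$port" 2>/dev/null; then
        echo dest-blocked
        return 2
    fi

    # Hop 3: full login through the relay. The local client authenticates
    # to the destination itself; the jump host only forwards bytes, so the
    # key must be authorised for the destination user given in $dest.
    if ! ssh $opts -o ProxyCommand="ssh $jump nc %h %p" \
            -p "$port" "$dest" true 2>/dev/null; then
        echo dest-login-failed
        return 3
    fi

    echo ok
}
```

A `dest-blocked` result points at firewall rules or routing between the jump host and the destination, while `dest-login-failed` points at the username or authorised key on the destination; `ssh -vvv` on that last step then shows the detail.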