I'm setting up some servers for a new system and decided to do things a little bit differently. I'm running into an issue that I just can't seem to get past though. My desired configuration is having one bastion server and N other servers that can be accessed via the bastion only—a pretty typical configuration.
The difference from what I normally do is that I would like to use signed SSH keys for authentication. This is pretty straight-forward for a single server but is throwing a wrench when using a bastion.
Right now, I have two identically configured servers. I can access them both directly using a signed SSH key. However, if I try to use one as a bastion/jump host, I can't connect to the other. My ~/.ssh/config looks like this:

```
Host ssh.uswe2
    HostName ssh.uswe2.example.com
    User ec2-user
    IdentityFile ~/.ssh/ssh-rsa-cert

Host *.uswe2 !ssh.uswe2
    HostName %h.example.com
    User ec2-user
    ProxyCommand ssh -W %h:%p ssh.uswe2.example.com
    IdentityFile ~/.ssh/ssh-rsa-cert
```
With this configuration, I can sign in to the bastion with `ssh ssh.uswe2`, but when I try to connect to the other server with `ssh server2.uswe2` I get the following error:

```
channel 0: open failed: administratively prohibited: open failed
stdio forwarding failed
kex_exchange_identification: Connection closed by remote host
```
I can still connect directly to the server with `ssh server2.uswe2.example.com` over the public network though, so I know that the CA and cert are being loaded correctly.
My next thought was that maybe it was something to do with how the bastion is configured, but if I add my public key to ~/.ssh/authorized_keys on both servers, I can connect without any issue.
I'm completely at a loss here and it's difficult to troubleshoot since I keep locking myself out of servers. I'm hoping someone can help me with the following:
- Is this configuration possible at all?
- My assumption right now is that there's a problem with my local ssh config. Is there a specific flag or option I'm missing?
- What should my next steps be to try to identify the issue?
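One way to start on the third question, as an added example that is not part of the original post: the "administratively prohibited" reply to `ssh -W` comes from the bastion's sshd refusing the direct-tcpip channel, and sshd refuses it by policy in two cases that are easy to check offline: the authenticating certificate does not carry the `permit-port-forwarding` extension (sshd permits no port forwarding to such a certificate, whatever sshd_config says), or sshd_config disables local TCP forwarding (`AllowTcpForwarding no` or `remote`). The POSIX sh below runs both checks over text you can collect without a working hop: the output of `ssh-keygen -L -f <cert>` and a copy of the bastion's sshd_config. Every sample listing, path, key ID, fingerprint and date is constructed for the example, and the sshd_config parser deliberately reads only the global section (directives inside Match blocks are an assumption it does not handle).

```shell
#!/bin/sh
# Added example, not code from the original post. Offline checks for the two
# bastion-side policies that make sshd answer "administratively prohibited"
# to the direct-tcpip channel opened by `ssh -W` (or ProxyJump):
#   1. the certificate must carry the permit-port-forwarding extension
#      (sshd allows no port forwarding to a certificate that lacks it);
#   2. sshd_config must allow local TCP forwarding (AllowTcpForwarding).
# All sample text below is constructed: paths, key IDs, fingerprints and
# dates are made up.

# Reads `ssh-keygen -L -f <cert>` output on stdin. Exit 0 when the Extensions
# section lists permit-port-forwarding, 1 otherwise ("Extensions: (none)", or
# a cert signed with -O clear that never added the extension back).
cert_permits_forwarding() {
    awk '
        $1 == "Extensions:" { in_ext = 1; next }
        in_ext && $1 == "permit-port-forwarding" { found = 1 }
        END { exit found ? 0 : 1 }
    '
}

# Reads an sshd_config on stdin. Exit 0 when direct-tcpip ("local") forwards
# are allowed. Mirrors sshd's rules: keywords are case-insensitive, the first
# occurrence wins, the default is "yes". Assumption for brevity: only the
# global section is read; directives inside Match blocks are ignored.
sshd_allows_local_forwarding() {
    awk '
        BEGIN { value = "yes" }
        NF == 0 || substr($1, 1, 1) == "#" { next }
        tolower($1) == "match" { in_match = 1 }
        !in_match && !seen && tolower($1) == "allowtcpforwarding" {
            value = tolower($2); seen = 1
        }
        END { exit (value == "yes" || value == "all" || value == "local") ? 0 : 1 }
    '
}

# $1 = cert listing text, $2 = sshd_config text. Prints one line per finding
# and returns 0 only when a -W/ProxyJump hop through this bastion is permitted.
diagnose_hop() {
    status=0
    if ! printf '%s\n' "$1" | cert_permits_forwarding; then
        echo "certificate lacks permit-port-forwarding: re-sign it with that extension"
        status=1
    fi
    if ! printf '%s\n' "$2" | sshd_allows_local_forwarding; then
        echo "bastion sshd_config sets AllowTcpForwarding to no/remote"
        status=1
    fi
    [ "$status" -eq 0 ] && echo "bastion policy permits the forwarded channel"
    return "$status"
}

# Constructed sample: listing of a certificate with the default extension set.
SAMPLE_CERT_FULL='/home/user/.ssh/ssh-rsa-cert-cert.pub:
        Type: ssh-rsa-cert-v01@openssh.com user certificate
        Public key: RSA-CERT SHA256:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
        Signing CA: RSA SHA256:BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB (using rsa-sha2-512)
        Key ID: "ec2-user"
        Serial: 1
        Valid: from 2024-01-01T00:00:00 to 2024-01-08T00:00:00
        Principals:
                ec2-user
        Critical Options: (none)
        Extensions:
                permit-X11-forwarding
                permit-agent-forwarding
                permit-port-forwarding
                permit-pty
                permit-user-rc'

# Constructed sample: the same certificate signed with `-O clear -O permit-pty`
# (derived from the listing above by truncating the Extensions section).
SAMPLE_CERT_NO_FWD=$(printf '%s\n' "$SAMPLE_CERT_FULL" | awk '
    $1 == "Extensions:" { print; print "                permit-pty"; exit } { print }')

# Constructed sample sshd_config fragments for the bastion.
SAMPLE_SSHD_DEFAULT='# AllowTcpForwarding not set: sshd default is yes
TrustedUserCAKeys /etc/ssh/ca.pub
AuthorizedPrincipalsFile /etc/ssh/principals/%u'

SAMPLE_SSHD_LOCKED='TrustedUserCAKeys /etc/ssh/ca.pub
# hardened bastion: reverse forwards only, so -W (a local forward) is refused
AllowTcpForwarding remote'

echo "== cert with default extensions, default sshd_config"
diagnose_hop "$SAMPLE_CERT_FULL" "$SAMPLE_SSHD_DEFAULT"
echo "== cert signed with -O clear, hardened sshd_config"
diagnose_hop "$SAMPLE_CERT_NO_FWD" "$SAMPLE_SSHD_LOCKED" || true   # exit 1 expected
```

Against the real files: `ssh-keygen -L -f ~/.ssh/ssh-rsa-cert | cert_permits_forwarding` on the client, and the bastion's sshd_config piped into `sshd_allows_local_forwarding` (`sshd -T` prints the effective values if Match blocks are in play). Two further things worth knowing while debugging: `ssh -vvv server2.uswe2` shows which key and certificate the inner and outer ssh actually offer, and the hop in the ProxyCommand is addressed as `ssh.uswe2.example.com`, which does not match the `Host ssh.uswe2` stanza, so the inner ssh does not inherit that stanza's IdentityFile; `ProxyJump ssh.uswe2` (OpenSSH 7.3 and later) resolves the alias through the same config and replaces the `ssh -W` ProxyCommand.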