sftp/fish over double hop with different users

I am trying to set up an ssh session over a double hop, with a different user on each hop, to transfer files easily via fish/sftp.

My .ssh/config looks like:

Host middle_server
    User            foo
    Hostname        192.168.xx.xx

Host www.server.org target
    User            bar 
    HostName        www.server.org
    ProxyCommand    ssh middle_server nc %h %p 2> /dev/null

The connection to the middle server is secured by an RSA key, and the connection from the middle server to the target is direct with the bar user.

When I try to connect to the target, I get the following error:

[foo@localhost]$ ssh target
Enter passphrase for key '/home/foo/.ssh/id_rsa':
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).

I can connect with the two following methods, so I guess the bar user is not used for the second hop, but I have no idea what the cause could be.

[foo@localhost]$ ssh middle_server
Enter passphrase for key '/home/foo/.ssh/id_rsa':
[foo@middle_server ~]$ ssh bar@www.server.org
[bar@www ~]$ 

or

[foo@localhost]$ ssh -A -t foo@middle_server ssh -A bar@www.server.org
Enter passphrase for key '/home/foo/.ssh/id_rsa':
[bar@www ~]$

Any help will be greatly appreciated, thanks in advance!

Eric

Posted 2012-04-20T11:18:31.047

Reputation: 101

Can you try ForwardAgent yes for both? – user1686 – 2012-04-20T11:28:20.347

I added ForwardAgent yes for both hosts, but still get the same error. – Eric – 2012-04-20T11:34:29.543

Answers

When you use ProxyCommand, your local machine makes the connection to the target host. As you want to create the connection from middle to target, you should not use it (or should not use it with nc).

I would not use ForwardAgent since it is not totally secure (the root user on the middle machine can encode data using your key through the ssh-agent on your local machine).

So, one possible solution is to run the ssh command from the middle machine to the target machine inside your ProxyCommand on the local machine. For example:

ssh bar@doesnt_matter_host_here -o ProxyCommand='ssh foo@middle_server "ssh bar@www.server.org nc localhost 22"'

You can configure a host called "www_over_middle" with this ProxyCommand in your ~/.ssh/config:

Host www_over_middle
    User bar
    ProxyCommand ssh foo@middle_server "ssh bar@www.server.org nc localhost 22"

And then:

ssh www_over_middle

Álvaro Justen

Posted 2012-04-20T11:18:31.047

Reputation: 344
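The answer above builds the tunnel by running a second ssh on the middle server and ending it with nc. As an added example (not code from the question or the answer), the script below does the same double hop from the local machine with OpenSSH's -W netcat mode, which needs no nc on either hop and leaves ForwardAgent off, and then checks the generated fragment with plain grep. It uses the users and hosts from the thread and assumes, as the answer's approach also does for its final hop, that the local machine holds a credential for bar on www.server.org.

```shell
#!/bin/sh
# Added example, not code from the thread. Writes an ssh_config fragment that
# reaches the target through the middle server with "ssh -W" (OpenSSH 5.4+),
# keeps agent forwarding off on both hops, and checks the fragment with grep.

# Print the fragment. Args: middle-user middle-host target-user target-host
emit_hop_config() {
    mu=$1; mh=$2; tu=$3; th=$4
    cat <<EOF
Host middle_server
    User            $mu
    HostName        $mh
    ForwardAgent    no

Host target
    User            $tu
    HostName        $th
    ForwardAgent    no
    # -W makes middle_server's sshd relay a raw TCP stream to $th:22, so no nc
    # is needed there and the key for $tu is only ever used on this machine.
    ProxyCommand    ssh -W %h:%p middle_server
EOF
}

# Return 0 if every Host stanza has ForwardAgent no and the target hop tunnels
# through middle_server with -W rather than with nc; return 1 otherwise.
check_hop_config() {
    cfg=$1
    hosts=$(printf '%s\n' "$cfg" | grep -c '^Host ' || true)
    offs=$(printf '%s\n' "$cfg" | grep -c '^[[:space:]]*ForwardAgent[[:space:]]*no$' || true)
    [ "$hosts" -gt 0 ] && [ "$hosts" -eq "$offs" ] || return 1
    printf '%s\n' "$cfg" | grep -q '^[[:space:]]*ProxyCommand[[:space:]]*ssh -W %h:%p middle_server$' || return 1
    # Reject any ProxyCommand that still shells out to nc on a remote hop.
    if printf '%s\n' "$cfg" | grep '^[[:space:]]*ProxyCommand' | grep -q '[[:space:]]nc[[:space:]]'; then
        return 1
    fi
    return 0
}

# Stand-alone use: print the fragment for the users and hosts from the thread.
emit_hop_config foo 192.168.xx.xx bar www.server.org
```

Append the printed fragment to ~/.ssh/config and `ssh target` (or `sftp target`) then authenticates end to end through the relay, so the passphrase prompt you see is for the key used on the final hop.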