There are quite a few posts out there on how to make multi-hop SSH easier. Often this is called SSH’ing via jump box or proxy host.
Most of them work via netcat (nc), which is a bit finicky. A better, less-mentioned option is SSH’s -W flag. Implemented in your ~/.ssh/config, it looks like this:
Host my_server
    IdentityFile server_key.pem
    HostName 172.31.4.82
    User username
    ProxyCommand ssh -i key_for_jumpbox.pem -W %h:%p jumpbox_user@jump.box.host
Now just ssh my_server and you’re off to the races! For a quick-n-dirty one-liner without editing your SSH config, it looks like this:
ssh -i server_key.pem -o "ProxyCommand ssh -W %h:%p -i key_for_jumpbox.pem jumpbox_user@jump.box.host" username@172.31.4.82
A very clever solution described on the Gentoo Wiki enables a simple syntax: ssh host1+host2. But it gets uglier with differing usernames: ssh user1%host1+host2 -l user2. Also, it uses netcat rather than -W and doesn’t appear to play nicely with needing to specify key files with -i. A little monkeying could solve those problems. A project for a future day.
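One way to do that monkeying, as an added example that is not from the original post or the Gentoo Wiki: a shell function that turns a hop chain into ~/.ssh/config stanzas chained with -W, each hop keeping its own user and key file. The chain syntax [user@]host[:keyfile]+..., the function name gen_chain_config and the <alias>_hopN names are assumptions of this example, and the output is assumed to be appended to ~/.ssh/config so the inner ssh can resolve the hop aliases.

```shell
#!/bin/sh
# Added example, not from the original post. The chain syntax
# [user@]host[:keyfile]+... and the <alias>_hopN names are assumptions.
gen_chain_config() {
    prefix=$1; chain=$2; n=0; prev=
    old_ifs=$IFS; IFS=+
    set -f; set -- $chain; set +f   # split the chain on "+", globbing off
    IFS=$old_ifs
    total=$#
    [ "$total" -ge 1 ] || { echo "empty chain" >&2; return 1; }
    for hop in "$@"; do
        n=$((n + 1)); key=; user=
        case $hop in *:*) key=${hop#*:}; hop=${hop%%:*} ;; esac
        case $hop in *@*) user=${hop%%@*}; hop=${hop#*@} ;; esac
        [ -n "$hop" ] || { echo "hop $n: missing host" >&2; return 1; }
        # Allowlist the characters written into the config, and refuse a
        # leading "-" so no field can be read as an ssh option.
        for field in "$prefix" "$hop" "$user" "$key"; do
            case $field in
                -*|*[!A-Za-z0-9._/~-]*) echo "hop $n: bad field" >&2; return 1 ;;
            esac
        done
        # The last hop gets the alias itself; earlier hops get <alias>_hopN.
        if [ "$n" -eq "$total" ]; then name=$prefix; else name=${prefix}_hop$n; fi
        printf 'Host %s\n    HostName %s\n' "$name" "$hop"
        [ -z "$user" ] || printf '    User %s\n' "$user"
        [ -z "$key" ] || printf '    IdentityFile %s\n' "$key"
        # Each hop is reached through the previous alias, which the inner ssh
        # resolves from the same config file; both key files stay local.
        [ -z "$prev" ] || printf '    ProxyCommand ssh -W %%h:%%p %s\n' "$prev"
        printf '\n'
        prev=$name
    done
}

# Sample chain built from the names used in the post.
gen_chain_config my_server \
    'jumpbox_user@jump.box.host:key_for_jumpbox.pem+username@172.31.4.82:server_key.pem'
```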
On another note, I find it useful to alias ssh_unsafe and scp_unsafe as follows:
alias ssh_unsafe="ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"
alias scp_unsafe="scp -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"
Handy when connecting to a box for which you do not care to remember or verify the host key.
Thanks! That helped me.
One thing I was confused about was the key files. I wasn’t sure which files are stored on which machines – the jumper box, or workstation. I already had added my public key (id_rsa.pub) from my workstation to my authorized_keys on the workstation, and the public key from my account on the jumper box to my authorized_keys on the destination server. Then I left out mention of key files in the config block you provided. At first I was getting
Permission denied (publickey).
Killed by signal 1.
But then I appended my workstation id_rsa.pub to my authorized_keys on the destination server, and now it works for me.
Thanks again.
This was a HUGE help for me just now. Thanks!