
So I'm essentially trying to do this:

ssh bob2@35.192.152.35 -t ssh bob2@test-vm

The above works fine if I just type it into the terminal; however, I am having a hard time trying to replicate it via the .ssh config file.

Here's what I have inside the config file:

Host bastion
     HostName 35.192.152.35
     User bob2

Host test-vm
     User bob2
     ForwardAgent yes
     ProxyCommand ssh bastion nc %h %p 2> /dev/null

However, it comes up with an error saying "permission denied" (invalid public key file?). I came up with the above from this post: https://unix.stackexchange.com/questions/124078/how-to-ssh-to-a-server-using-another-server-with-key-from-the-second-server

Somehow it worked for the guy, but doesn't seem to work for me. I also tried allowing agent forwarding and TCP forwarding in the sshd_chroot config as well on all parties (origin, bastion, and server), but that didn't make a difference.

If I explicitly specify the identity paths:

Host bastion
     HostName 35.192.152.35
     User bob2
     IdentityFile /Users/bob/.ssh/id_rsa

Host test-vm
     User bob2
     ForwardAgent yes
     ProxyCommand ssh bastion nc %h %p 2> /dev/null
     IdentityFile /home/bob2/.ssh/id_ed25519

Then it comes up with the same error, in addition to saying that it couldn't find the directory "/home/bob2/.ssh/id_ed25519".

Anyone got any ideas?

Dmytro Lysak

3 Answers


Once you realize that bastions are for defeating network firewalls and not for storing keys, you can change this into a two-command solution with minimal config.

On A, your local machine, make sure you have an ssh-agent running.

Do a one time command to B, where B has the following config:

Host B
        ForwardAgent yes
        User proxyuser

And run the following command:

$ ssh B ssh-add # and possibly a reference to a non-standard key

At this point your local ssh-agent will have the remote key in its cache.

Afterwards a plain -J or ProxyJump to C will 'just work':

Host C
        User user
        ProxyJump proxyuser@B

$ ssh C

With the slight inconvenience of an extra one-time command, you can keep your config pretty sane IMO.

You could ask yourself whether storing the key on the bastion really provides you with extra safety if it's going to get cached on your local machine anyway. Of course there is a slight benefit of not having the key stored on disk, but if your local machine is hacked there is not much difference between reading a file and communicating with an ssh-agent loaded with keys.

hbogert

It seems that you want your config to let test-vm look for the key on bastion. So I suggest:

  1. Copy the key file to bob2's .ssh folder on bastion.
  2. Add a ProxyCommand with ssh-add to your config.
3735943886

The below works for me. It is almost the same as yours, except that I do specify the IP address of the final destination (maybe not relevant in your case) and I HAD TO COPY the key from the bastion to my local host, as my ssh_config is finding key files here, not on the bastion midway:

==== added to .ssh/config ====
Host mybastion
    HostName 133.35.41.9
    User bastuser
    IdentityFile /Users/bchapman/.ssh/bast_priv.key

Host mytarget
    HostName 109.0.1.38
    ProxyCommand ssh -q -W %h:%p mybastion
    User targuser
    IdentityFile /Users/bchapman/.ssh/targ_priv.key
==============

After that I can `ssh mytarget`, `scp localfile mytarget:`, etc. just fine.
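The point the question and the last answer both run into (the key is looked up on the local machine, never on the bastion) can be checked with a small ssh_config resolver. This is an added example, not code from the question or any answer; it takes the question's second config (with the flattened lines restored) as constructed input and stands in for the local filesystem with a set, since negated patterns and Match blocks are deliberately not handled.

```python
import fnmatch
import os
import re

# Constructed input: the question's second config with its flattened lines restored.
CONFIG = """
Host bastion
    HostName 35.192.152.35
    User bob2
    IdentityFile /Users/bob/.ssh/id_rsa
Host test-vm
    User bob2
    FOrwardAgent yes
    ProxyCommand ssh bastion nc %h %p 2> /dev/null
    IdentityFile /home/bob2/.ssh/id_ed25519
"""
# Constructed stand-in for the local filesystem: only the local key exists here.
LOCAL_FILES = {"/Users/bob/.ssh/id_rsa"}

def parse_ssh_config(text):
    """Split ssh_config text into (host patterns, {keyword: [values]}) stanzas. Keywords
    are case-insensitive (ssh accepts 'FOrwardAgent'); '!pattern' and Match are skipped."""
    stanzas = [(["*"], {})]  # options before the first Host line apply to every host
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line: continue
        key, value = (re.split(r"[ \t=]+", line, maxsplit=1) + [""])[:2]
        if key.lower() == "host":
            stanzas.append((value.split(), {}))
        else:
            stanzas[-1][1].setdefault(key.lower(), []).append(value)
    return stanzas

def effective_options(stanzas, dest):
    """ssh's rule: stanzas are scanned in order and the first value obtained for a
    keyword wins; IdentityFile is the exception and accumulates across stanzas."""
    opts = {}
    for patterns, kv in stanzas:
        if any(fnmatch.fnmatchcase(dest, p) for p in patterns):
            for key, values in kv.items():
                if key == "identityfile":
                    opts.setdefault(key, []).extend(values)
                else:
                    opts.setdefault(key, values[0])
    return opts

def missing_local_identities(opts, exists=os.path.exists):
    """IdentityFile paths are opened by the local ssh client; ProxyCommand/ProxyJump only
    relay the TCP stream, so a key that lives on the bastion is reported here as missing."""
    return [p for p in opts.get("identityfile", []) if not exists(os.path.expanduser(p))]
```

Running `missing_local_identities(effective_options(parse_ssh_config(CONFIG), "test-vm"), LOCAL_FILES.__contains__)` reproduces the "couldn't find /home/bob2/.ssh/id_ed25519" complaint from the question, while the bastion stanza resolves cleanly.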