40

To get to my machine in my office, at the moment I am doing this:

me@home:~$ ssh unix.university.com
me@unix:~$ ssh unix.department.university.com
me@unix.department:~$ ssh office-machine.department.university.com
me@office-machine:~$ echo "This is very annoying"

Is there an easy way of automating this process, perhaps a single command that I can use at my end?

amphetamachine
Lucas

4 Answers

39

Yes, there is a great way to do that using ssh ProxyCommand and netcat.

Put something like this in your .ssh/config:

Host *.department.university.com
User me
ForwardAgent yes
ProxyCommand ssh unix.university.com nc %h %p

This will log directly into any .department.university.com server using the jump/bastion host unix.university.com. You may also need a stanza for unix.university.com directly.

Here is a link explaining how it works: http://backdrift.org/transparent-proxy-with-ssh

With this technique, you can now just write

ssh unix.department.university.com

and it will all appear direct. Tools like rsync, scp, etc. (anything in the ssh stack) will work transparently, as well.

Aaron Brown
  • 2
    +1 I use something similar to this to push data from a test network to a prod network through a staging server. – Arcege Nov 21 '11 at 23:20
  • 2
    Yup, this works great! – gabe. Nov 24 '11 at 19:05
  • 19
    Just for the record newer versions of ssh support the -W option, you can do something like ProxyCommand ssh -W %h:%p gateway instead of depending on nc – Ulrich Dangel Jun 24 '12 at 23:38
  • Good to know! Thx – Aaron Brown Jun 24 '12 at 23:39
  • 3
    Works great if the name of the user is the same across machines; if it is different you have to do something like ProxyCommand ssh -W %h:%p user@gateway – Riccardo Cossu Jun 12 '13 at 14:35
  • If your %h is not a fully qualified domain name, then you may have to edit the /etc/hosts file in your gateway to make the gateway resolve your %h. – Anjan Mar 08 '14 at 04:50
  • Pay attention to the keys you are using: the final server still needs to trust the key your client is giving. I had some trouble where the server only trusted the bastion key, and ssh complained about permissions. – igorsantos07 Sep 10 '18 at 06:00
  • @RiccardoCossu Different user names can be resolved with ProxyCommand ssh user@gateway nc %h %p as well. – schneiderfelipe May 08 '19 at 19:08
33

You can use the ssh client to execute ssh on the remote machine upon login.

ssh -t unix.university.com \
    ssh -t unix.department.university.com \
    ssh -t office-machine.department.university.com

(The reason I include -t in the invocations is because ssh was giving me errors re: stdin not being a terminal when I tried it on my own machine; your machine may be different.)

When you exit from the last shell, the process will chain-exit, saving you typing Ctrl-D over and over again.

amphetamachine
  • 3
    Please note: only add "-t" if you just do a login on the remote machine. To start a command on the remote machine, do NOT put them as they can/will corrupt some things (for example: tar cf - something | ssh somewhere "cd /path/remote ; tar xf - " : could become corrupted if you add -t ! See for example the wonderful StephaneChazelas's answer http://unix.stackexchange.com/questions/151916/why-is-this-binary-file-transfered-over-ssh-t-being-changed/151963#151963 ) – Olivier Dulac Jan 20 '17 at 10:07
  • 4
    Using -J is more secure than this answer, because you then have the possibility to store all ssh keys on your local computer. The -J option was introduced in openssh version 7.3 as mentioned in the answer from @Miikka – Erik Sjölund Jan 16 '18 at 18:15
  • 1
    @ErikSjölund Openssh doesn't allow more than one -J option. I think you could do it with multiple ProxyCommand options in your config. – amphetamachine Jan 30 '18 at 16:36
  • 1
    @amphetamachine With -J you can specify a comma-separated list of hops to go through. But using ProxyCommand with -W is still a much better approach than this answer if you happen to be using a version too old to support -J. – kasperd Feb 11 '18 at 00:22
13

In OpenSSH 7.3, ssh added the -J command line flag and the corresponding ProxyJump configuration option to solve exactly this problem.

Give the hosts you wish to ssh through as a comma-separated list to -J. For example:

ssh -J unix.university.com,unix.department.university.com  \
  office-machine.department.university.com
Miikka
0

To ssh into server B from server A with the same username:

Host target
  HostName <serverB_hostname>
  ForwardX11Trusted yes
  LogLevel verbose
  User <username>
  ProxyCommand ssh <username>@<serverA_hostname> -W %h:%p
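As an added example that is not part of any of the answers above, the following POSIX shell script writes the ~/.ssh/config stanzas for a whole chain of hops, either with ProxyJump (OpenSSH 7.3 and later, as in Miikka's answer) or with the ProxyCommand ssh -W fallback from the comments and the last answer, and builds the equivalent one-off ssh -J command line. The hostnames are the ones from the question; the function names, the "user@host" argument format and the "jump"/"proxycmd" mode switch are this example's own.

```shell
#!/bin/sh
# Added example: emit ~/.ssh/config stanzas for a multi-hop ssh chain.
# Hops are given as "user@host" (or just "host") in order, outermost bastion
# first and the final target last. The function names and argument layout are
# assumptions of this example, not an OpenSSH interface.

# emit_stanza SPEC VIA MODE
#   SPEC = user@host (or host) for this hop
#   VIA  = user@host of the previous hop, or "" for a directly reachable host
#   MODE = "jump" (ProxyJump, OpenSSH >= 7.3) or "proxycmd" (ProxyCommand ssh -W)
emit_stanza() {
    spec=$1; via_host=$2; mode=$3
    case $spec in
        *@*) user=${spec%%@*}; host=${spec#*@} ;;
        *)   user=""; host=$spec ;;
    esac
    printf 'Host %s\n' "$host"
    printf '    HostName %s\n' "$host"
    if [ -n "$user" ]; then
        printf '    User %s\n' "$user"
    fi
    if [ -n "$via_host" ]; then
        if [ "$mode" = jump ]; then
            printf '    ProxyJump %s\n' "$via_host"
        else
            # %%h and %%p survive printf as the literal %h / %p tokens ssh expands
            printf '    ProxyCommand ssh -W %%h:%%p %s\n' "$via_host"
        fi
    fi
    printf '\n'
}

# chain_config MODE HOP...  -> the full config for the chain on stdout.
# Each stanza names the previous hop as its jump host; because that hop has
# its own Host stanza, ssh resolves the chain recursively.
chain_config() {
    mode=$1; shift
    prev=""
    for hop in "$@"; do
        emit_stanza "$hop" "$prev" "$mode"
        prev=$hop
    done
}

# jump_cmdline HOP... TARGET -> the equivalent one-off "ssh -J a,b target"
jump_cmdline() {
    jumps=""
    while [ $# -gt 1 ]; do
        jumps="${jumps:+$jumps,}$1"
        shift
    done
    printf 'ssh -J %s %s\n' "$jumps" "$1"
}

# Demo with the question's chain (constructed hostnames from the question);
# inspect the output, then append it to ~/.ssh/config.
chain_config jump \
    me@unix.university.com \
    me@unix.department.university.com \
    me@office-machine.department.university.com
jump_cmdline unix.university.com unix.department.university.com \
    office-machine.department.university.com
```

With either mode, every hop is authenticated from the local client, so the private keys stay on the local machine and only public keys need to be installed on the bastions and the target; that is the property Erik Sjölund's and igorsantos07's comments point at, and it is what the chained "ssh -t" approach does not give you.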