The first ssh command is done on my computer, I enter the key password, then put the second ssh command in while logged into the server.

ssh -i cloudkey -L 6000:localhost:6001 admin@54.152.188.55 -p 9000
# I get prompted for a password to use the key
ssh -D 6001 -p 6666 localhost -l dancloud
# I get prompted for a password associated with user dancloud
  1. How can I combine these commands into a single command to obtain the same results? I see that netcat and ProxyCommand could be useful here but haven't been able to figure it out.
  2. How can I hardcode the two passwords in and put this into a bash script? Hopefully I could just do ./login.sh and run all this code with passwords hard coded into the script and reach the same final result.
Jeff Schaller

2 Answers

5

First possibility is obvious (note the -t switch):

ssh -t -i cloudkey -L 6000:localhost:6001 admin@54.152.188.55 -p 9000 \
   "ssh -D 6001 -p 6666 localhost -l dancloud"

With ProxyCommand it is more complicated at first sight, but conceptually you need only one forwarding (the netcat version is not advised anymore; using the -W switch is more elegant):

Host proxy
  Hostname 54.152.188.55
  User admin
  IdentityFile cloudkey
Host target
  Hostname localhost
  Port 6666
  User dancloud
  DynamicForward 6000
  ProxyCommand ssh -W %h:%p proxy

and then connect just using ssh target (see ... now you don't even need a bash script :)).

Explanation: The second ssh is also running from your computer, and therefore the dynamic forwarding socket (SOCKS proxy) is created directly on your computer.

About the passwords, it is not something that is advisable (passwords should be secret), but it might work with sshpass in front of the appropriate ssh.


Manual page for ssh explains the -W switch as:

-W host:port

Requests that standard input and output on the client be forwarded to host on port over the secure channel. Implies -N, -T, ExitOnForwardFailure and ClearAllForwardings. Works with Protocol version 2 only.

In combination with ProxyCommand, it connects to the requested hostname and then gives you basically an embedded version of netcat (it connects standard IO to the host:port pair given as the argument).

Jakuje
  • Both of these work. I just had to add Port 9000 to the proxy host. What does the "-W %h:%p" do? I've tried to find documentation online but haven't seen an explanation that makes sense to me – appleLover May 07 '16 at 16:35
  • I added my explanation. I hope it is more clear. If not, please specify what part is not clear from the manual page. – Jakuje May 07 '16 at 20:23
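An added example (not part of the original answers) of the asker's login.sh built on the ProxyCommand/-W approach above, with the key passphrase held by ssh-agent instead of being hardcoded. It assumes Port 9000 for the jump host, as the comment above reports; the HostKeyAlias name dancloud-via-proxy is made up for illustration.

```shell
#!/bin/sh
# Added example, not code from the answers. Values come from the question;
# Port 9000 on the jump host is the fix the asker reports in the comment.
JUMP_HOST=54.152.188.55; JUMP_PORT=9000; JUMP_USER=admin; KEY=cloudkey
INNER_PORT=6666; INNER_USER=dancloud; SOCKS_PORT=6000

# ssh invocation used as ProxyCommand: -W turns the jump-host session into a
# raw pipe to %h:%p (here localhost:6666 as seen from the jump host).
proxy_command() {
  printf 'ssh -i %s -p %s -W %%h:%%p %s@%s\n' \
    "$KEY" "$JUMP_PORT" "$JUMP_USER" "$JUMP_HOST"
}

# Run the tunnel; any arguments act as a prefix, so "tunnel echo" is a dry run.
# -N: tunnel only, no remote shell (drop it to also get a shell).
# HostKeyAlias: the target is named "localhost", so its host key is stored
#   under a separate (constructed) name instead of clashing with the local sshd.
# -D 127.0.0.1:PORT: SOCKS listener on this machine, loopback only.
tunnel() {
  "$@" ssh -N \
    -o "ProxyCommand=$(proxy_command)" \
    -o HostKeyAlias=dancloud-via-proxy \
    -o ExitOnForwardFailure=yes \
    -D "127.0.0.1:$SOCKS_PORT" \
    -p "$INNER_PORT" -l "$INNER_USER" localhost
}

# Load the key into ssh-agent so its passphrase is typed once, not stored.
# ssh-add -l exits 2 when no agent is reachable and 1 when the agent is empty.
# Both ssh processes run locally, so the local agent serves both hops without
# agent forwarding. dancloud is still asked for a password unless a key is
# authorized for that account.
ensure_key_loaded() {
  rc=0
  ssh-add -l >/dev/null 2>&1 || rc=$?
  if [ "$rc" -eq 2 ]; then
    eval "$(ssh-agent -s)" >/dev/null
    rc=1
  fi
  if [ "$rc" -ne 0 ]; then
    ssh-add "$KEY"
  fi
}

case "${1:-}" in
  connect) ensure_key_loaded && tunnel ;;
  show)    tunnel echo ;;
esac
```

./login.sh show prints the ssh command without connecting; ./login.sh connect opens the SOCKS proxy on local port 6000.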
1

You should be able to accomplish what you're looking to do with something similar to:

ssh -i cloudkey -L 6000:localhost:6001 admin@54.152.188.55 -p 9000 -t "ssh -D 6001 -p 6666 localhost -l dancloud"

The -t flag forces a pseudo-tty on the first machine and executes the remaining code on the first machine; in this case, ssh to the dancloud tunnel. The double quotes may be optional; for commands such as:

ssh 10.0.0.0 -t ssh 192.168.0.0

the quotes are not required; I use this command as is every day (with correct IPs, obviously). But your mileage may vary: if it fails without the quotes, simply add them ;-)

As for hardcoding passwords in a script, the only way I can think of to accomplish this would be to use an expect script, but this requires a bit of knowledge of Tcl code. It would be better to just use ssh forwarding and key-based authentication on all the applicable machines. You can check out a simple program called keychain and simply add to your $HOME/.bashrc file something along the lines of: keychain --agents ssh. keychain will then locate your ssh key and create your ssh-agent if needed, or use an existing one; this is helpful if you use ssh in multiple terminals.

Of note, using key-based authentication, you'll need to simply add -A to your ssh args:

ssh -A -i cloudkey -L 6000:localhost:6001 admin@54.152.188.55 -p 9000 -t "ssh -D 6001 -p 6666 localhost -l dancloud"

Rui F Ribeiro
jnbek