
Is it possible to chain multiple ssh connections together with each connection specified as an ssh host?

I know it's possible to use the -W flag or nc to do a second hop to another hostname or IP address (see, e.g., ssh via multiple hosts). I haven't been able to get this to work the way I want for a couple of reasons. First, for the second hop, I want to use a key file stored on the intermediate host, and I don't see a way to specify this with either -W or nc. Second, the final destination has a variable IP address. To deal with this, I have a script running on the destination that writes its IP address to a file stored on the intermediate host, and a script (look_up_ip.sh) on the intermediate host that prints out this IP address. On the intermediate host, I have this entry in ~/.ssh/config:

Host destination
 HostName destination
 User dest_user
 IdentityFile ~/.ssh/destination
 PreferredAuthentications publickey
 ProxyCommand nc $(look_up_ip.sh %h) %p

which allows me to connect to the destination from the intermediate with just ssh destination.

What I would like to do is put something in ~/.ssh/config on the first machine to define the destination host (as, e.g., hopped_destination) so that ssh will first connect to the intermediate host and then do ssh destination from there, so I can just do ssh hopped_destination from the first machine and have the intermediate ~/.ssh/config deal with the identity file and ip lookup for the destination. Part of the reason why I want this is that I ultimately want to be able to connect to the destination with VNC using vncviewer -via destination localhost:0, and I want the connection not to be accessible to other users on the intermediate host (as implied in parts of the accepted answer to this question: https://superuser.com/questions/96489/an-ssh-tunnel-via-multiple-hops). I was hoping that it would be possible to put ssh into ProxyCommand on the first machine with something like:

Host destination
 ProxyCommand ssh -t intermediate_user@intermediate_host ssh destination

but I haven't found options that allow something like this to work.

I would also welcome any suggestions on better ways to do this (is there a way to get rid of the nc ProxyCommand I am using now?). I could probably work out a script to do the VNC command more directly but that might be more complicated (handling the port forwarding directly and being sure to close things on exit, and being sure not to open a port for all users).

ws_e_c421
  • use -w switch to ssh for transparent proxy commands. – Jakuje Oct 27 '16 at 08:01
  • That sounds promising. Can you give more detail or link to an example? I have been searching for a while and haven't seen much that uses -w. Mainly, I just find examples using -W, nc or -t. – ws_e_c421 Oct 27 '16 at 15:41
  • Related: http://unix.stackexchange.com/questions/306870/saved-proxy-settings-for-ssh-with-various-aws-accounts/306899#306899 – Jakuje Oct 27 '16 at 17:14
  • Oh, that is -W, not -w. That is pretty much the same as the first link I gave and doesn't work for me for the reasons I gave in the question. – ws_e_c421 Oct 27 '16 at 18:14
  • Well ... if you need to issue the connection from the jumphost, you need to chain the connections using ssh -t jumphost ssh destination. It is not elegant, but probably the only way to go. You can simplify the connection only using bash scripts/functions/aliases. – Jakuje Oct 28 '16 at 16:30

1 Answer


Example from my ssh config file:

Host vmike2-squid-cache
  User mike
  ProxyCommand ssh -q -A -x ???.???.???.??? -W %h:22

(The only thing I changed was the IP.)

mikejonesey
  • This looks like the standard setup described in the first link in my question. %h can only be substituted with a hostname/ip address which doesn't help me. I need it to be substituted by a Host entry in ~/.ssh/config or to otherwise be substituted with a value known on the intermediate host and not on the first machine (though I am sure with a more complicated setup I could pull that information and then do something like this). – ws_e_c421 Oct 27 '16 at 15:44
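The part of the setup that does live on the intermediate is the ip lookup behind ProxyCommand nc $(look_up_ip.sh %h) %p. Written out here as an added example (it is not the asker's own look_up_ip.sh), with the check a practitioner would want: the address file is written by another process, and whatever it contains is word-split by the $(...) substitution straight onto the nc command line, where extra words become extra nc arguments. The script below prints the stored value only if it is exactly one IPv4 address and fails otherwise, so ssh aborts instead of running nc with unexpected arguments. The directory with one address file per Host name is an assumption.

```sh
#!/bin/sh
# Added example, not the asker's own look_up_ip.sh: the ip lookup that the
# intermediate's ProxyCommand runs as "nc $(look_up_ip.sh %h) %p". The address
# comes from a file that another process (the script on the destination) writes,
# and the $(...) substitution splices that file's content straight into the nc
# command line, where extra words become extra nc arguments. This version
# therefore prints the content only if it is exactly one IPv4 address and
# otherwise fails, which makes ssh abort instead of running nc with odd
# arguments. The directory holding one file per Host name is an assumption.
set -eu

IP_DIR="${HOME}/.ssh/destination-ip"    # assumed: ~/.ssh/destination-ip/<host>, mode 0700

# Return 0 only if $1 is a single dotted-quad IPv4 address: four decimal octets
# 0-255, no surrounding text, no empty octets, no leading zeros (some tools read
# "010" as octal).
valid_ipv4() {
    case $1 in
        ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in 0?*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the address stored for Host name $1, or fail. Only the first line of the
# file is used and surrounding blanks are stripped; the Host name is checked so
# that %h cannot be turned into a path outside IP_DIR.
look_up_ip() {
    host=$1
    case $host in ""|*/*|.*) echo "look_up_ip: bad host name '$host'" >&2; return 1 ;; esac
    file="$IP_DIR/$host"
    [ -f "$file" ] || { echo "look_up_ip: no address file for $host" >&2; return 1; }
    ip=$(head -n 1 "$file" | tr -d ' \t\r')
    valid_ipv4 "$ip" || { echo "look_up_ip: '$ip' in $file is not an IPv4 address" >&2; return 1; }
    printf '%s\n' "$ip"
}

[ $# -eq 0 ] || look_up_ip "$1"    # no argument: only define the functions
```

With this in place the existing entry (ProxyCommand nc $(look_up_ip.sh %h) %p, with the script on PATH or given by absolute path) keeps working unchanged; %h expands to destination and selects the file. Keep the address file writable only by the intermediate account that runs ssh. Note also what the Host entry already gives you: because HostName is pinned to destination, ssh looks the host key up in known_hosts under that name whatever address the proxy connects to, so a wrong or tampered address in the file results in a host-key mismatch rather than a silent login to some other machine, as long as StrictHostKeyChecking stays on.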