LinuxQuestions.org
Old 01-31-2013, 11:58 AM   #1
zagzagel
SSH Tunnelling with different users


Hi,

I have 2 machines ('a' and 'b'), and I want to connect to a server as user 'x' which only has the ssh key (public) of machine 'a'.

Now, if I'm 'user_a' in host 'a', in order to connect to the server I
Code:
ssh x@server
If I'm user 'user_b' in host 'b', I have to
Code:
$ ssh user_a@a
$ ssh x@server
Note that this works. No hangs, no fails. So I wanted to make a tunnel.

I tried tunneling before, and it worked, but this doesn't work as I expected
Code:
$ ssh -f -N -L port:server:22 user_a@a #create tunnel
$ ssh x@localhost:50000 #hangs so ctrl^c
$ ssh localhost:50000 #also hangs
I cannot mess with the server at all, and I don't want to create a user at machines 'a' and 'b' just to login to server.
Google wasn't a good teacher at this one. Everything I found was for the same user.

What can I do to accomplish my task (if anything)?
I just want to avoid typing 2 calls to ssh, no tunnel is actually necessary. But obviously I don't want to automatically ssh to 'server' every time I ssh to 'a'.

Last edited by zagzagel; 01-31-2013 at 12:01 PM.
 
Old 01-31-2013, 12:55 PM   #2
sag47
In the ~/.ssh/authorized_keys file you can specify commands and restrictions (or in your case just an ssh command). The -i option of ssh allows you to specify which private key to use. In the following example I'll specify three machines: mycomputer, servera, serverb. Here's how you would set that up.

On mycomputer
Code:
ssh-keygen
#when you run the ssh-keygen command be sure to give a custom key name such as /home/user/.ssh/id_servera
#now copy your key to servera
ssh-copy-id -i ~/.ssh/id_servera user2@servera
On servera, generate a key for serverb and edit the authorized_keys to specify a restricted command to execute when connected with the servera key from mycomputer.
Code:
ssh-keygen
#be sure to specify a custom name for the key: /home/user2/.ssh/id_serverb
#copy the key to serverb
ssh-copy-id -i ~/.ssh/id_serverb user3@serverb
Modify the ~/.ssh/authorized_keys file on servera to look like the following.
Code:
from="mycomputer",command="/usr/bin/ssh -i /home/user2/.ssh/id_serverb user3@serverb" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC3Sm/nKO3MFyKfDxrPMZxQo4rNCpAPivVLNwB01hKeKtpTyoyhXNyZ9R1qml4iGLxrA0FtMy1WZIefqJ3fI9YemRVZDcUTud9kn6uNEMM0I0ZqOGZH0ILRafHMFlgjGU5TbReuJs9Gk2aOdLME8h3/N843Z0uNmncBLWEBDBwnWuJQx2RaLxjTMqheFm3Fn5FXfbmFYBAMj+ZuPXLXGgKZGvT6n0o0JmXryur94LZSJeNREhTTZlWs2fpZw6l8kVa14Ppqvz+x9NhQ07312VKfyi2hsxDNzGJwXEffnb/ir8q+CIj1vzRE8RnOm3FgRONxyyglcUEu8Y209ShXUAfV sam@farcry.irt.drexel.edu
You can remove the from="mycomputer" from authorized keys but I specify it in my case because I have a static IP.

So now that we have everything set up you can get to serverb from mycomputer with a single command.
Code:
ssh -i ~/.ssh/id_servera user2@servera

#optionally create an alias
alias serverbpassthrough="ssh -i ~/.ssh/id_servera user2@servera"
serverbpassthrough
In a nutshell that should do exactly what you want. There are other options and more restrictions you can place on the authorized_keys file but that's essentially what you want.

For more information see "AUTHORIZED_KEYS FILE FORMAT" of the authorized_keys man page.

SAM

Last edited by sag47; 01-31-2013 at 01:02 PM.
 
Old 01-31-2013, 06:10 PM   #3
zagzagel
Thanks a lot, that should cover my needs! Never even thought the ~/.ssh/authorized_keys could have extra info on it. A bit bothersome to create a key-pair just for this, but on the other hand it's a one-time setup.
There's no tunneling like the post title suggests, but problem solved anyways.
You, sir, just gave me a lot more power with ssh! Thank you very much!

EDIT: I thought scp would use an underlying ssh, but apparently if I scp -i key it just hangs, so I assume it's doing the ssh command in the authorized_keys file. Probably the same for sshfs, so this doesn't have the effect I was expecting at first. What's the solution/workaround?
EDIT2: Maybe I can work something out with the SSH_ORIGINAL_COMMAND variable.
EDIT3: Yes, that's the trick; everything is working great now. Thanks!

Last edited by zagzagel; 01-31-2013 at 06:43 PM.
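
The SSH_ORIGINAL_COMMAND approach mentioned in the last post, sketched as a forced-command wrapper for servera. This is an added example, not code from the thread: the script name `relay.sh`, its install path and the `RELAY_*` variables are assumptions, and the allowlist goes beyond the plain pass-through the thread describes by relaying only interactive logins and legacy-protocol scp transfers.

```shell
#!/bin/sh
# relay.sh (hypothetical name): forced command on servera, installed as
#   command="/home/user2/bin/relay.sh" ssh-rsa AAAA... (path is an assumption)
# Key path and target are the ones used in the thread; override for testing.
RELAY_KEY="${RELAY_KEY:-/home/user2/.ssh/id_serverb}"
RELAY_TARGET="${RELAY_TARGET:-user3@serverb}"

# Classify the client's request: prints shell, exec or deny.
relay_policy() {
    cmd=$1
    if [ -z "$cmd" ]; then
        # Plain `ssh`: interactive login, unless this key is copy-only.
        if [ "${RELAY_ALLOW_SHELL:-1}" = 1 ]; then echo shell; else echo deny; fi
        return 0
    fi
    case "$cmd" in
        # Anything outside a conservative character set is refused, so the
        # string cannot carry ; | & $ quotes or newlines to serverb's shell.
        *[!A-Za-z0-9\ ._/=:@%+,-]*) echo deny ;;
        # Legacy scp protocol: sink (-t) and source (-f) modes only.
        "scp -t "*|"scp -f "*|"scp -"*" -t "*|"scp -"*" -f "*) echo exec ;;
        *) echo deny ;;
    esac
}

relay_main() {
    case "$(relay_policy "${SSH_ORIGINAL_COMMAND:-}")" in
        shell) exec ssh -i "$RELAY_KEY" "$RELAY_TARGET" ;;
        # Passed as one argument; serverb's shell parses it as it would have
        # if the client had connected directly.
        exec)  exec ssh -i "$RELAY_KEY" "$RELAY_TARGET" "$SSH_ORIGINAL_COMMAND" ;;
        *)     echo "relay: request refused" >&2; return 1 ;;
    esac
}

# Run only when invoked as the installed script, not when sourced for tests.
case "$0" in
    */relay.sh) relay_main ;;
esac
```

Setting `RELAY_ALLOW_SHELL=0` in the script turns the key into a copy-only credential. OpenSSH 9.0 and later scp clients use SFTP by default, so they need `scp -O` to send the legacy `scp -t`/`scp -f` commands this wrapper recognises.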
 
  

