-   Linux - Networking (
-   -   SSH Tunnelling with different users (

zagzagel 01-31-2013 11:58 AM

SSH Tunnelling with different users

I have 2 machines ('a' and 'b'), and I want to connect to a server as user 'x' which only has the ssh key (public) of machine 'a'.

Now, if I'm 'user_a' in host 'a', in order to connect to the server I

ssh x@server
If I'm user 'user_b' in host 'b', I have to

$ ssh user_a@a
$ ssh x@server

Note that this works. No hangs, no fails. So I wanted to make a tunnel.

I tried tunneling before, and it worked, but this doesn't work as I expected

$ ssh -f -N -L port:server:22 user_a@a #create tunnel
$ ssh x@localhost:50000 #hangs so ctrl^c
$ ssh localhost:50000 #also hangs

I cannot mess with the server at all, and I don't want to create a user at machines 'a' and 'b' just to login to server.
Google wasn't a good teacher at this one. Everything I found was for the same user.

What can I do to accomplish my task (if anything)?
I just want to avoid typing 2 calls to ssh, no tunnel is actually necessary. But obviously I don't want to automatically ssh to 'server' everytime I ssh to 'a'.

sag47 01-31-2013 12:55 PM

In the ~/.ssh/authorized_keys file you can specify commands and restrictions (or in your case just an ssh command). The -i option of ssh allows you to specify which private key to use. In the following example I'll specify three machines: mycomputer, servera, serverb. Here's how you would set that up.

On mycomputer

#when you run the ssh-keygen command be sure to give a custom key name such as /home/user/.ssh/id_servera
#now copy your key to servera
ssh-copy-id -i ~/.ssh/id_servera user2@servera

On servera, generate a key for serverb and edit the authorized_keys to specify a restricted command to execute when connected with the servera key from mycomputer.

#be sure to specify a custom name for the key: /home/user2/.ssh/id_serverb
#copy the key to serverb
ssh-copy-id -i ~/.ssh/id_serverb user3@serverb

Modifying the ~/.ssh/authorized_keys file on servera to look like the following.

from="mycomputer",command="/usr/bin/ssh -i /home/user2/.ssh/id_serverb user3@serverb" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC3Sm/nKO3MFyKfDxrPMZxQo4rNCpAPivVLNwB01hKeKtpTyoyhXNyZ9R1qml4iGLxrA0FtMy1WZIefqJ3fI9YemRVZDcUTud9kn6uNEMM0I0ZqOGZH0ILRafHMFlgjGU5TbReuJs9Gk2aOdLME8h3/N843Z0uNmncBLWEBDBwnWuJQx2RaLxjTMqheFm3Fn5FXfbmFYBAMj+ZuPXLXGgKZGvT6n0o0JmXryur94LZSJeNREhTTZlWs2fpZw6l8kVa14Ppqvz+x9NhQ07312VKfyi2hsxDNzGJwXEffnb/ir8q+CIj1vzRE8RnOm3FgRONxyyglcUEu8Y209ShXUAfV
You can remove the from="mycomputer" from authorized keys but I specify it in my case because I have a static IP.

So now that we have everything set up you can get to serverb from mycomputer with a single command.

ssh -i ~/.ssh/id_servera user2@servera

#optionally create an alias
alias serverbpassthrough="ssh -i ~/.ssh/id_servera user2@servera"

In a nutshell that should do exactly what you want. There's other options and more restrictions you can place on the authorized_keys file but that's essentially what you want.

For more information see "AUTHORIZED_KEYS FILE FORMAT" of the authorized_keys man page.


zagzagel 01-31-2013 06:10 PM

Thanks alot :D that should cover my needs! Never even thought the ~/.ssh/authorized_keys could have extra info on it. A bit bothersome to create a key-pair just for this, but on the other hand it's a one-time setup.
There's no tunneling like the post title sugests, but problem solved anyways.
You, sir, just gave me alot more power with ssh! Thank you very much!

EDIT: I thought scp would use an underlying ssh, but apparently if I scp -i key it just hangs, so I assume it's doing the ssh command in the authorized_keys file. Probably the same for sshfs, so this doesn't have the effect I was expecting at first :( What's the solution/workaround?
EDIT2: Maybe I can work something out with the SSH_ORIGINAL_COMMAND variable.
EDIT3: Yes, that's the trick :) everything is working great now. Thanks!

All times are GMT -5. The time now is 01:17 PM.