LinuxQuestions.org
Old 07-12-2012, 12:21 AM   #1
telemeister
Member
 
Registered: Dec 2007
Location: Brisbane Australia
Distribution: Slackware
Posts: 63

Rep: Reputation: 16
SSH config: ProxyCommand for multi-hop ssh


I am doing multi-hop ssh using keys. I am doing an ssh to server2, via server1.
From the command line the following works well:

Code:
 ssh -t www.server1.com  ssh -t www.server2.com
This takes me straight through to server2 without any passwords as expected.

I would like to do the same thing but using the .ssh/config file.
The relevant parts of my config file are:

Code:
Host server1
  HostName www.server1.com
  User steve

Host server2
  HostName www.server2.com
  ProxyCommand ssh steve@www.server1.com nc %h %p
  User steve
Now when I try from the command line:
Code:
ssh server1
This takes me onto server1 without passwords
Code:
ssh server2
This takes me to server2. However it is asking me for a password on server2.


Appreciate any clarification as to the correct form of the ProxyCommand (or other switches
in the config file) that will enable the multi-hop ssh to server2, using keys.
 
Old 07-12-2012, 12:40 AM   #2
micxz
Senior Member
 
Registered: Sep 2002
Location: CA
Distribution: openSuSE, Cent OS, Slackware
Posts: 1,131

Rep: Reputation: 75
I think you are getting straight to server2 then getting asked for a pass to get on server1. Keys may not be set up, hence the password. Maybe the line should read:
Code:
Host server2
  HostName www.server1.com
  ProxyCommand ssh steve@www.server2.com nc %h %p
  User steve
 
Old 07-12-2012, 12:49 AM   #3
micxz
Senior Member
 
Registered: Sep 2002
Location: CA
Distribution: openSuSE, Cent OS, Slackware
Posts: 1,131

Rep: Reputation: 75
or...
Code:
Host server1
  HostName www.server1.com

Host server2
  ProxyCommand ssh -q server1 nc -q0 www.server2.com %p
 
Old 07-12-2012, 12:52 AM   #4
telemeister
Member
 
Registered: Dec 2007
Location: Brisbane Australia
Distribution: Slackware
Posts: 63

Original Poster
Rep: Reputation: 16
Quote:
Originally Posted by micxz View Post
I think you are getting straight to server2 then getting asked for a pass to get on server1. Keys may not be set up, hence the password. Maybe the line should read:
Code:
Host server2
  HostName www.server1.com
  ProxyCommand ssh steve@www.server2.com nc %h %p
  User steve
Thanks for the rapid reply..
I tried reversing the servers in the config file as you suggested, but it seems to hang.

I think the keys are OK between all three machines. I can manually ssh without any passwords. Only fails when I use the config file.
Anyway - thanks again for the suggestion.
 
Old 07-12-2012, 12:57 AM   #5
micxz
Senior Member
 
Registered: Sep 2002
Location: CA
Distribution: openSuSE, Cent OS, Slackware
Posts: 1,131

Rep: Reputation: 75
May have posted incorrectly on the first one; try the "or..." post.
 
Old 07-12-2012, 01:30 AM   #6
telemeister
Member
 
Registered: Dec 2007
Location: Brisbane Australia
Distribution: Slackware
Posts: 63

Original Poster
Rep: Reputation: 16
Quote:
Originally Posted by micxz View Post
May have posted incorrectly on the first one; try the "or..." post.

1. I tried your suggestion of putting the server2 url in the ProxyCommand. I think that might be the same as %h, which substitutes Hostname.
Anyway it does the same as before, except it is now explicitly telling me it is server2 that wants the password. (I get the following prompt)

Code:
steve@server2's password:

2. Re your suggestion of -q0 option in the ProxyCommand: I'm getting

Code:
nc: invalid option -- 'q'
I believe this is coming from the intermediate server (server1)

I've done some checking and server1 is running Fedora, which apparently has a version of netcat which does not support the -q option.
Do you think this -q option is critical to the process?



Thanks again for suggestions.
 
Old 07-12-2012, 02:02 AM   #7
micxz
Senior Member
 
Registered: Sep 2002
Location: CA
Distribution: openSuSE, Cent OS, Slackware
Posts: 1,131

Rep: Reputation: 75
The q was just for suppressing errors; I don't think it makes a difference in what you're trying to do. Does it still fail without the q flags?
 
Old 07-12-2012, 02:15 AM   #8
telemeister
Member
 
Registered: Dec 2007
Location: Brisbane Australia
Distribution: Slackware
Posts: 63

Original Poster
Rep: Reputation: 16
Quote:
Originally Posted by micxz View Post
The q was just for suppressing errors; I don't think it makes a difference in what you're trying to do. Does it still fail without the q flags?
Without the -q option it 'works', i.e. it does take me through to server2, but server2 still wants a password, same as before.
 
Old 07-12-2012, 02:35 AM   #9
telemeister
Member
 
Registered: Dec 2007
Location: Brisbane Australia
Distribution: Slackware
Posts: 63

Original Poster
Rep: Reputation: 16
SOLVED: I am going from CLIENT > SERVER1 > SERVER2

When I do it manually ...

Code:
 ssh -t www.server1.com  ssh -t www.server2.com
SERVER2 does not need to know the 'authorised key' for the CLIENT. (i.e. SERVER1 needs to know CLIENT, and SERVER2 needs to know SERVER1)


It seems that when I do it using the .ssh/config file, SERVER2 does need to know the authorised key for the CLIENT as well.

I inserted the key from CLIENT into the authorised keys file on SERVER2 and now everything works transparently.

Thanks to micxz for help and suggestions which stimulated the solution.
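
The check behind the solution above, as an added example that is not part of the original thread: it tests whether the CLIENT public key is listed in a copy of SERVER2's authorized_keys, tolerating option prefixes and differing comments. The function names `key_blob` and `key_authorized` are hypothetical, and the sample keys are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. With ProxyCommand, server1 only relays
# bytes (nc); the ssh client on CLIENT authenticates to server2 itself, so
# server2's authorized_keys must list the CLIENT key.

# key_blob LINE: print "keytype base64" from a public-key or authorized_keys
# line, skipping a leading options field and the trailing comment.
# Limitation: a quoted option value that itself contains a key-type word
# followed by a space is not handled.
key_blob() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i < NF; i++)
            if ($i ~ /^(sk-)?(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp[0-9]+)(@openssh\.com)?$/) {
                print $i, $(i + 1); exit
            }
    }'
}

# key_authorized PUBKEY_FILE AUTHORIZED_KEYS_FILE
# Returns 0 if the key is listed, 1 if not, 2 if PUBKEY_FILE has no key.
key_authorized() {
    want=$(key_blob "$(head -n 1 "$1")")
    [ -n "$want" ] || return 2
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|'#'*) continue ;; esac
        [ "$(key_blob "$line")" = "$want" ] && return 0
    done < "$2"
    return 1
}

# Constructed sample data: placeholder blobs, not real keys.
d=$(mktemp -d)
echo 'ssh-ed25519 AAAAC3CONSTRUCTEDclient steve@client' > "$d/client.pub"
# server2 before the fix: only steve@server1 is authorised.
echo 'ssh-ed25519 AAAAC3CONSTRUCTEDserver1 steve@server1' > "$d/before"
# server2 after the fix: CLIENT key added (here with restricting options).
{ cat "$d/before"
  echo 'no-agent-forwarding,no-X11-forwarding ssh-ed25519 AAAAC3CONSTRUCTEDclient steve@client'
} > "$d/after"

for f in before after; do
    if key_authorized "$d/client.pub" "$d/$f"; then
        echo "$f: CLIENT key listed; key login through the ProxyCommand tunnel can succeed"
    else
        echo "$f: CLIENT key missing; key login through the tunnel fails"
    fi
done
rm -rf "$d"
```

The manual `ssh -t ... ssh -t ...` chain does not need this entry because the second hop is started on server1 and authenticates with server1's key.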
 
  

