Setting up ssh config file with id_rsa through tunnel
Solution 1:
METHOD 1 (use ssh-key on inter)
If you want to retain the authentication flow
local -- authenticate --> inter -- authenticate (ask password) --> final
This cannot be done with .ssh/config proxyhost.
What you need is bash shell alias (I hope you are using bash).
In ~/.bashrc, add following line
alias ssh-final='ssh -t inter ssh [email protected]'
In command prompt, just type following
ssh-final
final section in ~/.ssh/config is not used.
Connection Details(1)
ssh -t inter ssh [email protected] can be view as follow
local# ssh inter
inter# ssh [email protected]
local is only "talking" to inter. There is no direct or indirect ssh connection between local and final. local is just displaying the output of ssh [email protected].
METHOD 2 (use ssh-key on local)
Authentication with same ssh-key
Host inter
User user1
HostName inter.example.com
Host final
User user2
Hostname <final.com / final IP Address>
Port 22
ForwardAgent yes
ProxyCommand ssh inter nc %h %p
Copy local ~/.ssh/id_ras.pub to
/home/user1/.ssh/authorized_keys in `inter`
/home/user2/.ssh/authorized_keys in `final`
Connection Details(2)
ssh tunneling
Before we go into detail of ProxyCommand, lets look at the following example
Step 1, on terminal window 1
local# ssh inter -L 2000:final.com:22
Step 2, on terminal window 2
local# ssh localhost -p 2000
In terminal 1, a tunnel is setup between local port 2000 and final.com port 22. Anything sent to local port 2000 will be forward to final.com port 22 and vice versa.
In terminal 2, ssh connect to local port 2000, but actually is communicating with final.com port 22, which is the sshd.
With tunneling, local ssh client in Step 2 is connected with final.com sshd directly.
The "output" of local port 2000, is "raw" ssh daemon traffic.
Common usage of such tunnel is to access internal web server or email server. Following is example for web server
local# ssh inter -L 2000:final.com:80
In the browser use following URL
http://localhost:2000
The two end points of the tunnel are local port 2000, and final.com port 80.
Traffic coming in and out of tunnel end point "AS IS". Lets call that "raw" traffic.
ProxyCommand
Host final
User user2
Hostname <final.com / final IP Address>
Port 22
ForwardAgent yes
ProxyCommand ssh inter nc %h %p
The ProxyCommand take it one step further. It skip the step of creating a local port and connect to it.
A ssh client will execute what ever command given behind ProxyCommand, and treat the output of that command as "raw" traffic. It is holding onto the local end point, and then start a ssh connection with it.
Why one work the other does not?
The following command
ssh inter nc final.com 22
basically means (1) connect to inter, then (2) on inter, run command nc final.com 22.
nc - arbitrary TCP and UDP connections and listens
So nc final.com 22 will connect to final.com port 22, print out all incoming traffic to stdout, and send all stdin to the other side. It is a "tunnel" between nc stdin/out and final.com port 22.
Since nc is ran within the ssh session, all its stdout is passes back to the ssh client, as "raw" traffic. And the ssh client can pass traffic into nc stdin, which will end up at final.com port 22.
Through the above "tunnel", local ssh client will start a ssh session with final.com directly.
The following command
ssh -t inter ssh [email protected]
does not work with ProxyCommand because the out of it is not "raw" traffic from a ssh daemon. It is the stdout of a ssh client. Client talk to client means no business.
Authentication with different ssh-key (OP original config)
Host inter
User user1
HostName inter.com
IdentityFile ~/.ssh/id_rsa
Host final
User user2
HostName final.com
IdentityFile ~/.ssh/id_rsa_2
ProxyCommand ssh inter nc %h %p
Copy local ~/.ssh/id_ras.pub to
/home/user1/.ssh/authorized_keys in `inter`
Copy local ~/.ssh/id_ras_2.pub to
/home/user2/.ssh/authorized_keys in `final`
Both of the above will enable the following usage
local# ssh final
Additional Checking
Use verbose
local# ssh -v final
That should help identifying ssh problem.
Check nc
ProxcyCommand is executing nc on inter. Check if nc is actually available on inter.
local# ssh inter
inter# nc final.com 22
Check rsa key is setup properly
If different keys are to be used for inter and final, following files should exist in local machine
local# ls ~/.ssh
id_rsa id_rsa_2 id_rsa.pub id_rsa_2.pub
Since you can ssh to inter already, check key setup on final. From your local machine
local# ssh -t inter ssh user2@final
final# cat .ssh/authorized_keys
You should see content of id_rsa_2.pub there.
Solution 2:
I didn't see any actually errors listed or ssh -v statements which would help see where it's hanging up.
Hey man you have it almost right--- the best and most secure way is to have both keys on the local machine. You would then use ssh-agent forwarding to connect rather than leaving keys at intermediate steps. You also have the advantage of needing to type your key passphrase only once per logon.
If you have a modern/userfriendly OS like ubuntu (on your local machine) this should work no problem without any *massaging*. I left off the identity file intentionally, you will not need it.
Your config file would look like this:
Host inter
User user1
ForwardAgent yes
HostName inter.com
Host final
ForwardAgent yes
User user2
HostName final.com
ProxyCommand ssh inter nc %h %p
If it doesn't, then run through these steps to make sure you ssh-agent is running:
'ssh-add -l' (lower case L) will list your private keys if any are loaded, or will be blank, or will say can’t connect to ssh-agent, if so, start ssh-agent.
'eval `ssh-agent`' (those are backticks) starts ssh agent
'ssh-add' will add your key… you can add a path argument if you have a key in a non-default area. At this point you will enter your passphrase.
There is a nice guide explaining how this works, here.