How to configure SSH to connect to a host via proxy using one SSH key

I have a network topology like this:

Laptop -> Bastion -> Destination

Bastion and Destination are EC2 instances using the same SSH key for SSH access. However, Destination cannot be accessed from the Internet. Its IP address is visible only to Bastion.

I am able to connect to the Bastion and use agent forwarding to pass the SSH key over and then connect separately from the Bastion to the Destination server. However, I'd like to configure my .ssh/config file in such a way that I can SSH to the Destination server using one command from the laptop. My current .ssh/config file looks like this:

Host Bastion
  Hostname <redacted>
  IdentityFile ~/.ssh/mykey.pem

Host Destination
  Hostname <redacted>
  User ubuntu
  ProxyCommand ssh -A bastion-dev -W %h:%p

But when I run

ssh -A ubuntu@Destination

SSH responds with:

Permission denied (publickey).
ssh_exchange_identification: Connection closed by remote host

How do I correctly pass the SSH key from my local to the Bastion server without having to store it on the server? Can I configure all this via .ssh/config file so that I can log into the Destination server with a single command?


Solution 1:

Debug with one or more ssh -v flags from the client and check the logs on the relevant server to see where the problem is.

All too frequently I have different keys for different customers, sites and projects, and I run into a MaxAuthTries setting of the remote ssh server when ssh-agent is still trying every potential key and hasn't reached the correct one yet. Check your server logs for that.

Also typically the username on my workstation won't match the one that gets assigned on either Bastion or Destination, so I prefer to set all settings explicitly in my configs. That way I won't need to use any command-line flags and can simply type ssh Destination and be done with it.

Host Bastion
    Hostname bastion.example.com
    User hbruijn-adm
    ForwardAgent yes
    AddKeysToAgent yes
    # UseKeychain is specific to OS X
    UseKeychain yes
    IdentityFile ~/.ssh/id_rsa.bastion

Host Destination
    Hostname destination.example.com
    User ubuntu
    ForwardAgent yes
    AddKeysToAgent yes
    # UseKeychain is specific to OS X
    UseKeychain yes
    IdentityFile ~/.ssh/id_rsa.destination
    ProxyJump Bastion

ProxyJump is a relatively new setting that I find somewhat more intuitive to use than a ProxyCommand.
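Added example, not code from the question or the answer above: a small Python linter for a client ssh_config that catches the kind of jump-chain mistakes discussed here. It flags a ProxyJump or ProxyCommand hop that names an alias with no matching Host stanza (as with "Host Bastion" versus "ssh ... bastion-dev" in the question, where ssh silently falls back to DNS with the default user and key), and it flags agent forwarding that a ProxyJump setup does not need: with ProxyJump the bastion only relays a TCP connection and the Destination key is offered from the laptop's own agent, so the private key and the agent never have to be exposed to the bastion. The two sample configs are constructed reproductions of the ones on this page with placeholder hostnames; the parser is deliberately simplified (no Include, Match or quoted Host patterns).

```python
"""Lint a client ssh_config for jump-host chain mistakes (added example)."""
import re
import shlex

# ssh(1) single-letter flags that consume the following argv token
_SSH_FLAGS_WITH_ARG = set("bBcDeEFiIJlLmoOpQRSwW")

# Constructed sample: the question's config, hostnames replaced by placeholders.
QUESTION_CONFIG = """
Host Bastion
  Hostname bastion.example.invalid
  IdentityFile ~/.ssh/mykey.pem

Host Destination
  Hostname 10.0.1.20
  User ubuntu
  ProxyCommand ssh -A bastion-dev -W %h:%p
"""

# Constructed sample: the answer's ProxyJump config (macOS-only lines omitted).
ANSWER_CONFIG = """
Host Bastion
    Hostname bastion.example.com
    User hbruijn-adm
    ForwardAgent yes
    IdentityFile ~/.ssh/id_rsa.bastion

Host Destination
    Hostname destination.example.com
    User ubuntu
    ForwardAgent yes
    IdentityFile ~/.ssh/id_rsa.destination
    ProxyJump Bastion
"""


def parse_ssh_config(text):
    """Return [(host_pattern, {keyword: value})] with keywords lower-cased.

    Blank lines and '#' lines are skipped. Like ssh, the first value seen for a
    keyword inside a stanza wins. Options before any Host line go under '*'.
    """
    stanzas, pattern, current = [], "*", {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)   # "Key value" or "Key=value"
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "host":
            if current or pattern != "*":
                stanzas.append((pattern, current))
            pattern, current = value, {}
        else:
            current.setdefault(key, value)
    if current or pattern != "*":
        stanzas.append((pattern, current))
    return stanzas


def proxy_argv(options):
    """argv of the stanza's ProxyCommand, or [] when unset or 'none'."""
    cmd = options.get("proxycommand", "")
    return shlex.split(cmd) if cmd and cmd.lower() != "none" else []


def jump_hosts(options):
    """Aliases/names this stanza hops through, from ProxyJump or an ssh ProxyCommand."""
    hosts = []
    pj = options.get("proxyjump", "")
    if pj and pj.lower() != "none":
        for hop in pj.split(","):
            hop = hop.strip().rsplit("@", 1)[-1]      # drop user@
            hosts.append(hop.split(":", 1)[0])        # drop :port
    argv = proxy_argv(options)
    if argv and argv[0].rsplit("/", 1)[-1] == "ssh":
        i = 1
        while i < len(argv):
            tok = argv[i]
            if tok.startswith("-"):
                if len(tok) == 2 and tok[1] in _SSH_FLAGS_WITH_ARG:
                    i += 1                            # skip the flag's argument (e.g. -W %h:%p)
            else:
                hosts.append(tok.rsplit("@", 1)[-1])  # first non-flag token is the host
                break
            i += 1
    return hosts


def lint_ssh_config(text):
    """Return a list of findings as strings; an empty list means nothing to report."""
    stanzas = parse_ssh_config(text)
    # Host matching is case-insensitive; wildcard patterns cannot be jump targets
    defined = {n.lower() for p, _ in stanzas for n in p.split() if not any(c in n for c in "*?!")}
    findings = []
    for pattern, opts in stanzas:
        for hop in jump_hosts(opts):
            if hop.lower() not in defined and "." not in hop:
                findings.append(f"Host {pattern}: jump host '{hop}' has no Host stanza; "
                                "ssh will treat it as a DNS name with the default user and key")
        if opts.get("forwardagent", "no").lower() == "yes" and "proxyjump" in opts:
            findings.append(f"Host {pattern}: ForwardAgent yes is unnecessary with ProxyJump "
                            "and exposes the local agent to the jump host")
        argv = proxy_argv(opts)
        if "-A" in argv and "-W" in argv:
            findings.append(f"Host {pattern}: -A in an 'ssh -W' ProxyCommand has no effect "
                            "(no session channel is opened) and the destination key is used locally anyway")
    return findings


if __name__ == "__main__":
    for name, cfg in (("question", QUESTION_CONFIG), ("answer", ANSWER_CONFIG)):
        print(f"== {name} config ==")
        for finding in lint_ssh_config(cfg) or ["no findings"]:
            print(" -", finding)
```

Run it against your own ~/.ssh/config by passing the file contents to lint_ssh_config; the question's config produces two findings (the undefined bastion-dev alias and the pointless -A), the answer's produces one (ForwardAgent on the ProxyJump stanza).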