SSH through jump hosts, revisited
Close to 7 years ago, I wrote about SSH through jump hosts. Twice. While the method used back then still works, OpenSSH grew a new option in version 5.4, -W, that allows the setup to be simplified a bit: the client opens the forwarded connection itself, so nc is no longer needed on the jump host.
So here is an updated rule, version 2016:
Host *+*
    ProxyCommand ssh -W $(echo %h | sed 's/^.*+//;s/^\([^:]*$\)/\1:22/') $(echo %h | sed 's/+[^+]*$//;s/\([^+%%]*\)%%\([^+]*\)$/\2 -l \1/;s/:\([^:+]*\)$/ -p \1/')
The syntax you can use to connect through jump hosts hasn't changed compared to previous blog posts:
- With one jump host:
$ ssh login1%host1:port1+host2:port2 -l login2
- With two jump hosts:
$ ssh login1%host1:port1+login2%host2:port2+host3:port3 -l login3
- With three jump hosts:
$ ssh login1%host1:port1+login2%host2:port2+login3%host3:port3+host4:port4 -l login4
- etc.
Logins and ports can be omitted: a missing port on the final host becomes 22 in the -W argument, and a missing port on a jump host simply leaves out -p, so ssh's default applies. Note that the whole login%host:port+... string is what ssh sees as the hostname of the final host, so that is also what it records in known_hosts; set HostKeyAlias if you want one known_hosts entry per real host.
Update: added the missing default port to the -W argument when one is not given.
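To see what the ProxyCommand above actually executes, here is the same pair of sed pipelines wrapped in shell functions and run over a few constructed host strings. This is an added example, not part of the original post: the functions and the made-up host and login names are mine, and the %% of the ssh_config line becomes a single % here, since %% is only how ssh_config escapes a literal percent sign. The ":22" rule is written with the $ outside the group, which is equivalent and portable to non-GNU sed.

```shell
#!/bin/sh
# Added example (not from the original post): the parsing done by the two
# sed pipelines of the ProxyCommand, as functions that can be checked
# without running ssh.  Input is the %h string ssh hands the ProxyCommand.

# Final hop: everything after the last '+', with ':22' appended when no
# port is given (this is what the post's "Update" fixed).
jump_target() {
    printf '%s\n' "$1" | sed 's/^.*+//;s/^\([^:]*\)$/\1:22/'
}

# Jump host(s): everything before the last '+', with the trailing
# 'login%host:port' rewritten to 'host -p port -l login'.  Any earlier
# hops are left in place, so the inner ssh matches 'Host *+*' again and
# the ProxyCommand recurses one hop at a time.
jump_via() {
    printf '%s\n' "$1" | sed 's/+[^+]*$//;s/\([^+%]*\)%\([^+]*\)$/\2 -l \1/;s/:\([^:+]*\)$/ -p \1/'
}

# The full command line the ProxyCommand expands to.
proxy_command() {
    printf 'ssh -W %s %s\n' "$(jump_target "$1")" "$(jump_via "$1")"
}

# Constructed sample inputs (host and login names are made up).
proxy_command 'login1%host1:port1+host2:port2'
# → ssh -W host2:port2 host1 -p port1 -l login1
proxy_command 'host1+host2'
# → ssh -W host2:22 host1
proxy_command 'login1%host1:port1+login2%host2:port2+host3:port3'
# → ssh -W host3:port3 login1%host1:port1+host2 -p port2 -l login2
```

The third case shows the recursion: the inner ssh is pointed at login1%host1:port1+host2, which again contains a '+', so the same ProxyCommand fires once more and connects to host1 first.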
2016-02-08 00:26:53+0900
2016-02-08 03:06:02+0900
You might like:
https://wiki.mozilla.org/Security/Guidelines/OpenSSH#Safer_alternative_to_SSH_agent_forwarding
or want to add your method to it.
2016-02-08 05:43:33+0900
It might be a pain to change the host1, if this is needed for more than a few hosts.
SSH can by itself combine ProxyCommands:
Host Host1
    Hostname DirectIP
Host Host2
    ProxyCommand ssh -W %h:%p Host1
Host Host3
    ProxyCommand ssh -W %h:%p Host2
This makes it more maintainable.
See some examples here (yes, I know netcat shouldn't be used anymore, but the setup is what matters):
http://sshmenu.sourceforge.net/articles/transparent-mulithop.html
2016-02-08 11:08:06+0900
Omitting ports doesn’t seem to work, I did “ssh host1+host2” and ssh said Bad stdio forwarding specification ‘host2’.
2016-02-08 12:02:46+0900
What's wrong with -A?
2016-02-09 00:13:26+0900
Dirk: The configuration proposed in my post is more useful for one-offs.
Tomáš: Fixed, thanks.
Ludovic: -A gives access to your agent to the jump host. Do you trust the jump host not to use it?