SSH-ing across multiple boxes

August 22, 2012

Some environments require you to hop across one or more “bastion” hosts whose job is to keep anyone unauthorized from reaching internal networks. This is generally a pain, but I ran across a useful workaround that makes it look like you are ssh-ing directly to the destination box, so that scp, rsync over ssh, and similar tools all work without any extra fiddling.

In your .ssh/config file, the usual advice is to turn on agent forwarding for everything:

    Host *
        ForwardAgent yes

With the ProxyCommand setup below, though, that is not what makes one key work on both hops. The local ssh client authenticates to the bastion for the proxy connection and then, inside that tunnel, authenticates end to end to the destination, so both hops read the key from your local agent and nothing has to be forwarded. Forwarding the agent only gives anyone with root on the bastion the ability to sign with your keys for as long as your session lasts, so leave ForwardAgent at its default of no unless something on the far side genuinely needs it, and then enable it for that one host rather than for Host *.

Either way, add your key to the ssh-agent with ssh-add so you are not prompted for the passphrase on every hop:

    ssh-add ~/.ssh/id_dsa

(DSA keys were common in 2012; OpenSSH has refused ssh-dss keys by default since 7.0, so on a current system use an ed25519 or RSA key instead.)
Then you can add an entry for your destination server:

    Host destination.server.com
        User plock
        ProxyCommand ssh bastion.host.com bin/netcat destination.server.com %p 2> /dev/null

(%p expands to the destination port; %h expands to the destination hostname and can stand in for the literal name.)

The ProxyCommand directive tells your local ssh client to talk to the stdin and stdout of that command instead of opening a TCP socket itself. Here the command is an ssh session to the bastion that runs netcat there, and netcat connects its own stdin and stdout to the destination server's ssh port. The result is an end-to-end SSH connection from your machine to the destination, carried inside the SSH session to the bastion: host key checking, authentication and encryption happen with the destination itself, the bastion only relays the inner encrypted stream, and all other ssh features (additional .ssh/config options, command line arguments, scp, rsync -e ssh) work normally. The 2> /dev/null only hides the bastion hop's error output; drop it while debugging a connection that fails silently.

You can even chain two together:

    Host ssh.bastion2.com
        User plock
        ProxyCommand ssh ssh.bastion1.com bin/netcat ssh.bastion2.com %p 2> /dev/null

    Host destination.server.com
        User plock
        ProxyCommand ssh ssh.bastion2.com /usr/bin/nc destination.server.com %p 2> /dev/null