Feb 11

multi-hop ssh

Category: Tech-y

At work I routinely have to ssh from host A to host B and then to host C.  It is not possible to establish a direct link from A to C, so I’ve been manually establishing a connection from one to the other, which is annoying.  Today I finally got around to setting up a better solution, which depends on having a unix-like system on all nodes. Host A is running Windows with cygwin, and hosts B and C are running Mac OS and Linux. Another assumption is that you have the same user name on all nodes, although there are ways to get around it if you don’t.

1) Add these lines to ~/.ssh/config (which you may have to create).

Host hostC.domain.edu hostC
        ProxyCommand ssh hostB -W %h:%p

Now, when I type “ssh hostC” on my PC, it hops through hostB and logs into hostC automatically with no further typing.

What is happening is that when you ssh to hostC, ssh substitutes another command for /bin/sh on hostB (which is normally executed by default), and forwards stdin and stdout to this new command (that’s what the -W is for), which is an ssh to the target host (hostC). The effect is to hop through hostB. Because I’ve set up keys without pass phrases on all machines, no password is required. If you don’t have keys set up, it will still work, but will ask for passwords.

If you want to use pass phrases, you can use ssh-agent on hostA and hostB, which will ask only once and then store the keys in memory until the next reset of ssh-agent (probably a reboot).

If you have a different user name on hostB, simply specify it like this:

Host hostC.domain.edu hostC
        ProxyCommand ssh user@hostB -W %h:%p
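To see exactly which command ssh ends up running locally for the hop, here is an added example (not from the original post) that parses a small subset of ssh_config, matches Host patterns the way ssh does and expands the %h, %p and %r tokens in ProxyCommand. The sample config, the hostB.domain.edu name and Port 2222 for hostB are constructed for the demonstration.

```python
import re
from fnmatch import fnmatch

# Constructed sample in the shape used in the post (names and Port are made up).
SAMPLE_CONFIG = """
Host hostC.domain.edu hostC
        ProxyCommand ssh user@hostB -W %h:%p

Host hostB
        HostName hostB.domain.edu
        Port 2222
"""

def parse_config(text):
    """Return [(patterns, {keyword: value}), ...] in file order."""
    blocks = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # 'Key value' or 'Key=value'
        key, value = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        if key == "host":
            blocks.append((value.split(), {}))
        elif blocks:
            blocks[-1][1].setdefault(key, value)  # first occurrence in a block wins, as in ssh
    return blocks

def effective_options(blocks, alias):
    """Merge options for alias; across blocks, too, the first value set wins."""
    opts = {}
    for patterns, options in blocks:
        # ssh Host patterns use * and ?; fnmatch covers those (negated '!' patterns not handled).
        if any(fnmatch(alias, p) for p in patterns):
            for key, value in options.items():
                opts.setdefault(key, value)
    return opts

def proxy_command(config_text, alias, local_user="me"):
    """Return the ProxyCommand ssh would run locally for alias, or None if none is set."""
    opts = effective_options(parse_config(config_text), alias)
    cmd = opts.get("proxycommand")
    if cmd is None:
        return None
    # %h -> HostName if set (else the alias typed), %p -> Port, %r -> remote user name.
    tokens = {"%h": opts.get("hostname", alias), "%p": opts.get("port", "22"),
              "%r": opts.get("user", local_user)}
    return re.sub(r"%[hpr]", lambda m: tokens[m.group(0)], cmd)
```

Running `proxy_command(SAMPLE_CONFIG, "hostC")` yields `ssh user@hostB -W hostC:22`, which is the command started on hostA; listing both the short and fully qualified names on the Host line is what makes either spelling pick up the proxy.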

You can create as many of these special entries in your config file as you wish, each specifying special rules for creating connections to your unique networks. Isn’t ssh cool?

When I started figuring out how to do this, I thought of it as “tunneling,” but technically that’s probably not correct; that name is given to using ssh for encrypted port forwarding.  Nevertheless, you can think of it as a tunnel, allowing you to ssh from one machine to another using an intermediate machine, all without your intervention.
