
I have a setup where I need to do 2 proxy jumps in order to connect to my server D. Effectively, from A, I need to connect to B, from which I need to connect to C (which only allows connections from B) from where I then can connect to D (which only accepts connections from C).

On B, using the ssh config, I can connect to D by simply typing ssh D, which is why I thought that I could use this config on A to connect to D:

Host B
    hostname 127.0.0.1
    user myUser
    Port 43099
    IdentityFile ~/.ssh/id_rsa

Host D
    hostname D
    ProxyJump B
  

and then connect from A to D via ssh D.

However, this is the error that I get from this:

debug1: Reading configuration data /home/MyUser/.ssh/config
debug1: /home/MyUser/.ssh/config line 17: Applying options for D
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Setting implicit ProxyCommand from ProxyJump: ssh -v -W '[%h]:%p' B
debug1: Authenticator provider $SSH_SK_PROVIDER did not resolve; disabling
debug1: Executing proxy command: exec ssh -v -W '[D]:22' B
debug1: Local version string SSH-2.0-OpenSSH_8.8
OpenSSH_8.8p1, OpenSSL 1.1.1m  14 Dec 2021
debug1: Reading configuration data /home/MyUser/.ssh/config
debug1: /home/MyUser/.ssh/config line 7: Applying options for B
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Authenticator provider $SSH_SK_PROVIDER did not resolve; disabling
debug1: Connecting to 127.0.0.1 [127.0.0.1] port 43023.
debug1: Connection established.
debug1: identity file /home/MyUser/.ssh/id_rsa type 0
debug1: identity file /home/MyUser/.ssh/id_rsa-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.8
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.6
debug1: compat_banner: match: OpenSSH_8.6 pat OpenSSH* compat 0x04000000
debug1: Authenticating to 127.0.0.1:43023 as 'MyUser'
debug1: load_hostkeys: fopen /home/MyUser/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ssh-ed25519
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: SSH2_MSG_KEX_ECDH_REPLY received
debug1: Server host key: ssh-ed25519 SHA256:to5+n56a6Zj+sbTnMghZGehX2OX5cn29HWbje55WJHU
debug1: load_hostkeys: fopen /home/MyUser/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: Host '[127.0.0.1]:43023' is known and matches the ED25519 host key.
debug1: Found key in /home/MyUser/.ssh/known_hosts:45
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 134217728 blocks
debug1: Will attempt key: /home/MyUser/.ssh/id_rsa RSA SHA256:d6hsPtnc6TWfm9j5lOClBzD4ylE+ww/tg9BE7qP8DlE explicit
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,sk-ssh-ed25519@openssh.com,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com,webauthn-sk-ecdsa-sha2-nistp256@openssh.com>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering public key: /home/MyUser/.ssh/id_rsa RSA SHA256:d6hsPtnc6TWfm9j5lOClBzD4ylE+ww/tg9BE7qP8DlE explicit
debug1: Server accepts key: /home/MyUser/.ssh/id_rsa RSA SHA256:d6hsPtnc6TWfm9j5lOClBzD4ylE+ww/tg9BE7qP8DlE explicit
Authenticated to 127.0.0.1 ([127.0.0.1]:43023) using "publickey".
debug1: channel_connect_stdio_fwd: D:22
debug1: channel 0: new [stdio-forward]
debug1: getpeername failed: Bad file descriptor
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: pledge: filesystem full
debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0
debug1: client_input_hostkeys: searching /home/MyUser/.ssh/known_hosts for [127.0.0.1]:43023 / (none)
debug1: client_input_hostkeys: searching /home/MyUser/.ssh/known_hosts2 for [127.0.0.1]:43023 / (none)
debug1: client_input_hostkeys: hostkeys file /home/MyUser/.ssh/known_hosts2 does not exist
debug1: client_input_hostkeys: host key found matching a different name/address, skipping UserKnownHostsFile update
debug1: Remote: /Users/Hendrik/.ssh/authorized_keys:3: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
debug1: Remote: /Users/Hendrik/.ssh/authorized_keys:3: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
channel 0: open failed: connect failed: nodename nor servname provided, or not known
stdio forwarding failed
kex_exchange_identification: Connection closed by remote host
Connection closed by UNKNOWN port 65535

It seems that the ssh config on B is not read at all.

My ssh config on B looks like this:


Host C
  HostName C
  User MyUser
  ForwardX11Trusted yes
  ForwardX11 yes

Host D
  User MyUser
  HostName D
  ProxyCommand ssh %r@C -W %h:22
  RemoteForward 26512 github.com:22
  Compression yes
  ForwardX11Trusted yes
  ForwardX11 yes
  DynamicForward 10080
  ControlMaster auto
  ControlPath ~/.ssh/masters/%C

Is there a way to edit the ssh config on A such that I can connect from A to D with ssh D?

Jimmy2027

  • "the ssh config on `B` is not read at all" – Read [this answer](https://superuser.com/a/1581104/432690). `-J`/`ProxyJump` is not equivalent to chaining `ssh`s. Do you want to strictly rely on the config you have on `B`? Or will you accept a config for `A` that is totally independent from the config on `B`? – Kamil Maciorowski Jan 04 '22 at 20:45
  • When using proxy jump, all ssh connections originate at the original client (`A` in this case), and the intermediate nodes are just tunnel endpoints. So in your case, all config (including private key files) needs to be on `A`, and would look something like `Host D` `ProxyJump C` and `Host C` `ProxyJump B`. – Gordon Davisson Jan 04 '22 at 21:05
  • ah of course that makes sense! Thanks a lot @KamilMaciorowski and @GordonDavisson, I managed to get it to work with `Host D` `ProxyJump C` and `Host C` `ProxyJump B` – Jimmy2027 Jan 05 '22 at 08:38
  • Maybe you can add your comment as an answer to make it more visible – Jimmy2027 Jan 05 '22 at 08:40

1 Answer

When using proxy jump, all ssh connections originate at the original client (A in this case), and the intermediate nodes are just tunnel endpoints. So in your case, all config (including private key files) needs to be on A, and would look something like this (assuming you use the same identity file for all 3 hosts):

Host B
    hostname 127.0.0.1
    user myUser
    Port 43099
    IdentityFile ~/.ssh/id_rsa
Host C
    ProxyJump B
    IdentityFile ~/.ssh/id_rsa
    # Any additional options for connecting to C
Host D
    ProxyJump C
    IdentityFile ~/.ssh/id_rsa
    # Any additional options for connecting to D

When you ssh D, the ssh client on A will make the following series of ssh sessions:

  1. A -> B (directly over the network)
  2. A -> C (tunneled over the A->B connection, then directly over the network from B to C)
  3. A -> D (tunneled over the A->C connection (which is tunneled over A->B), then directly over the network from C to D)
Gordon Davisson
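A way to see the hop order the answer describes without a live network, as an added example (not code from the question or the answer): the script writes the three-host config from the answer to a temporary file and then walks its ProxyJump entries with sh and awk, printing the chain A's client follows for a given alias. The aliases, port and identity path are the constructed sample values used in this thread; the function names `write_sample_config`, `config_option` and `hop_chain` are chosen here and are not ssh functionality.

```shell
#!/bin/sh
# Added example, not code from the question or answer: build the three-hop
# client config the answer describes and walk its ProxyJump entries to show
# the order in which the client on A connects. Only sh and awk are needed,
# so it runs without a reachable B, C or D. Host aliases, port and key path
# are the constructed sample values used in the thread.

# Write the sample ~/.ssh/config for A to the file named in $1.
write_sample_config() {
    cat > "$1" <<'EOF'
Host B
    hostname 127.0.0.1
    user myUser
    Port 43099
    IdentityFile ~/.ssh/id_rsa
Host C
    ProxyJump B
    IdentityFile ~/.ssh/id_rsa
Host D
    ProxyJump C
    IdentityFile ~/.ssh/id_rsa
EOF
}

# Print the value of option $3 inside the "Host $2" block of config $1
# (empty if the block or option is absent). ssh_config keywords are
# case-insensitive, so both sides are lowercased before comparing.
config_option() {
    awk -v host="$2" -v opt="$3" '
        tolower($1) == "host" { inblock = ($2 == host); next }
        inblock && tolower($1) == tolower(opt) { print $2; exit }
    ' "$1"
}

# Print the hop chain for alias $2 in config $1, first hop first
# (e.g. "B C D" for D). Returns 1 if the ProxyJump entries form a loop.
hop_chain() {
    hc_cfg=$1 hc_cur=$2 hc_chain="" hc_seen=" "
    while [ -n "$hc_cur" ]; do
        case "$hc_seen" in
            *" $hc_cur "*) echo "ProxyJump loop at $hc_cur" >&2; return 1 ;;
        esac
        hc_seen="$hc_seen$hc_cur "
        hc_chain="$hc_cur${hc_chain:+ $hc_chain}"
        hc_cur=$(config_option "$hc_cfg" "$hc_cur" ProxyJump)
    done
    echo "$hc_chain"
}

# Usage: write the config and show the chain that "ssh D" follows from A.
cfg=$(mktemp)
write_sample_config "$cfg"
hop_chain "$cfg" D    # prints: B C D
rm -f "$cfg"
```

The parser handles the plain `Host alias` / `ProxyJump alias` form the answer uses, not `user@host:port` values or comma-separated jump lists. On a machine with OpenSSH installed, `ssh -G D` prints the options the client on A has resolved for D, including the ProxyJump value, which is the quickest way to confirm the chain before connecting. Because every hop is negotiated by the client on A, the known_hosts file on A is what verifies the host keys of B, C and D, and the private key in ~/.ssh/id_rsa never leaves A; no ForwardAgent is needed for the jumps.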