1

Schematic:

    ssh       ssh
A ------> B ------> C
    ^          ^
 using A's   using B's
 ssh key     ssh key

Preconditions:

  • A is running ssh-agent
  • A can access B
  • B can access C
  • A can't access C directly
  • A's ssh public key is present in B:~/.ssh/authorized_keys
  • B's ssh public key is present in C:~/.ssh/authorized_keys

What I tried

Following this question, I tried the related answer, here is my .ssh/config

Host proxy
  HostName 10.10.10.10
  User foo
  Port 1234
  IdentityFile ~/.ssh/id_rsa

Host target 
  HostName 11.11.11.11
  User bar
  Port 5678
  ProxyCommand ssh -o 'ForwardAgent yes' proxy 'ssh-add && nc %h %p'

This works:

$ ssh -t proxy ssh [email protected] -p 5678

This doesn't works:

$ ssh -t proxy ssh target
ssh: Could not resolve hostname target: Temporary failure in name resolution
Connection to 10.10.10.10 closed.

$ ssh target
Could not open a connection to your authentication agent.
kex_exchange_identification: Connection closed by remote host
Connection closed by UNKNOWN port 65535

I also tried with this configuration following this question:

Host proxy
  HostName 10.10.10.10
  User foo
  Port 1234
  IdentityFile ~/.ssh/id_rsa

Host target 
  HostName 11.11.11.11
  User bar
  Port 5678
  ProxyCommand ssh -W %h:%p proxy

But when I run ssh target, it keep asking for password


I would like to simply run ssh target but I'm stuck.

New contributor
J.Nexus is a new contributor to this site. Take care in asking for clarification, commenting, and answering. Check out our Code of Conduct.
4
  • ProxyCommand like -J will use the credentials from A anyway (compare this answer). Commented 22 hours ago
  • Cannot you make C recognize A's key? Commented 22 hours ago
  • @KamilMaciorowski Yes, that would work, but I don't want C to know A key. What I want is to only allow ssh from "proxy", and to allow access to "proxy" to list of users that can change. I have multiple "target" in real life, and I want to allow/deny access to all of them by only editing "proxy". So I don't want my private keys to be on "proxy"
    – J.Nexus
    Commented 21 hours ago
  • It's a bad idea to store private keys on a proxy/jump host. If A can connect and use the private keys on the proxy, then A can also copy the private keys and use them without the proxy.
    – jeb
    Commented 18 hours ago

1 Answer 1

0

You should copy the private key from B to A (change the name of id_rsa)

scp proxy:.ssh/id_rsa ~/.ssh/id_rsa_second

Then you can use

Host proxy
  HostName 10.10.10.10
  User foo
  Port 1234
  # IdentityFile ~/.ssh/id_rsa  # Not necessary, it's the default

Host target 
  HostName 11.11.11.11
  User bar
  Port 5678
  IdentityFile ~/.ssh/id_rsa_second
  ProxyJump proxy

Now this should work: ssh target

3
  • 1
    Wouldn’t it be easier to just configure Host C with keys for both B and A?
    – Ramhound
    Commented 22 hours ago
  • Yes, that would work, but I don't want C to know A key. What I want is to only allow ssh from "proxy", and to allow access to "proxy" to list of users that can change. I have multiple "target" in real life, and I want to allow/deny access to all of them by only editing "proxy". So I don't want my private keys to be on "proxy"
    – J.Nexus
    Commented 21 hours ago
  • In my solution you don't change the configuration on C . You only copy the private key from B to A. This is not a problem, because anyone who can connect to the proxy can see the key anyway
    – jeb
    Commented 20 hours ago

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged .