
I've had to do the kind of multiple proxy jumps Hugh is alluding to. It was common in a Managed Service Provider I worked for. FYI, the ProxyJump directive was only introduced in OpenSSH version 7.3. As we had a lot of legacy RHEL/CentOS 6 systems, which were not yet on that version, we had to use the older pattern of ProxyCommand and NetCat (nc). Combining ProxyJump with the User, Port and IdentityFile directives in your .ssh/config file, you can perform some amazing back-flips and lateral moves through infrastructure. I think my record was 5 layers of depth, but I don't have those config files any more. Dropping your public keys, and 'ForwardAgent yes' in .ssh/config, on every user/system along the proxy chain means you can have a single SSH command take you all the way to the end of the chain without being prompted for a password at each hop.

---

# === SITE 1 ===
# Best-practice firewall rules mean the jump-box is the only host reachable via VPN,
# so it is always our first hop.
Host jump-box
    HostName jump-box.example.org
    User someone

Host stargate
    ProxyCommand ssh -q someone@jump-box nc stargate.example.org 22

Host stargate2
    ProxyCommand ssh -q someone@jump-box nc 192.168.133.7 22

# === SITE 2 ===
Host jump.site2.other.org
    ProxyCommand ssh -q someone@stargate2 nc 10.30.40.20 22

# === SITE 3 ===
Host 192.168.3.*
    ProxyCommand ssh -q someone@stargate nc %h 22

# === SITE 5 ===
Host 10.90.5.*
    ProxyCommand ssh -q someone@stargate nc %h 22
    User differentuser

# Examples
# ssh someone@192.168.3.12
#   A double jump: the host/IP wildcard says we need to connect via 'stargate',
#   which resolves further to 'jump-box', which is canonically 'jump-box.example.org'.

---

On 8/29/20 11:55 AM, D. Hugh Redelmeier via talk wrote:
I'm away from home, regularly accessing my computers at home. Easy: ssh into a gateway machine and ssh from there into the internal machine of my choice. Nested ssh sessions. It gets a little more annoying when I want to transfer a file.
The new-to-me ssh/scp option "ProxyJump" handles this conveniently.
Consider the example of transferring a file "f" from machine "home" through machine "gw" to machine "away", all done from an xterm on "away".
Note: because "away" is behind NAT, "gw" cannot scp to it.
Note: -A enables ssh-agent to avoid some manual authentication.
Note: things become more complicated if f has slashes.
    [away] $ ssh -A gw
    [gw] $ scp -p home:f .
    [gw] $ exit
    [away] $ scp -p gw:f .
    [away] $ ssh -A gw
    [gw] $ rm f
    [gw] $ exit
This can be simplified because the ssh command allows shell commands as arguments. That's not a habit I've developed.
    [away] $ ssh -A gw scp -p home:f .
    [away] $ scp -p gw:f .
    [away] $ ssh -A gw rm f
The ProxyJump option makes this a lot simpler:
[away] $ scp -p -o 'ProxyJump gw' home:f .
I have no need for more than one intermediate hop so I haven't figured out how that would work.

---
Post to this mailing list talk@gtalug.org
Unsubscribe from this mailing list https://gtalug.org/mailman/listinfo/talk
-- Scott Sullivan
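As an added example (editor's code, not from either message in this thread), the script below generates the two ssh_config shapes for a multi-hop chain like the SITE 3 stanza above: the ProxyJump form, whose value is a comma-separated list of [user@]host[:port] hops (ssh -J on the command line is the same thing), and the older per-hop ProxyCommand form for clients predating OpenSSH 7.3. The fallback uses ssh -W %h:%p (OpenSSH 5.4 and later) instead of nc, so nothing extra needs to be installed on the intermediate hosts. One point worth knowing either way: with ProxyJump or a ProxyCommand chain, every ssh process in the chain runs on the local client, so each hop and the final host authenticate against the client's own keys. Your public key still has to be in authorized_keys on every hop, but the private key (or agent socket) never has to be exposed on an intermediate host, and 'ForwardAgent yes' on every hop is not required for the chain itself; agent forwarding is only needed when a command is actually run on an intermediate host, as in the scp-from-gw sequence quoted above. The host names and the 192.168.3.* pattern are illustrative.

```shell
#!/bin/sh
# Added example, not code from the thread: emit the two ssh_config shapes for a
# chain of jump hosts, the single ProxyJump directive (OpenSSH 7.3+) and the
# per-hop ProxyCommand fallback for older clients.  The fallback uses
# "ssh -W %h:%p" (OpenSSH 5.4+), which forwards the final TCP connection through
# the hop without nc on the hop.  All host names below are hypothetical.
#
# In both forms every ssh in the chain runs on the local client, so each hop
# authenticates with local keys and no ForwardAgent is needed for the chain.

# proxyjump_value HOP...  ->  "hop1,hop2,..."  (each HOP is [user@]host[:port])
proxyjump_value() {
    ( IFS=,; printf '%s\n' "$*" )
}

# proxyjump_stanza PATTERN HOP...  ->  Host stanza routing PATTERN via HOP...
proxyjump_stanza() {
    pattern="$1"; shift
    printf 'Host %s\n    ProxyJump %s\n' "$pattern" "$(proxyjump_value "$@")"
}

# legacy_config PATTERN HOP...  ->  one Host stanza per hop plus one for PATTERN;
# each hop's ProxyCommand tunnels through the previous hop (each HOP is user@host).
# Output to stdout; the caller pastes it into ~/.ssh/config.
legacy_config() {
    pattern="$1"; shift
    prev=""
    for hop in "$@"; do
        user="${hop%@*}"
        host="${hop#*@}"
        printf 'Host %s\n    User %s\n' "$host" "$user"
        if [ -n "$prev" ]; then
            # %%h/%%p in the printf format become the literal %h/%p tokens that
            # ssh expands to the host/port of the stanza being connected to.
            printf '    ProxyCommand ssh -q -W %%h:%%p %s\n' "$prev"
        fi
        printf '\n'
        prev="$hop"
    done
    printf 'Host %s\n    ProxyCommand ssh -q -W %%h:%%p %s\n' "$pattern" "$prev"
}

# Demo: reach any 192.168.3.* host through jump-box and then stargate.  The
# one-off command-line form of the same chain (hypothetical hosts) is:
#   ssh -J someone@jump-box.example.org,someone@stargate.example.org someone@192.168.3.12
CHAIN="someone@jump-box.example.org someone@stargate.example.org"

echo '# --- ProxyJump form (OpenSSH 7.3+) ---'
proxyjump_stanza '192.168.3.*' $CHAIN
echo
echo '# --- ProxyCommand fallback (OpenSSH 5.4+) ---'
legacy_config '192.168.3.*' $CHAIN
```

Running the script prints both stanza sets; paste whichever your oldest client supports into ~/.ssh/config, then ssh to the pattern host exactly as in the examples above. Because the -W hop carries the target's own SSH session end to end, host key checking and key authentication for 192.168.3.12 happen on your client, not on stargate.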