I spent a little bit of time trying to find an answer to this today but I was unsuccessful. I’m hoping one of you will have the secret for me.
Situation:
I’ve configured my .ssh/config file with profile and port information for the many servers I connect to on a regular basis.
Problem:
One of the servers I need to access requires bouncing through another server first, i.e., in order to access machine2 I have to connect to machine1 first. How to automate this within the .ssh/config?
When I manually connect to this I use:
ssh -t machine1 ssh machine2
What I would like to do is configure my .ssh/config file to use that -t option when connecting to that specific machine. I would like to be able to simply run:
ssh machine1
and based on the configuration in the .ssh/config have this automatically connect to machine2.
Any ideas?
Perhaps ProxyCommand from man ssh_config will help you out.
I use something like this:
Host *.proxied
ProxyCommand ssh hostnameofproxy tcpconnect $(basename %h .proxied) %p
Please note that my solution works when you have a bunch of computers behind a proxy (then you’ll use ssh foo.proxied to access foo through the proxy).
If you have only one machine you can avoid the basename stuff.
Simply
Host machine1
ForwardAgent yes
You should read up on the security complications though.
this is not a correct solution, but what about using alias to map the command “ssh machine1” to actually run what you want. sounds like this is exactly what alias is meant to do?
note
sorry if i am off base here; just an idea
@mike – I did think about using an alias, and that would be a very simple solution. The drawback to that in my mind is that the configuration for my ssh connections is then spread between two files and two formats. When I do backups and restores of my machine it’d be one more file to add to the list. I’d prefer to just be able to back up my .ssh/ directory and have my keys, known hosts and settings all there.
An alias (or shell function or shell script) seems like the right thing to me too. But that *.proxied trick is pretty slick.
‘ForwardAgent yes’ does exactly what you’re looking for.
By the way, you can use `nc` (netcat) instead of `tcpconnect`, it’s the same (in my case nc wasn’t installed on the proxy).
Here’s the obligatory example using netcat:
Host machine1 machine2 machine3
ProxyCommand ssh -q -a -x firewall nc -w 1 %h %p
why not just
ssh -t machine1 'ssh -t machine2'
I’ve used both..
ProxyCommand ssh proxy.example.com 'exec 3<>/dev/tcp/%h/22;(cat <&3 & );cat >&3'
And..
ProxyCommand ssh proxy.example.com nc -w 1 %h %p
Both work great, you can even scp seamlessly through the proxy.
Only problem I find is I end up with a lot of stale sessions on the proxy host.
If you only need shell access, and you trust machine1, then you could just leave a screen session on machine1 that is ssh’d into machine2.
Have your home machine ssh into machine1 and have it reconnect to the screen session.
This way is fast, and keeps a long-running terminal with history available. Also good if you have different users or authentication setup for each connection. You lose nice features like scp though.
A bit off topic but if you need to send a file from the server you are on to another one – but need to go through a middle-man and do not want to set up agent:
tar -cf - * | ssh proxyuser@proxyhost "cat - | ssh destinationuser@destinationhost 'cat - > file.tar'"
That will tar up a directory & send it over ssh at the same time and name it at your destination as file.tar
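
To check what each alias in this thread actually resolves to, the sketch below (an added example, not code from any commenter) applies ssh_config's first-obtained-value-wins rule to a constructed config assembled from the snippets above, expands %h and %p in ProxyCommand, and flags aliases that end up with agent forwarding. The function names and the trailing `Host *` block are assumptions, and only plain `keyword value` lines with `*`, `?` and `!` Host patterns are handled.

```python
import fnmatch

# Constructed sample config combining the thread's snippets (not a real file).
SAMPLE = """\
Host *.proxied
    ProxyCommand ssh hostnameofproxy tcpconnect $(basename %h .proxied) %p

Host machine1
    ForwardAgent yes

Host machine2 machine3
    ProxyCommand ssh -q -a -x firewall nc -w 1 %h %p

Host *
    ForwardAgent no
"""

def resolve(config_text, alias):
    """Return the effective options for alias; the first value obtained wins."""
    opts, active = {}, True  # options before any Host line apply to every host
    for raw in config_text.splitlines():
        parts = raw.strip().split(None, 1)
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "host":
            pats = value.split()
            hit = any(fnmatch.fnmatchcase(alias, p) for p in pats if not p.startswith("!"))
            neg = any(fnmatch.fnmatchcase(alias, p[1:]) for p in pats if p.startswith("!"))
            active = hit and not neg  # a matching negated pattern cancels the block
        elif active:
            opts.setdefault(key, value)  # later blocks cannot override earlier ones
    return opts

def audit(config_text, alias):
    """Expand %h/%p in ProxyCommand and report agent forwarding for one alias."""
    opts = resolve(config_text, alias)
    host = opts.get("hostname", alias)   # %h is the name ssh will connect to
    port = opts.get("port", "22")        # ssh's default port
    proxy = opts.get("proxycommand")
    if proxy:
        proxy = proxy.replace("%h", host).replace("%p", port)
    forwarded = opts.get("forwardagent", "no").lower() != "no"
    return {"proxy": proxy, "agent_forwarded": forwarded}

if __name__ == "__main__":
    for name in ("foo.proxied", "machine1", "machine2"):
        print(name, audit(SAMPLE, name))
```

On a real machine, `ssh -G <alias>` prints the effective options OpenSSH itself computes, which is the authoritative check.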