Score:0

How to ssh to a server via bastion(proxy) with key from the bastion(proxy) NOT origin

ma flag

So I'm essentially trying to do this:

    ssh [email protected] -t ssh bob2@test-vm

The above works fine if I just put it into the terminal; however, I am having a hard time replicating it via the .ssh config file.

Here's what I have inside the config file:

    Host bastion
         HostName 35.192.152.35
         User bob2

    Host test-vm
         User bob2
         FOrwardAgent yes
         ProxyCommand ssh bastion nc %h %p 2> /dev/null

However, it comes up with an error saying "permission denied", invalid public key file? I came up with the above from this post: https://unix.stackexchange.com/questions/124078/how-to-ssh-to-a-server-using-another-server-with-key-from-the-second-server

Somehow it worked for the guy, but doesn't seem to work for me. I also tried allowing agent forwarding and TCP forwarding in the sshd_chroot config as well on all parties (origin, bastion, and server), but that didn't make a difference.

If I force-specify the identity paths:

    Host bastion
         HostName 35.192.152.35
         User bob2
         IdentityFile /Users/bob/.ssh/id_rsa

    Host test-vm
         User bob2
         FOrwardAgent yes
         ProxyCommand ssh bastion nc %h %p 2> /dev/null
         IdentityFile /home/bob2/.ssh/id_ed25519

Then it comes up with the same error, in addition to saying that it couldn't find the directory "/home/bob2/.ssh/id_ed25519".

Anyone got any ideas?

John Hanley
cn flag
I think you should use **ProxyJump ssh bob2@test-vm**
Dmytro Lysak
ma flag
@JohnHanley, not sure what you mean: replace the ProxyCommand with the ProxyJump you suggested? It just gives me "ssh: Could not resolve hostname bob2: nodename nor servname provided..."
John Hanley
cn flag
I need to see exactly how you are using that command. Most likely you have not specified Hostname for the jump server. Edit your question with details.
Dmytro Lysak
ma flag
@JohnHanley, no, that's exactly the same configuration. I have a VM on GCP called test-vm and another VM on GCP called bastion, and I'm trying to ssh to test-vm from my MacBook via the bastion, using the ssh key from bastion > test-vm. A host name isn't required for test-vm because on GCP you are able to ssh to other VMs on the same subnet via just the hostname rather than the IP address. I did try with the IP address specified for test-vm as well, though.
Score:0
pr flag

The below works for me ... almost the same as yours, except I do specify the IP address of the final destination (maybe not relevant in your case), and I HAD TO COPY the key from the bastion to my local host, as my ssh_config is finding key files here, not on the bastion midway:

==== added to .ssh/config ====

    Host mybastion
        HostName 133.35.41.9
        User bastuser
        IdentityFile /Users/bchapman/.ssh/bast_priv.key

    Host mytarget
        HostName 109.0.1.38
        ProxyCommand ssh -q -W %h:%p mybastion
        User targuser
        IdentityFile /Users/bchapman/.ssh/targ_priv.key

==============

After that I can `ssh mytarget`, `scp localfile mytarget:`, etc. just fine.

Score:0
cn flag

It seems that you want your config to let test-vm look for the key on bastion. So I suggest:

  1. Copy the key file to bob2's .ssh folder on bastion.
  2. Add ProxyCommand with ssh-add in your config.
Dmytro Lysak
ma flag
Bob2's key file is already on bastion; that's why "ssh [email protected] -t ssh bob2@test-vm" works, but for some reason trying to replicate that in the config file doesn't.
cn flag
Then try placing test-vm's key into the client's folder and changing `IdentityFile /home/bob2/.ssh/id_ed25519` to `IdentityFile /Users/bob/.ssh/id_ed25519` in the last configuration.
Dmytro Lysak
ma flag
I'm not exactly sure what you're asking. I am not allowed to move any of the keys between the servers: the test-vm has to use keys from the bastion, and the bastion cannot have any keys from the origin.
cn flag
I found a similar question. Would you try the solutions there? I think you need ssh-add in your configuration. https://serverfault.com/questions/337274/ssh-from-a-through-b-to-c-using-private-key-on-b
Dmytro Lysak
ma flag
I tried that one before submitting this question as well; sadly it doesn't work and gives me the same error. Maybe the ssh command works slightly differently on macOS? Maybe that's why it doesn't work for me?
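An added example in Python, not from the question or either answer: a small linter for the kind of ssh_config posted in the question. It parses the Host blocks (ssh_config keywords are case-insensitive, so `FOrwardAgent` was never the problem) and flags the point both answers circle around: with ProxyCommand or ProxyJump the bastion only relays the TCP connection, the client itself still authenticates to test-vm, so `IdentityFile` must name a key readable on the client, which is why ssh reported it could not find /home/bob2/.ssh/id_ed25519. The `client_home` parameter and the finding codes are my own assumptions.

```python
import re

# Constructed sample: the asker's second config from the question, verbatim.
SAMPLE_CONFIG = """\
Host bastion
     HostName 35.192.152.35
     User bob2
     IdentityFile /Users/bob/.ssh/id_rsa

Host test-vm
     User bob2
     FOrwardAgent yes
     ProxyCommand ssh bastion nc %h %p 2> /dev/null
     IdentityFile /home/bob2/.ssh/id_ed25519
"""


def parse_ssh_config(text):
    """Map each Host block to {keyword: value}. Keywords are case-insensitive
    (FOrwardAgent is accepted as ForwardAgent); separator is whitespace or '='."""
    hosts, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        keyword, value = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if keyword == "host":
            current = hosts.setdefault(value, {})
        elif current is not None:
            current.setdefault(keyword, value)  # first value wins, as ssh does
    return hosts


def lint(hosts, client_home):
    """Return (host, code, message) findings. client_home (my own heuristic input)
    is the home directory on the machine that runs ssh."""
    findings, home = [], client_home.rstrip("/") + "/"
    for host, opts in hosts.items():
        proxied = "proxycommand" in opts or "proxyjump" in opts
        ident = opts.get("identityfile", "")
        # ProxyCommand/ProxyJump only relay TCP: the client itself authenticates to
        # the end host, so the key it names must be readable on the client.
        if proxied and ident.startswith(("/home/", "/Users/")) and not ident.startswith(home):
            findings.append((host, "remote-identity", f"IdentityFile {ident} is not under {client_home}; the client, not the proxy, authenticates to {host}"))
        if proxied and opts.get("forwardagent", "no").lower() == "yes":
            findings.append((host, "agent-forward", f"ForwardAgent yes is not needed to reach {host} through a proxy and exposes the local agent to it"))
        if re.search(r"\bnc\b", opts.get("proxycommand", "")):
            findings.append((host, "nc-proxy", "ProxyCommand needs nc on the bastion; 'ssh -W %h:%p bastion' or ProxyJump does not"))
    return findings
```

Linting the sample with client_home set to /Users/bob yields three findings, all on test-vm; the bastion block, whose key really is on the client, is clean.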