4

So I'm essentially trying to do this:

ssh bob2@35.192.152.35 -t ssh bob2@test-vm

The above works fine if I just put it into the terminal; however, I am having a hard time trying to replicate it via the .ssh config file.

Here's what I have inside the config file:

Host bastion
     HostName 35.192.152.35
     User bob2

Host test-vm
     User bob2
     ForwardAgent yes
     ProxyCommand ssh bastion nc %h %p 2> /dev/null

However, it comes up with an error saying "permission denied", invalid public key file? I came up with the above from this post: https://unix.stackexchange.com/questions/124078/how-to-ssh-to-a-server-using-another-server-with-key-from-the-second-server

Somehow it worked for the guy, but it doesn't seem to work for me. I also tried allowing agent forwarding and TCP forwarding in the sshd_chroot config on all parties (origin, bastion, and server), but that didn't make a difference.

If I force-specify the identity paths:

Host bastion
     HostName 35.192.152.35
     User bob2
     IdentityFile /Users/bob/.ssh/id_rsa

Host test-vm
     User bob2
     ForwardAgent yes
     ProxyCommand ssh bastion nc %h %p 2> /dev/null
     IdentityFile /home/bob2/.ssh/id_ed25519

Then it comes up with the same error, in addition to saying that it couldn't find the directory "/home/bob2/.ssh/id_ed25519".

Anyone got any ideas?

  • I think you should use ProxyJump ssh bob2@test-vm – John Hanley Apr 27 '22 at 10:17
  • @JohnHanley, not sure what you mean, replace the ProxyCommand with the proxyjump you suggested? It just gives me "ssh: Could not resolve hostname bob2: nodename nor servname provided..." – Dmytro Lysak Apr 27 '22 at 18:59
  • I need to see exactly how you are using that command. Most likely you have not specified Hostname for the jump server. Edit your question with details. – John Hanley Apr 27 '22 at 19:07
  • @JohnHanley , no that's exactly the same configuration, I have a VM on GCP called test-vm, and another VM on gcp called bastion, and I'm trying to ssh to the test-vm from my macbook via the bastion, using the ssh key from bastion > test-vm. A host name isn't required for test-vm due to on gcp you are able to ssh to other VMs on the same subnet via just the hostname rather than IP address. I did try with the IP address specified for test-vm as well though. – Dmytro Lysak Apr 27 '22 at 20:07

3 Answers

1

Once you realize that bastions are for defeating network firewalls and not for storing keys, you can change this into a two-command solution with minimal config.

On A, your local machine, make sure you have an ssh-agent running.

Do a one-time command to B, where B has the following config:

Host B
        ForwardAgent yes
        User proxyuser

And run the following command:

$ ssh B ssh-add # and possibly a reference to a non-standard key

At this point your local ssh-agent will have the remote key in its cache.

Afterwards, a plain -J or ProxyJump to C will 'just work':

Host C
        User user
        ProxyJump proxyuser@B

$ ssh C

With the slight inconvenience of an extra one-time command, you can keep your config pretty sane IMO.

You could ask yourself whether storing the key on the bastion really provides you with extra safety if it's going to get cached on your local machine anyway. Of course there is a slight benefit in not having the key stored on disk, but if your local machine is hacked there is not much difference between reading a file and communicating with an ssh-agent loaded with keys.

hbogert
  • if storing the key on the bastion really provides you with extra safety — of course it doesn't. The question is basically about "how to do everything as wrong as possible". To be honest, the only proper answer to this question could be "you never store private keys on the bastion, period". – Nikita Kipriyanov Dec 16 '23 at 16:50
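The two-stanza config this answer describes, written out and checked with `ssh -G`, which evaluates ssh_config for a host and prints the result without ever connecting. This is an added example, not the answerer's own script: the aliases B and C and the user names are the answer's placeholders, and the two 192.0.2.x addresses are constructed values from the documentation range. The check that matters is the last one: ForwardAgent is "yes" for the hop to B (so the one-time `ssh B ssh-add` can reach the local agent) and stays at the default "no" for C, so the agent is not handed to the target or anything beyond it.

```shell
#!/bin/sh
# Added example (not from the answer): write the bastion/target config and
# ask OpenSSH how it resolves each host. Requires an OpenSSH client with -G
# (6.8 or newer); hosts and addresses are placeholders/constructed values.

# Write the config to the path given as $1.
write_config() {
    cat > "$1" <<'EOF'
# B is the bastion. Agent forwarding is enabled only for this hop so that
# the one-time `ssh B ssh-add` can load B's key into the local agent.
Host B
    HostName 192.0.2.10
    User proxyuser
    ForwardAgent yes

# C is the target, reached through B. No ForwardAgent here: C does not
# need the agent, and the jump to B reads the `Host B` stanza on its own.
Host C
    HostName 192.0.2.20
    User user
    ProxyJump proxyuser@B
EOF
}

# Print the effective value of ssh_config keyword $3 for host $2 using
# config file $1. `ssh -G` prints each keyword lowercased, one per line.
# Prints "ssh-unavailable" when no ssh client is on PATH so callers can skip.
effective() {
    command -v ssh >/dev/null 2>&1 || { echo ssh-unavailable; return 0; }
    ssh -G -F "$1" "$2" 2>/dev/null | awk -v k="$3" '$1 == k { print $2; exit }'
}

# Stand-alone usage: dump the settings that matter for the jump.
demo_tmp=$(mktemp -d)
write_config "$demo_tmp/config"
for pair in "B forwardagent" "C forwardagent" "C proxyjump" "C hostname"; do
    set -- $pair
    printf '%s %s = %s\n' "$1" "$2" "$(effective "$demo_tmp/config" "$1" "$2")"
done
rm -rf "$demo_tmp"
```

Run it and you should see `B forwardagent = yes`, `C forwardagent = no`, `C proxyjump = proxyuser@B` and `C hostname = 192.0.2.20`. The same `ssh -G -F <file> <host>` trick is the quickest way to find out why a config like the one in the question resolves to the wrong user, key or proxy: it shows the merged result of every matching `Host` block rather than the text you think you wrote.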
0

It seems that you want your config to let test-vm look for the key in bastion. So I suggest:

  1. Copy the key file to bob2's .ssh folder in bastion.
  2. Add ProxyCommand with ssh-add in your config.
  • Bob2's key file is already in bastion, that's why "ssh bob2@35.192.152.35 -t ssh bob2@test-vm" works but for some reason trying to replicate that in the config file doesn't. – Dmytro Lysak Apr 27 '22 at 19:02
  • Then try placing test-vm's key in the client's folder and changing IdentityFile /home/bob2/.ssh/id_ed25519 to IdentityFile /Users/bob/.ssh/id_ed25519 in the last configuration. – 3735943886 Apr 27 '22 at 20:53
  • I'm not exactly sure what you're asking, I am not allowed to move any of the keys between the servers, the test-vm has to use keys from the bastion, and the bastion cannot have any keys from the origin. – Dmytro Lysak Apr 27 '22 at 20:56
  • I found a similar question. Would you try solutions there? I think you need ssh-add in your configuration. https://serverfault.com/questions/337274/ssh-from-a-through-b-to-c-using-private-key-on-b – 3735943886 Apr 27 '22 at 21:00
  • I tried that one before submitting this question as well, sadly it doesn't work, gives me the same error. Maybe the ssh command works slightly differently on MacOS? Maybe that's why it doesn't work for me? – Dmytro Lysak Apr 28 '22 at 06:50
-1

Below works for me ... Almost the same as yours, except I do specify the IP address of the final destination (maybe not relevant in your case) and I HAD TO COPY the key from the bastion to my local host, as my ssh_config is finding key files here, not on the bastion midway:

==== added to .ssh/config ====
Host mybastion
    HostName 133.35.41.9
    User bastuser
    IdentityFile /Users/bchapman/.ssh/bast_priv.key

Host mytarget
    HostName 109.0.1.38
    ProxyCommand ssh -q -W %h:%p mybastion
    User targuser
    IdentityFile /Users/bchapman/.ssh/targ_priv.key
==============

After that I can ssh mytarget, scp localfile mytarget:, etc. just fine.