4

So I'm essentially trying to do this:

ssh [email protected] -t ssh bob2@test-vm 

the above works fine if I just put it into the terminal, however I am having a hard time trying to replicate it via the .ssh config file.

Here's what I have inside the config file:

    Host bastion
        HostName 35.192.152.35
        User bob2

    Host test-vm
        User bob2
        ForwardAgent yes
        ProxyCommand ssh bastion nc %h %p 2> /dev/null

However, it comes up with an error saying "permission denied" (invalid public key file?). I came up with the above from this post: https://unix.stackexchange.com/questions/124078/how-to-ssh-to-a-server-using-another-server-with-key-from-the-second-server

Somehow it worked for that guy, but it doesn't seem to work for me. I also tried allowing agent forwarding and TCP forwarding in the sshd_chroot config on all parties (origin, bastion, and server), but that didn't make a difference.

If I force-specify the identity paths:

    Host bastion
        HostName 35.192.152.35
        User bob2
        IdentityFile /Users/bob/.ssh/id_rsa

    Host test-vm
        User bob2
        ForwardAgent yes
        ProxyCommand ssh bastion nc %h %p 2> /dev/null
        IdentityFile /home/bob2/.ssh/id_ed25519

Then it comes up with the same error, and additionally says that it couldn't find the directory "/home/bob2/.ssh/id_ed25519".

Anyone got any ideas?

4
  • I think you should use ProxyJump ssh bob2@test-vm Commented Apr 27, 2022 at 10:17
  • @JohnHanley, not sure what you mean, replace the ProxyCommand with the proxyjump you suggested? It just gives me "ssh: Could not resolve hostname bob2: nodename nor servname provided..." Commented Apr 27, 2022 at 18:59
  • I need to see exactly how you are using that command. Most likely you have not specified Hostname for the jump server. Edit your question with details. Commented Apr 27, 2022 at 19:07
  • @JohnHanley, no, that's exactly the same configuration. I have a VM on GCP called test-vm, and another VM on GCP called bastion, and I'm trying to ssh to the test-vm from my MacBook via the bastion, using the ssh key from bastion > test-vm. A host name isn't required for test-vm because on GCP you can ssh to other VMs on the same subnet by hostname rather than IP address. I did try with the IP address specified for test-vm as well, though. Commented Apr 27, 2022 at 20:07
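As an added example (not code from the question or any of the answers), here is a small linter that parses the config posted above and flags the two points the config trips over: IdentityFile is always opened by the local ssh client, never on the bastion, and the nc-based ProxyCommand can be replaced by ProxyJump or ssh -W, which needs no netcat on the bastion. The config text and the `exists` hook are constructed for the example.

```python
"""Added example, not from the question or any answer: lint an ssh_config
for the two pitfalls in the question (constructed config, no real hosts)."""
import os
import re

# Constructed from the question's second config. Keywords are
# case-insensitive in ssh_config, so "FOrwardAgent" itself is harmless.
QUESTION_CONFIG = """
Host bastion
    HostName 35.192.152.35
    User bob2
    IdentityFile /Users/bob/.ssh/id_rsa
Host test-vm
    User bob2
    FOrwardAgent yes
    ProxyCommand ssh bastion nc %h %p 2> /dev/null
    IdentityFile /home/bob2/.ssh/id_ed25519
"""


def parse_ssh_config(text):
    """Return {host_pattern: {keyword_lowercased: value}} per Host block."""
    hosts, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key, value = parts[0].lower(), parts[1] if len(parts) > 1 else ""
        if key == "host":
            current, hosts[value] = value, {}
        elif current is not None:
            hosts[current][key] = value
    return hosts


def lint(text, exists=os.path.exists):
    """Flag settings that cannot work from the client's side. `exists` is
    injectable for testing; the default is the local disk, where ssh looks."""
    findings = []
    for host, opts in parse_ssh_config(text).items():
        ident = opts.get("identityfile")
        if ident and not exists(os.path.expanduser(ident)):
            findings.append(f"{host}: IdentityFile {ident} is opened by the "
                            "local ssh client, not on the bastion, and is missing here")
        if re.search(r"\bnc\b", opts.get("proxycommand", "")):
            findings.append(f"{host}: ProxyCommand runs nc on the bastion; "
                            "ProxyJump (or ssh -W %h:%p) needs no netcat there")
    return findings
```

Running `lint(QUESTION_CONFIG)` on the asker's Mac would report the bastion-side id_ed25519 path as missing locally, which is the error the question describes.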

3 Answers

1

Once you realize that bastions are for defeating network firewalls and not for storing keys, you can change this into a 2 command solution with minimal config.

On A, your local machine, make sure you have an ssh-agent running.

Do a one time command to B, where B has the following config:

    Host B
        ForwardAgent yes
        User proxyuser

And run the following command:

    $ ssh B ssh-add   # and possibly a reference to a non-standard key

At this point your local ssh-agent will have the remote key in its cache.

Afterwards a plain -J or ProxyJump to C will 'just work':

    Host C
        User user
        ProxyJump proxyuser@B

    $ ssh C

With the slight inconvenience of an extra one-time command, you can keep your config pretty sane IMO.

You could ask yourself whether storing the key on the bastion really provides you with extra safety if it's going to get cached on your local machine anyway. Of course there is a slight benefit to not having the key stored on disk, but if your local machine is hacked there is not much difference between reading a file and communicating with an ssh-agent loaded with keys.

1
  • if storing the key on the bastion really provides you with extra safety — of course it doesn't. The question is basically about "how to do everything as wrong as possible". To be honest, the only proper answer to this question could be "you never store private keys on the bastion, period". Commented Dec 16, 2023 at 16:50
0

It seems that you want your config to let test-vm look for the key on bastion. So I suggest:

  1. Copy the key file to bob2's .ssh folder on bastion.
  2. Add a ProxyCommand with ssh-add in your config.
5
  • Bob2's key file is already in bastion, that's why "ssh [email protected] -t ssh bob2@test-vm" works but for some reason trying to replicate that in the config file doesn't. Commented Apr 27, 2022 at 19:02
  • Then try placing test-vm's key into the client's folder and changing IdentityFile /home/bob2/.ssh/id_ed25519 to IdentityFile /Users/bob/.ssh/id_ed25519 in the last configuration. Commented Apr 27, 2022 at 20:53
  • I'm not exactly sure what you're asking, I am not allowed to move any of the keys between the servers, the test-vm has to use keys from the bastion, and the bastion cannot have any keys from the origin. Commented Apr 27, 2022 at 20:56
  • I found a similar question. Would you try solutions there? I think you need ssh-add in your configuration. serverfault.com/questions/337274/… Commented Apr 27, 2022 at 21:00
  • I tried that one before submitting this question as well, sadly it doesn't work, gives me the same error. Maybe the ssh command works slightly differently on MacOS? Maybe that's why it doesn't work for me? Commented Apr 28, 2022 at 6:50
-1

Below works for me... almost the same as yours, except I do specify the IP address of the final destination (maybe not relevant in your case) and I HAD TO COPY the key from the bastion to my local host, as my ssh_config is finding key files here, not on the bastion midway:

==== added to .ssh/config ====
    Host mybastion
        HostName 133.35.41.9
        User bastuser
        IdentityFile /Users/bchapman/.ssh/bast_priv.key

    Host mytarget
        HostName 109.0.1.38
        ProxyCommand ssh -q -W %h:%p mybastion
        User targuser
        IdentityFile /Users/bchapman/.ssh/targ_priv.key
==============

After that I can ssh mytarget, scp localfile mytarget:, etc. just fine.
