4

Although a simple question, I have searched for days without success.

M = My machine
J = Jump Host
S = Server

Jump Host has my public key in authorized_keys. Server has J's public key in authorized_keys.

Allowed connections (due to key authentication):

M -> J
J -> S

How is it possible for me to ssh into S from my machine?

My current configuration is:

    Host jump
        User root
        HostName x.x.x.x

    Host server
        User root
        HostName x.x.x.x
        Port 22
        ForwardAgent no
        ProxyCommand ssh jump -W %h:%p

It does not work, as it tries to log in with M's key.

Here's the ssh log:

    debug1: Host 'x.x.x.x' is known and matches the ECDSA host key.
    debug1: Found key in /Users/xxxxx/.ssh/known_hosts:1542
    ...
    debug1: Authentications that can continue: publickey
    debug1: Next authentication method: publickey
    debug1: Offering RSA public key: /Users/xxxxx/.ssh/id_rsa
    debug1: Authentications that can continue: publickey
    debug1: Trying private key: /Users/xxxxx/.ssh/id_dsa
    debug1: Trying private key: /Users/xxxxx/.ssh/id_ecdsa
    debug1: Trying private key: /Users/xxxxx/.ssh/id_ed25519
    debug1: No more authentication methods to try.
    Permission denied (publickey).
    Killed by signal 1.
2
  • 1
    I am confused by your question. Agent forwarding should not be required in this setup. All the ssh connections requiring authentication will be initiated from your client. When you say it doesn't work, please be more specific. What doesn't work? What errors do you get? What does your ssh debug output look like? Commented Jan 19, 2017 at 18:37
  • The problem is that it's trying to use my key (M) to authenticate in S when it's supposed to use J's key. I cannot specify the key to use with IdentityFile given it's on J and not on my machine. Commented Jan 19, 2017 at 19:08

2 Answers

2

The problem is that it's trying to use my key (M) to authenticate in S when it's supposed to use J's key. I cannot specify the key to use with IdentityFile given it's on J and not on my machine.

Well, that is your problem. The connections to both the jump host and the final destination are initiated directly from your client in this setup. Your client must have the correct key for both systems.

The ssh jump -W %h:%p in the proxy command starts an ssh session to your jump host, but doesn't create a shell; it just creates a tunnel directly to the destination host. Then your client makes an ssh connection to the tunnel. At no point is a shell started on the jump host that would let you access any keys stored on that intermediate host in this type of setup. Messing around with forwarding doesn't do anything. No forwarding is used to initiate the connection.

3
  • Understood. You are absolutely correct. What should I be using so that it works as intended, as opposed to ProxyCommand? The idea is to add security by isolating the key to the server inside the jump host. Commented Jan 19, 2017 at 19:31
  • AFAIK, you can't have it both ways. If you want to require any keys must only be stored and used from that jump host, then you can't have the convenience of being able to connect directly to the destination from your client. Commented Jan 19, 2017 at 19:39
  • Thanks! I have been searching for that clear explanation for a while! Commented Jul 13, 2021 at 21:28
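The two layouts that follow from this answer, written out as an added example (it is not part of the original question or answers). It assumes placeholder addresses from the RFC 5737 documentation range (192.0.2.10 for J, 192.0.2.20 for S), key file names under ~/.ssh that are my own choice, and an OpenSSH client new enough for ProxyJump (7.3+) and RemoteCommand (7.6+).

```sshconfig
# Added example, not from the original post. Addresses are placeholders
# from the documentation range; the key file names are assumptions.

# Option A: one client-initiated connection per hop. This is what
# "ProxyCommand ssh jump -W %h:%p" (or its successor ProxyJump) does.
# M authenticates to BOTH hosts, so both private keys must live on M
# and S must trust M's key. J only relays TCP; no shell ever runs on J.
Host jump
    HostName 192.0.2.10
    User root
    IdentityFile ~/.ssh/id_ed25519_jump
    IdentitiesOnly yes          # offer only this key, not every key in ~/.ssh

Host server
    HostName 192.0.2.20
    User root
    Port 22
    ProxyJump jump              # equivalent to: ProxyCommand ssh jump -W %h:%p
    IdentityFile ~/.ssh/id_ed25519_server   # M's own key for S, not J's key
    IdentitiesOnly yes
    ForwardAgent no

# Option B: keep the key for S only on J, as the question intended.
# M logs into J with its own key, gets a shell on J, and that shell runs
# a second ssh which uses /root/.ssh on J. This is two separate logins,
# not a tunnel. Trade-off: J's root account then holds a standing
# credential for S, so anyone who gains root on J can reach S; with
# option A, J holds no credential for S at all.
Host server-via-jump
    HostName 192.0.2.10         # connect to J, not to S
    User root
    IdentityFile ~/.ssh/id_ed25519_jump
    IdentitiesOnly yes
    RequestTTY yes              # the inner ssh needs a terminal
    RemoteCommand ssh root@192.0.2.20
```

With option A, `ssh -v server` should show the client offering the server key rather than the default id_rsa in the "Offering ... public key" line, which is the line that reveals the failure in the question's log. IdentitiesOnly keeps the client from cycling through every key in ~/.ssh (and the agent) on each hop, which is also what makes the offered key deterministic when reading debug output. Option B is the only layout in which S's key never leaves J, but it gives up the single-command, client-authenticated path the accepted answer describes.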
0

You don't log into the firewall, that's a network appliance that restricts packets. It's basically invisible in this scenario. It has to be configured to allow your packets to reach your bastion host (jumphost) server, which is port 22 in and probably high range ports out.

You log directly into the server, so it needs to be configured to allow this. Test this from another machine on the same network. From this bastion host you can log into machines that it's protecting in your private subnets.

Update based on further information: You don't need the bastion / jump host key on the target server, you need your key. It's not the bastion trying to access the server, it's a user, i.e. you.

Take a step back. Make sure you can access the target server using ssh from another server in the same subnet, using your key. Then try it from the bastion host.

3
  • By firewall I mean Jump Host :( Sorry! Commented Jan 19, 2017 at 18:35
  • Please edit your question to ensure it's accurate, and I suggest providing more context. This whole question seems to be asking about something quite trivial, so maybe there's something you haven't said. Commented Jan 19, 2017 at 18:47
  • Answer updated. I think you need to do more background reading in this area. Commented Jan 19, 2017 at 19:10
