2

I'm trying to connect to a number of hosts using pssh in combination with a jump host and ssh-agent key forwarding.

Unfortunately this fails quite regularly, but with different hosts failing. So this is only an example, which would look different next time:

    ~> pssh -h /tmp/hostfile -o /tmp/log -e /tmp/error/ -v uname -a
    [1] 13:51:18 [FAILURE] host1 Exited with error code 255
    [2] 13:51:19 [SUCCESS] host2
    [3] 13:51:19 [SUCCESS] host3
    [4] 13:51:19 [SUCCESS] host4
    [5] 13:51:19 [SUCCESS] host5
    [6] 13:51:19 [SUCCESS] host6
    [7] 13:51:19 [SUCCESS] host7
    ….
    [16] 13:51:19 [SUCCESS] host16

When having a deeper look, I'm getting

    ssh_exchange_identification: Connection closed by remote host
    ssh_exchange_identification: Connection closed by remote host

on the host that failed. This looks much like the ssh-agent key forwarding via jump host did not work in this particular scenario.

Inside my ~/.ssh/config it looks like this:

    ForwardAgent yes

    Host *.tld.foo
        User frlan
        ProxyCommand ssh tld-jump-host nc %h %p

    Host tld-jump-host
        HostName myhost.example.com
        User frlan
        ProxyCommand none

Usually this is working. Now I'm wondering why, starting at about 15 hosts, sometimes the key is not forwarded and how I can upgrade my configuration to prevent this from happening.

1 Answer

2

> I'm trying to connect to a number of hosts using pssh in combination with a jump host and ssh-agent key forwarding.

For connections using ProxyCommand you do not need any ssh-agent forwarding. All the authentication is done directly from your computer.

Manual page for ssh_config says

> For each parameter, the first obtained value will be used.

therefore the Host tld-jump-host block should be before Host *.tld.foo block, especially if the jump box has the same tld as the hosts behind it.

If you are connecting to many hosts behind this jump box, you might be triggering a connection limit and the connections will get randomly rejected. You can try to avoid it by bumping the connection rate limit in the jump box server (MaxStartups option in sshd_config), or multiplex the connections to the jump box by creating the directory ~/.ssh/cm/ and adding the following to the jump box block in ssh_config:

    ControlMaster auto
    ControlPath ~/.ssh/cm/%C
    ControlPersist 5m
5
  • I changed sorting of the options which did not solve the issue. Also ForwardAgent triggering did not change anything. Commented Jul 10, 2017 at 12:19
  • Probable issue is that you are connecting to the jumphost multiple times, which triggers connection rejection (too many connections -- you would be able to see such error in the server log). Try to use connection multiplexing (I will update the answer). Commented Jul 10, 2017 at 12:21
  • I did not see any error on jump host inside e.g. auth.log — but the controlmaster-configs did solve it (at least for tests I did). Commented Jul 10, 2017 at 12:27
  • It might be in verbose/debug logs ... I am not sure now. Clearly with control master you should get significantly better performance. Commented Jul 10, 2017 at 12:28
  • I will test it a little more. Meanwhile just +1 for the help Commented Jul 10, 2017 at 12:38
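
The random rejections that the answer attributes to the jump host's connection limit can be estimated from the `MaxStartups` value. The script below is an added example, not code from the original posts or from OpenSSH; it assumes OpenSSH's documented default of `10:30:100` and a worst case in which no connection of the burst has authenticated yet, and the function names are illustrative.

```shell
#!/bin/sh
# Added example: how sshd's MaxStartups random early drop treats a burst of
# parallel connections. Follows OpenSSH's "start:rate:full" semantics.

# drop_percent SPEC PENDING
#   SPEC    MaxStartups value, "start:rate:full" or a single hard limit
#   PENDING unauthenticated connections already open when a new one arrives
# Prints the percent chance that sshd refuses the new connection.
drop_percent() {
    spec=$1 pending=$2
    case $spec in
        *:*:*) start=${spec%%:*}; rest=${spec#*:}
               rate=${rest%%:*};  full=${rest#*:} ;;
        *)     start=$spec; rate=100; full=$spec ;;
    esac
    if [ "$pending" -lt "$start" ]; then echo 0; return; fi
    if [ "$pending" -ge "$full" ] || [ "$rate" -eq 100 ]; then echo 100; return; fi
    # Linear ramp from rate% at "start" to 100% at "full" (integer math)
    echo $(( (100 - rate) * (pending - start) / (full - start) + rate ))
}

# at_risk SPEC BURST
#   Worst case: BURST connections arrive before any has authenticated.
#   Prints how many of them face a non-zero drop chance.
at_risk() {
    spec_in=$1 burst=$2 i=0 count=0
    while [ "$i" -lt "$burst" ]; do
        if [ "$(drop_percent "$spec_in" "$i")" -gt 0 ]; then
            count=$((count + 1))
        fi
        i=$((i + 1))
    done
    echo "$count"
}

# Constructed input: OpenSSH's documented default and a 16-host pssh run.
# On a real jump host, read the live value with: sshd -T | grep -i maxstartups
SPEC=10:30:100
echo "connections at risk in a burst of 16: $(at_risk "$SPEC" 16)"
echo "drop chance for the 16th connection:  $(drop_percent "$SPEC" 15)%"
```

With the default value, a burst of 10 or fewer new connections is never dropped, while each connection beyond the tenth is refused about a third of the time, so which host fails varies from run to run.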
