
I have a network topology like this:

Laptop -> Bastion -> Destination 

Bastion and Destination are EC2 instances using the same SSH key for SSH access. However, Destination cannot be accessed from the Internet. Its IP address is visible only to Bastion.

I am able to connect to the Bastion and use agent forwarding to pass the SSH key over and then connect separately from the Bastion to the Destination server. However, I'd like to configure my .ssh/config file in such a way that I can SSH to the Destination server using one command from the laptop. My current .ssh/config file looks like this:

    Host Bastion
        Hostname <redacted>
        IdentityFile ~/.ssh/mykey.pem

    Host Destination
        Hostname <redacted>
        User ubuntu
        ProxyCommand ssh -A bastion-dev -W %h:%p

But when I run

    ssh -A ubuntu@Destination

SSH responds with:

    Permission denied (publickey).
    ssh_exchange_identification: Connection closed by remote host

How do I correctly pass the SSH key from my local to the Bastion server without having to store it on the server? Can I configure all this via .ssh/config file so that I can log into the Destination server with a single command?

1 Answer


Debug with one or more ssh -v flags from the client and check the logs on the relevant server to see where the problem is.

All too frequently I have different keys for different customers, sites and projects, and I run into a MaxAuthTries setting of the remote ssh server when ssh-agent is still trying every potential key and hasn't reached the correct one yet. Check your server logs for that.

Also, typically the username on my workstation won't match the one that gets assigned on either Bastion or Destination, so I prefer to set all settings explicitly in my configs. That way I won't need to use any command-line flags and can simply type ssh Destination and be done with it.

    Host Bastion
        Hostname bastion.example.com
        User hbruijn-adm
        ForwardAgent yes
        AddKeysToAgent yes
        UseKeychain yes  # Specific to OS X
        IdentityFile ~/.ssh/id_rsa.bastion

    Host Destination
        Hostname destination.example.com
        User ubuntu
        ForwardAgent yes
        AddKeysToAgent yes
        UseKeychain yes  # Specific to OS X
        IdentityFile ~/.ssh/id_rsa.destination
        ProxyJump Bastion

ProxyJump is a relatively new setting that I find somewhat more intuitive to use than a ProxyCommand.

  • Thank you. With your advice, I was able to debug the issue. My problem was a silly one - I was connecting to the wrong server. One that doesn't have the ubuntu user. Commented May 15, 2018 at 18:53
  • nice, didn't notice ProxyJump, elegant... Commented May 16, 2018 at 12:56
  • AFAIK you do not need to use ForwardAgent yes; actually you should set it to no instead. Because you use ProxyJump, you do not need it, and it is unsafe anyway. You should try if that works the same. Commented Apr 12, 2019 at 20:46
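As an added example (not code from the question, the answer or OpenSSH itself), the following Python resolver applies OpenSSH's first-match-wins rule to a config laid out like the answer's, walks the ProxyJump chain from the laptop side and flags two things a practitioner would check: ForwardAgent yes, which ProxyJump does not need (the last comment's point), and a missing IdentitiesOnly yes, which stops the agent from offering every key and tripping MaxAuthTries (the answer's point). The sample config is constructed, omits Hostname lines, and the resolver assumes one alias per ProxyJump.

```python
import fnmatch

# Constructed sample: the answer's layout plus IdentitiesOnly and ForwardAgent off.
SAMPLE_CONFIG = """
Host Bastion
    User hbruijn-adm
    IdentityFile ~/.ssh/id_rsa.bastion
    IdentitiesOnly yes
Host Destination
    User ubuntu
    IdentityFile ~/.ssh/id_rsa.destination
    IdentitiesOnly yes
    ProxyJump Bastion
Host *
    ForwardAgent no
"""

def parse_blocks(text):
    """Split ssh_config text into (host patterns, {keyword: value}) blocks."""
    blocks = [(["*"], {})]  # options before any Host line apply everywhere
    for line in (l.split("#", 1)[0].strip() for l in text.splitlines()):
        if not line:
            continue
        key, _, value = line.partition(" ")
        if key.lower() == "host":
            blocks.append((value.split(), {}))
        else:
            blocks[-1][1].setdefault(key.lower(), value.strip())
    return blocks

def effective(blocks, host):
    """OpenSSH rule: for each keyword the first matching block's value wins."""
    result = {}
    for patterns, opts in blocks:
        if any(fnmatch.fnmatchcase(host, p) for p in patterns):
            result = {**opts, **result}  # values already set take precedence
    return result

def audit(blocks, host):
    """Walk the ProxyJump chain (one alias per hop) and flag weak settings."""
    chain, findings = [host], []
    while (jump := effective(blocks, chain[0]).get("proxyjump")):
        if jump in chain:
            raise ValueError("ProxyJump loop through " + jump)
        chain.insert(0, jump)  # the jump host is dialled before this hop
    for hop in chain:
        opts = effective(blocks, hop)
        if opts.get("forwardagent", "no").lower() == "yes":
            findings.append(hop + ": ForwardAgent yes is not needed with ProxyJump")
        if "identityfile" in opts and opts.get("identitiesonly", "no").lower() != "yes":
            findings.append(hop + ": add IdentitiesOnly yes so only the listed key is offered")
    return chain, findings
```

For a real config, `ssh -G Destination` prints the resolved settings from the client itself without connecting, which is the quickest way to confirm which values a Host block actually produces.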
