Re: Multi Hopping by sshserver proxy with different keys

Stephen,

The problem is that my target key is on the gateway bastion host!
The client doesn't have it. Moreover, the bastion's keys are protected by
passphrases and served by ssh-agent. So I can't do any agent forwarding at
all.

Otherwise, I've never succeeded in having a key exchange between the bastion
and the target while netcatting in a ProxyCommand. It systematically ends
with an interactive password prompt (not a passphrase prompt).

Of course "ssh -t bastion ssh -t target" works well, but I don't want
to do it like that because I use a PuTTY client, which won't behave
ergonomically if used that way.
The same idea applies to your (however excellent) hackery with
exclamation marks (I'm on PuTTY... sorry for that).

Once again, this is a schematic view of what I want:

Windows             Linux               Linux
  |                   |                   |
Putty            OpenSSH_5.6p1      Openssh any version
  |                   |                   |
Client ----------> Bastion ----------> Target
  \_________________/   \________________/
     Client's Key         bastion's key
       (Pagent)             (ssh-agent)

Summarizing my needs by analogy with agent forwarding:
I'd like to have ssh-agent hopping.



-------- Original Message --------
Subject: Re: Multi Hopping by sshserver proxy with different keys
From: Stephen Dowdy <sdowdy@xxxxxxxx>
To: Nicolas Ferragu <nicolas.ferragu@xxxxxxxxxx>
Cc: secureshell@xxxxxxxxxxxxxxxxx
Date: 23/09/2010 19:26

> Nicolas,
> 
> If I understand your request fully...
> 
> I'll give you some info for OpenSSH (which you could use via Cygwin
> on your Windows client), but I don't know if PuTTY has similar
> capability. (Clearly, you've discovered plink.exe can do similar
> things.) (While this info may not apply directly to your problem, I
> figure it'll be of general interest.)
> 
> ----------------
> Host bastion
>     IdentityFile    ~/.ssh/bastionkey
>     User bastionuser
> 
> Host target
>     IdentityFile    ~/.ssh/targetkey
>     User targetuser
>     ProxyCommand ssh bastion nc target 22
> ----------------
> 
> If you have both keys on the client, a
> 
>     ssh target
> 
> will "do the right thing(tm)" here by finding the target directive,
> indirectly resolving to a bastion connection using the bastion key,
> then piggy-backing on the established bastion connection's netcat
> link to the target and applying the target key.
> 
> OpenSSH 5.5 or so has a builtin 'netcat'-like facility using
> '-W target:port'; I haven't started using that yet, as my normal
> systems (Debian Lenny) don't have that version.
> 
> 
> Here's some hackery i have in my ~/.ssh/config file:
> 
> -----------------------
> # Multi-(user+host) arbitrary gateway hopping
> #       usera%hosta!userb%hostb[!userc%hostc...]
> # STILL requires using '-l userd' for the destination user on the command line (i.e. we ignore the last
> # user in the specification)
> # e.g.  ssh -l root sdowdy@zia!root@umds0-vgw
> Host    *!*
>     GatewayPorts no
>     ProxyCommand $(h="%h";p="%p";ruh=${h##*\!};rh=${ruh##*\%%};ru=${ruh%%\%%*};[ "$ru" = "$rh" ] && ru=${USER};luh=${h%%\!*};lh=${luh##*\%%};lu=${luh%%\%%*};[ "$lu" = "$lh" ] && lu=${USER};echo ssh -l ${lu} ${lh} "\`type -p netcat nc | head -1\` ${rh} 22")
> # h=host, p=port (expanded by OpenSSH from the command line)
> # ruh,rh,ru=remote user+host, remote host, remote user (successively pulled off the right-hand side)
> # luh,lh,lu=local user+host, local host, local user (pulled off the left-hand side)
> # when a hop is written without "user%", the %-stripping leaves the hostname, so fall back to $USER
> -----------------------
> This directive allows you, if you use a Bourne-shell/POSIX-shell, to
> hop via an arbitrary number of [user@]host[!...] connections via
> iterative deconstruction of the target specified within OpenSSH.
> If you have any required keys in your client ssh-agent, they'll be
> appropriately applied down the chain. (Be careful of shell
> meta-character expansion of '!' -- I chose that after initially
> having chosen '::' as the gateway delimiter (DECnet-style
> poor-man's routing), and finding that while it worked for 'ssh',
> it DOESN'T work for scp. '!' works for both ssh and scp.)
> You can use some other separator like "_", which isn't valid in
> DNS.
> 
> The \`type -p netcat nc | head -1\` is simply used to work on SLES
> and *every other* Linux distro, since SLES uses 'netcat' (nc on SLES
> is something else). That whole thing can be replaced with simply
> 'nc' if you don't need to deal with SLES (and that's the primary
> requirement for a Bourne-alike shell).
> 
> 
> If I'm using the "bastion" (gateway) host frequently for multiple
> connections (I have a number of systems that have a backend RFC1918
> network of compute nodes or data servers), I may use ControlMasters
> like:
> 
> Host gw1-* gw2-*
>     User            blah
>     NumberOfPasswordPrompts 1
>     ConnectTimeout  60
>     ControlMaster   auto
>     ControlPath     ~/.ssh/%r@%h:%p.sock
> 
> That way, I only authenticate once on the gateway host and use that
> ControlMaster connection as the piggyback for subsequent connections
> to that gateway and any hosts residing behind it.  This is mainly
> useful on systems where I'm required to enter a password, instead
> of using authorized-key trust.
> 
> --stephen
> 

La Poste postscript

This message is confidential. Subject to any agreement concluded in
writing between you and La Poste, its content in no way represents a
commitment on the part of La Poste. Any publication, use or
distribution, even partial, must be authorised in advance. If you are
not the intended recipient of this message, please notify the sender
immediately.
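The quoted "Host *!*" rule packs its whole decomposition into one ProxyCommand line, with the extra twist that ssh_config writes a literal '%' as '%%', so what the shell finally runs is "${h%\!*}" (shortest suffix removed), not "${h%%\!*}". The following is an added example, not code from either poster: the same decomposition written as plain POSIX shell functions that can be run and inspected without ssh. It goes beyond the quoted two-hop case in two ways, both stated as the editor's generalisation: a chain of any length is handled by recursing on the left-hand part of the spec, and the user named for the final hop is used rather than having to be repeated with "-l". The host and user names in the demo are constructed placeholders; "nc" is assumed to be present on each gateway for the netcat form, and "ssh -W" (the builtin netcat replacement mentioned in the thread, available from OpenSSH 5.4) is assumed for the generated config.

```shell
#!/bin/sh
# Added example (not code from the thread): the decomposition performed by
# the quoted "Host *!*" ProxyCommand rule, as plain POSIX shell.
# Spec syntax, as in the thread:  [user%]host[![user%]host...]
# Unlike inside ssh_config, '%' needs no doubling here, so the expansions
# are written exactly as the shell sees them.

# Account used when a hop is written without "user%".
default_user() { printf '%s\n' "${USER:-$(id -un)}"; }

# host_of / user_of: split one "[user%]host" element.
host_of() { printf '%s\n' "${1##*%}"; }
user_of() {
    case $1 in
        *%*) u=${1%%\%*}; printf '%s\n' "$u" ;;
        *)   default_user ;;
    esac
}

# proxy_cmd SPEC [PORT]: the ProxyCommand the right-most hop of SPEC needs,
# i.e. ssh into the hop left of it and run netcat there.  The quoted rule
# looks up `type -p netcat nc` on the gateway to cope with SLES; plain nc
# is assumed here.
proxy_cmd() {
    right=${1##*!}      # the hop being dialled
    left=${1%!*}        # everything left of the last '!'
    via=${left##*!}     # the hop that will run netcat
    printf 'ssh -l %s %s nc %s %s\n' \
        "$(user_of "$via")" "$(host_of "$via")" "$(host_of "$right")" "${2:-22}"
}

# proxies SPEC: every ProxyCommand in the chain, innermost first.  Each line
# is the ProxyCommand of the line after it; this is the "iterative
# deconstruction" carried on for as long as the left-hand spec has a '!'.
proxies() {
    case $1 in
        *!*) proxies "${1%!*}"; proxy_cmd "$1" ;;
    esac
}

# chain SPEC: the proxies followed by the final ssh to the last hop.
chain() {
    proxies "$1"
    last=${1##*!}
    printf 'ssh -l %s %s\n' "$(user_of "$last")" "$(host_of "$last")"
}

# gen_config SPEC: the same chain as ssh_config Host blocks, leaving the
# recursion to ssh itself.  Each hop's ProxyCommand uses "ssh -W host:port"
# (OpenSSH 5.4 and later), so no nc binary is needed on the gateways.
gen_config() {
    rest=$1 prev=
    while :; do
        hop=${rest%%!*}
        printf 'Host %s\n    User %s\n' "$(host_of "$hop")" "$(user_of "$hop")"
        if [ -n "$prev" ]; then
            printf '    ProxyCommand ssh -W %%h:%%p %s\n' "$prev"
        fi
        prev=$(host_of "$hop")
        case $rest in
            *!*) rest=${rest#*!} ;;
            *)   break ;;
        esac
    done
}

# "sh thisfile.sh demo" shows the expansion of the thread's own example
# and of a constructed three-hop chain (placeholder names).
if [ "${1:-}" = "demo" ]; then
    chain 'sdowdy%zia!root%umds0-vgw'
    echo
    chain 'a%A!b%B!c%C'
    echo
    gen_config 'a%A!b%B!c%C'
fi
```

Whichever form is used, the key exchange with each hop is still performed by the client's own ssh over the tunnel the previous hop provides: the ProxyCommand only carries bytes. That is why a key that exists only on the bastion, as in the situation described in the reply above, cannot be used by a ProxyCommand or -W chain; the client must hold the target key itself, or reach it through a forwarded agent.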



