in reply to Re: ssh chain
in thread ssh chain
ssh -t shmem@gateway ssh -t admin@host.example.com \
    ssh -t wrxd15@192.168.123.2 ssh -t root@192.168.254.2
... I don't have the password for wrxd15@192.168.123.2, nor is this user allowed to log in to 192.168.254.2 as root. The root passwords are generally unknown. It's my public key that is installed on each of these accounts in ~/.ssh/authorized_keys2, and my private key certainly won't leave my machine.
Furthermore, with a complex network setup, and being forced to use multiple ways to connect to a remote site - that occurs generally after a service down alert has arrived - entries in ~/.ssh/config aren't that useful for me.
I whipped the above cruft up because I need tunneling and forwarding of arbitrary local/remote ports to/from the remote host with changing requirements.
<update>
I need
            host1      host2      host3
          +-------+  +-------+  +-------+
ssh 1 ----------\ |  |       |  |       |
ssh 2 ---------------------\ |  |       |
ssh 3 ================================> |
ssh 2 ---------------------/ |  |       |
ssh 1 ----------/ |  |       |  |       |
          +-------+  +-------+  +-------+
rather than
            host1      host2      host3
          +-------+  +-------+  +-------+
          |       |  |       |  |       |
          |       |  |       |  |       |
ssh 1 ======> ssh 2 ===> ssh 3 =======> |
          |       |  |       |  |       |
          |       |  |       |  |       |
          +-------+  +-------+  +-------+
The most insane thing I do sometimes is tunneling a complete network via ppp through 5+ chained ssh's:
           host1      host2        host3      | |
         +-------+  +-------+    +-------+    | |
ssh 1 ---------\ |  |       |    | proxy |    |n|
ssh 2 --------------------\ |    |  arp  |    |e|
ssh 3 --------------------------------\ \|    |t|
ppp ===== compress ======================^===== |
ssh 3 --------------------------------/  |    |w|
ssh 2 --------------------/ |    |       |    |o|
ssh 1 ---------/ |  |       |    |       |    |r|
         +-------+  +-------+    +-------+    |k|
</update>
--shmem
_($_=" "x(1<<5)."?\n".q·/)Oo. G°\ /
/\_¯/(q /
---------------------------- \__(m.====·.(_("always off the crowd"))."·
");sub _{s./.($e="'Itrs `mnsgdq Gdbj O`qkdq")=~y/"-y/#-z/;$e.e && print}
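Added example, not part of the original post or its author's script: the nested layout in the first diagram, where every hop is authenticated from the local machine and the private key stays there, is what OpenSSH's ProxyJump option (`-J`, OpenSSH 7.3 and later) produces. The helper names `valid_hop` and `build_chain` are hypothetical, and the port forward in the usage comment is constructed.

```shell
#!/bin/sh
# Added example: print one ssh command that nests each hop inside the
# previous one via ProxyJump (-J). Port forwards (-L/-R) apply to the
# session with the final target. Helper names are hypothetical.

# valid_hop: accept [user@]host[:port]; reject empty values, whitespace,
# commas (the -J separator) and a leading '-' (would be parsed as an option).
# IPv6 literals in brackets are not handled by this sketch.
valid_hop() {
    case $1 in
        ''|-*|*[!A-Za-z0-9@._:-]*) return 1 ;;
    esac
    return 0
}

# build_chain [-L spec | -R spec]... [hop ...] target
# The last positional argument is the target; earlier ones are jump hosts.
build_chain() {
    fwd='' jumps='' target=''
    while [ $# -gt 0 ]; do
        case $1 in
            -L|-R)
                [ $# -ge 2 ] || return 2
                case $2 in ''|-*|*[!A-Za-z0-9._:/-]*) return 2 ;; esac
                fwd="$fwd $1 $2"; shift 2 ;;
            *)
                valid_hop "$1" || return 2
                # the previous "target" becomes one more jump host
                [ -z "$target" ] || jumps="${jumps:+$jumps,}$target"
                target=$1; shift ;;
        esac
    done
    [ -n "$target" ] || return 2
    printf 'ssh%s%s %s\n' "${jumps:+ -J $jumps}" "$fwd" "$target"
}

# Constructed usage with the hosts named in the post:
#   build_chain -L 8080:localhost:80 shmem@gateway admin@host.example.com \
#       wrxd15@192.168.123.2 root@192.168.254.2
```

The function only prints the command, so the chain can be reviewed before it is run.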
Re^3: ssh chain
by nigelm (Initiate) on Sep 30, 2006 at 08:38 UTC