[LUNI] SSH Trickery

Demetri Mouratis dmourati at cm.math.uiuc.edu
Wed Feb 7 16:37:01 CST 2007


Hi,

While I'm normally the one proposing SSH tricks like the one I'm after, I 
thought I would throw this one out there for discussion.

I have an office network, to which my, my boss's, and my entire 
engineering team's PCs are connected.  This network sits behind a NAT 
firewall and is locally addressed in RFC 1918 space.  We have a colo 
facility, with a number of Linux boxes and several networks laid out as 
VLANs.  One network is for the production hosts, and there is a second 
network we refer to as an admin network.  We run monitoring, logging, and 
other administrative processes from an ops2 server in this admin network 
against production, including SSH.  We want to prevent our Eng team from 
accessing the production network while still allowing my group, 
Operations, to do their jobs.

SSH access is allowed from the office network to the admin network, but 
only my boss and I have authentication via SSH keys.

So, my question is this: is there some crafty way I can tell my client, 
OpenSSH 4.3, to do a "double ssh" for hosts in the production network, 
first hopping through ops2, and then going to the production hosts in the 
protected network?  I have ssh-agent forwarding enabled so this works if I 
do so manually, e.g.:

[dmourati at demetri2 ~]$ ssh -l root ops2
Last login: Wed Feb  7 22:22:22 2007 from mynat.snvacaid.covad.net
[root at ops2 ~]# ssh -l root threeprodds1
Last login: Wed Feb  7 22:18:49 2007 from ops2.lnc.rnmd.net
Kickstart-installed on Fri Jan 26 00:55:20 GMT 2007
[root at threeprodds1 ~]#

What I'd like is a setup that would let me get around this:

[dmourati at demetri2 ~]$ ssh -l root threeprodds1
ssh: connect to host threeprodds1 port 22: No route to host

Any tips greatly appreciated.

Thanks.

-D
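An added example, not part of the original post: a small shell script that generates and installs an ~/.ssh/config fragment so that "ssh threeprodds1" from the office transparently hops through ops2. The host names ops2 and threeprodds1 and the user root come from the post; the wildcard pattern "threeprod*" and the config path are assumptions. Note that "ssh -W" (stdio forwarding) only appeared in OpenSSH 5.4 and ProxyJump in 7.3, so a 4.3 client needs the netcat variant shown in the comments, with nc installed on ops2.

```shell
#!/bin/sh
# Added example (not from the post): generate and install an ~/.ssh/config
# fragment so that "ssh threeprodds1" from the office transparently hops
# through ops2. Host names ops2/threeprodds1 and user root come from the
# post; the wildcard "threeprod*" and the config file path are assumptions.

# Print the config fragment. $1 = jump host on the admin network,
# $2 = Host pattern for the production boxes behind it.
gen_ssh_config() {
    jump=$1
    pattern=$2
    cat <<EOF
# Jump host on the admin network, reachable directly from the office.
Host $jump
    User root
    # Not needed for the hop below: the production host authenticates
    # you end-to-end through the tunnel, so there is no reason to expose
    # your agent socket to root on $jump.
    ForwardAgent no

# Production hosts are unroutable from the office; tunnel through $jump.
Host $pattern
    User root
    # OpenSSH 5.4 and later: stdio forwarding, nothing extra needed on $jump.
    ProxyCommand ssh -W %h:%p $jump
    # OpenSSH 4.3 (the client in the post) has no -W; use netcat on $jump:
    # ProxyCommand ssh $jump nc %h %p
    # OpenSSH 7.3 and later can replace the ProxyCommand line with:
    # ProxyJump $jump
EOF
}

# Append the fragment to config file $1 unless a "Host $3" block is
# already present; the file is created mode 0600 if it does not exist.
install_ssh_config() {
    cfg=$1
    jump=$2
    pattern=$3
    if [ -f "$cfg" ] && grep -qFx "Host $pattern" "$cfg"; then
        return 0
    fi
    ( umask 077; gen_ssh_config "$jump" "$pattern" >> "$cfg" )
}

# Stand-alone use: print the fragment for the hosts given on the command line,
# e.g.  ./sshhop.sh ops2 'threeprod*' >> ~/.ssh/config
gen_ssh_config "${1:-ops2}" "${2:-threeprod*}"
```

With ProxyCommand the SSH session to the production host runs end-to-end from the office client: its host key is checked against the office machine's known_hosts (expect a first-connection prompt), and authentication uses the office agent or key directly, so agent forwarding to ops2 can stay off. The inner "ssh ops2" still authenticates to ops2 with your key in the usual way.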

