[LUNI] SSH Trickery

John Mason jlm at uic.edu
Wed Feb 7 17:04:54 CST 2007


On Wed, Feb 07, 2007 at 04:37:01PM -0600, Demetri Mouratis wrote:
> So, my question is this, is there some crafty way I can tell my client, 
> openssh 4.3 to do a "double ssh" for hosts in the production network, 
> first hopping through ops2, and then going to the production hosts in the 
> protected network?  I have ssh-agent forwarding enabled so this works if I 
> do so manually, e.g.:
> 
> [dmourati at demetri2 ~]$ ssh -l root ops2
> Last login: Wed Feb  7 22:22:22 2007 from mynat.snvacaid.covad.net
> [root at ops2 ~]# ssh -l root threeprodds1
> Last login: Wed Feb  7 22:18:49 2007 from ops2.lnc.rnmd.net
> Kickstart-installed on Fri Jan 26 00:55:20 GMT 2007
> [root at threeprodds1 ~]#
> 
> What I'd like is a setup that would let me get around this:
> 
> [dmourati at demetri2 ~]$ ssh -l root threeprodds1
> ssh: connect to host threeprodds1 port 22: No route to host

ssh tunnelling. I do this every day.

ssh -N -q -f -L 30000:destinationhost:22 userid1 at bastionhost
ssh -p 30000 userid2 at localhost

where userid1 is my bastionhost userid and userid2 is my userid on the 
destination

you'll want 
NoHostAuthenticationForLocalhost=yes
in your ~/.ssh/config and you may want to define a host alias for your bastion.

you can predefine your forwards in ~/.ssh/config too, like so:

host priv
	hostname bastion
	user userid1
	localforward 30000 destinationhost:22

host destination
	hostname localhost
	user userid2
	port 30000

then you can pretty much just do 
ssh priv
once and
ssh destination 
to your heart's content.

-- 
%40 <- This is not an @.                               John Mason - jlm at uic.edu
University of Illinois at Chicago - Academic Computing and Communications Center
   Usenet Administrator, Listserv Administrator, Sun Software Contact et al.
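
Added example, not part of John's post and not OpenSSH's own files: the same
bastion setup written so that ssh still verifies the destination's host key.
NoHostAuthenticationForLocalhost=yes tells ssh to skip the host-key check for
anything answering on localhost, which is exactly where the forwarded port
lives, so a bastion (or anything able to speak on 30000 there) could present
its own key and the client would not notice. HostKeyAlias keeps the
LocalForward design and restores the check against the known_hosts entry for
the real destination; ProxyJump (OpenSSH 7.3 and later) replaces the two-step
dance entirely and needs no agent forwarding to the bastion. The names
bastionhost, destinationhost, userid1, userid2 and port 30000 are the post's
placeholders; post_config (a reconstruction of the post's config), the
hardened stanzas and check_config are mine, constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the original post. Produces an ssh_config that
# reaches destinationhost through bastionhost while keeping host-key
# verification on, and a check that flags a config which turns it off.
# Host names, user names and port 30000 are the post's placeholders.

# The post's config plus the NoHostAuthenticationForLocalhost line it
# recommends, reconstructed here as the "before" case.
post_config() {
    cat <<'EOF'
NoHostAuthenticationForLocalhost=yes

host priv
    hostname bastion
    user userid1
    localforward 30000 destinationhost:22

host destination
    hostname localhost
    user userid2
    port 30000
EOF
}

# Hardened config. Stanza "destination" keeps the post's LocalForward design:
# HostKeyAlias makes ssh compare the key offered on localhost:30000 with the
# known_hosts entry for destinationhost, so a bastion (or anything between)
# that swaps in another key is caught. CheckHostIP no stops ssh from also
# recording 127.0.0.1 against that key. Stanza "destination-jump" does the
# hop in one command with ProxyJump (OpenSSH 7.3 or later); both host keys
# are verified end to end and the agent never has to be forwarded.
hardened_config() {
    cat <<'EOF'
Host priv
    HostName bastionhost
    User userid1
    LocalForward 30000 destinationhost:22

Host destination
    HostName localhost
    Port 30000
    User userid2
    HostKeyAlias destinationhost
    CheckHostIP no

Host destination-jump
    HostName destinationhost
    User userid2
    ProxyJump userid1@bastionhost
    # OpenSSH 5.4 to 7.2 instead: ProxyCommand ssh -W %h:%p userid1@bastionhost
EOF
}

# Return 1 if the config in file $1 disables host authentication, either
# globally or inside a Host stanza. Option names are case-insensitive and may
# be written "Option value" or "Option=value", so both spellings are matched.
check_config() {
    if grep -Eiq '^[[:space:]]*NoHostAuthenticationForLocalhost[[:space:]=]+yes' "$1"; then
        echo "$1: NoHostAuthenticationForLocalhost yes skips host-key checks on localhost" >&2
        return 1
    fi
    if grep -Eiq '^[[:space:]]*StrictHostKeyChecking[[:space:]=]+no' "$1"; then
        echo "$1: StrictHostKeyChecking no accepts unknown or changed keys" >&2
        return 1
    fi
    return 0
}

# Stand-alone demo: write both configs to a scratch directory and check them.
demo_dir=$(mktemp -d)
post_config > "$demo_dir/config.post"
hardened_config > "$demo_dir/config.hardened"
check_config "$demo_dir/config.post" && echo "post config: ok" || echo "post config: REJECTED"
check_config "$demo_dir/config.hardened" && echo "hardened config: ok" || echo "hardened config: REJECTED"
rm -rf "$demo_dir"
```

Drop the stanzas into ~/.ssh/config; `ssh -G destination` (OpenSSH 6.8 and
later) prints the options ssh would actually use for that host, which is the
quickest way to confirm HostKeyAlias took effect. The openssh 4.3 client in
the original question will reject the ProxyJump line as a bad configuration
option; the pre-5.4 equivalent is a ProxyCommand that runs nc on the bastion,
which needs nc installed there.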