1

I am trying to access a compute node on a cluster via the head node of the cluster and a public entry node. The user is known on both the entry node and the head node, and also on the compute node. However, passwords are not available on the compute nodes. Access to the compute node is via hostbased authentication. If I do each step individually, I can log in to the compute node.

However, I would like to do this with one single SSH command (since I actually just need to forward a port from the compute node to my local machine). If I do

```
ssh -v -J public.node.com,head.cluster.com node01
```

then I get the error

```
debug1: Next authentication method: password
joedoe@node01's password: 
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,hostbased
Permission denied, please try again.
joedoe@node01's password: 
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,hostbased
Permission denied, please try again.
joedoe@node01's password: 
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,hostbased
debug1: No more authentication methods to try.
joedoe@node01: Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password,hostbased).
debug1: channel 0: free: direct-tcpip: listening port 0 for node01 port 22, connect from 127.0.0.1 port 65535 to UNKNOWN port 65536, nchannels 1
Killed by signal 1.
debug1: channel 0: free: direct-tcpip: listening port 0 for head.cluster.com port 22, connect from 127.0.0.1 port 65535 to UNKNOWN port 65536, nchannels 1
Killed by signal 1.
```

How can I stop the failure of the authentication method password from preventing hostbased being considered?

loris
  • Would it be an option to also have the user on the compute node and using SSH agent forwarding? – Halfgaar Jul 01 '22 at 13:45
  • I don't think so. In general the users do not necessarily have SSH keys and the particular ones in question definitely don't. – loris Jul 04 '22 at 09:07
  • As per the correction to the question, the users **are** defined on the compute nodes, but I can't assume SSH keys exist. – loris Jul 04 '22 at 14:08

2 Answers

0

As far as I know host based authentication is disabled by default in both ssh client and server. In addition to enabling that from your node01 sshd configuration, it must also have been enabled in the head.cluster.com global ssh client configuration.

From the explanation on how ssh host based authentication works here: https://hea-www.harvard.edu/~fine/Tech/ssh-host-based.html

Host based authentication relies on the ssh-keysign helper program to access the local host keys and to generate the digital signature required during host-based authentication.

Your problem is probably that the ssh client configuration from head.cluster.com is not used when using ProxyJump; only the ssh client configuration from your local machine is used. And on your local machine host based authentication is disabled, and there you don't have access to the required private keys from head.cluster.com.

Just setting HostbasedAuthentication yes on your local machine will therefore not be sufficient.

I think you can't avoid actually starting the ssh client on head.cluster.com.

Thus, rather than using ProxyJump all the way, you can only use that option for reaching head.cluster.com, and then you need to launch ssh from there.
But you can still do that in a single command:

```
ssh -tt -J public.node.com head.cluster.com ssh -tt node01
```

The multiple -tt options force tty allocation, even if ssh has no local tty.

Adding port forwarding on top of that is left as exercise for the reader. (In other words, I have no idea and no desire to find out.)

Rob
  • The hostbased authentication already works for individual SSH steps. However, the idea of not using the ProxyJump all the way looks promising - I'll give it a go with port forwarding (I also have no idea, but I do have the desire). – loris Jul 04 '22 at 09:22
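
To check whether a failed login matches what the answer above describes, the `ssh -v` output can be reduced to the methods the server offered but the local client never attempted. The following is an added example, not code from either poster; the function names are hypothetical and the sample log is constructed in the style of the question's output.

```shell
#!/usr/bin/env bash
# Added example: read `ssh -v` debug output on stdin and print, comma-separated,
# the authentication methods the server offered that the client never tried.
# Real use (one hop at a time, since with -J the debug lines of all hops interleave):
#   ssh -v user@host true 2>&1 | untried_methods

untried_methods() {
  awk '
    # Server side: methods the server says it will still accept.
    /Authentications that can continue:/ {
      sub(/.*continue: */, ""); sub(/\r$/, "")
      n = split($0, m, ",")
      for (i = 1; i <= n; i++)
        if (!(m[i] in offered)) { offered[m[i]] = 1; order[++cnt] = m[i] }
    }
    # Client side: methods the local ssh client actually attempted.
    /Next authentication method:/ {
      sub(/.*method: */, ""); sub(/\r$/, "")
      tried[$0] = 1
    }
    END {
      for (i = 1; i <= cnt; i++)
        if (!(order[i] in tried))
          out = out (out == "" ? "" : ",") order[i]
      print out
    }
  '
}

# Constructed sample: a client with HostbasedAuthentication left at its default
# (disabled) talking to a server that lists hostbased among its methods.
sample_log() {
  cat <<'EOF'
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,hostbased
debug1: Next authentication method: gssapi-keyex
debug1: Next authentication method: gssapi-with-mic
debug1: Next authentication method: publickey
debug1: Trying private key: /home/joedoe/.ssh/id_rsa
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,hostbased
debug1: Next authentication method: password
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,hostbased
debug1: No more authentication methods to try.
EOF
}

sample_log | untried_methods
```

If `hostbased` appears in the result, the client running the final hop never attempted it, so the password failures are not what kept it from being considered.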
0

I managed to achieve what I wanted with the following:

```
ssh -N joeblow@head.cluster.com -J public.node.com -L 12345:node01:12345
```

So I am just logging into the head node via the jump host and then forwarding my local port to that of the cluster node. The hostbased authentication allows the forwarding to work without a password being needed for the cluster node. I hadn't realized that the host involved in the port forwarding can be a third host which is neither the main argument to ssh nor the jump host and in my case is the cluster node.

loris