2

Here's the scenario: the user runs "ssh -i sshkey user@server1". I want the SSH connection to be tunneled through server1 to server2. Normally, the user could do this himself using:

    ssh -i sshkey user@server1 -o 'ProxyCommand /bin/nc server2 22'

However, I don't want the user to set up the proxy themselves, using ssh command-line arguments or even ssh_config changes. As sysadmin, I want to be able to redirect a user's SSH session to a different server transparently. All solutions I've found so far require ProxyCommand. Is there a way for me to accomplish this?

Note that the user is using SSH keys, not username/password, so those credentials need to be passed on to server2.

Matt White
  • If you are specifying the key with the `-i` option from the command line, then I doubt there is going to be any way to do this. You will either need to use the SSH agent, so your key is automatically forwarded, or you will need to use ProxyCommand. – Zoredache Aug 15 '12 at 22:48

2 Answers

2

I can think of two ways to do this:

Forced command in the user's AuthorizedKeysFile (i.e. `~/.ssh/authorized_keys`) on server1:

The entry would look like

    command="ssh server2" ssh-rsa AAAA...[rest of sshkey.pub]

Then the command `ssh -i sshkey server1` will send the user directly to server2.

Or, change the users' shell on server1 by setting it to something like /bin/proxyshell, the contents of which will be:

    #!/bin/bash
    ssh server2

Grisha Levit
  • Thanks for your answer! However, those two solutions won't pass the user's private key along, and so he won't get authenticated on server2. ProxyCommand apparently passes on the private key. – Matt White Aug 15 '12 at 21:27
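
Combining the forced command from this answer with the SSH agent mentioned in the comment on the question, as an added example that is not part of the original answer: a wrapper for server1 that hops to server2 only when a forwarded agent is present. The script path, the `--run` argument and `SSH_BIN` are assumptions, as is the user having loaded the key with `ssh-add` and connecting with `ssh -A`.

```shell
#!/bin/sh
# Added example: forced-command wrapper for server1 (hypothetical path
# /usr/local/bin/hop-to-server2). authorized_keys entry on server1:
#   command="/usr/local/bin/hop-to-server2 --run" ssh-rsa AAAA...
# Assumptions: the client connects with agent forwarding (ssh -A), the entry
# does not set no-agent-forwarding, and server2's host key is already in the
# user's known_hosts on server1.

TARGET="server2"            # second hop, name taken from the question
SSH_BIN="${SSH_BIN:-ssh}"   # overridable so the logic can be exercised offline

hop() {
    # The key passed with -i never leaves the client, so the second hop can
    # only authenticate through a forwarded agent socket.
    if [ -z "${SSH_AUTH_SOCK:-}" ]; then
        echo "no forwarded agent: reconnect with 'ssh -A'" >&2
        return 1
    fi
    # BatchMode=yes makes the hop fail instead of falling back to a password
    # prompt; "--" stops option parsing before the host and command.
    if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
        # The client ran "ssh server1 <command>": pass the command through.
        "$SSH_BIN" -o BatchMode=yes -- "$TARGET" "$SSH_ORIGINAL_COMMAND"
    else
        # Interactive login: ssh allocates a tty on server2 by itself.
        "$SSH_BIN" -o BatchMode=yes -- "$TARGET"
    fi
}

# While the session lasts, root on server1 can use the forwarded agent socket.
if [ "${1:-}" = "--run" ]; then
    hop
    exit $?
fi
```
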
0

I suspect that the question contains a misunderstanding on the use of SSH's ProxyCommand.

The ProxyCommand cannot be used to connect to server2 via server1, but to connect to server1 via the given command (which may involve server2, e.g., as a proxy). This command will need its own way of authenticating to server2 (see, e.g., https://stackoverflow.com/questions/1040089/how-do-i-use-github-through-harsh-proxies for various options to authenticate to a web proxy).
If the ProxyCommand succeeds in connecting to server1, the user will be authenticated there in the usual way(s).

dvo