1

I need to write a script for some co-workers to connect over the following topology, using a private key for authentication (the same key for each person works on both bastion and db access):

 ┌────────────┐    ┌────────────┐     ┌────────────┐     ┌────────────┐
 │            │    │            │     │            │     │            │
 │  desktop   │───>│  bastion   │────>│  db access │────>│  db 3306   │
 │  (windows) │    │  (linux)   │     │  (linux)   │     │  (mysql)   │
 └────────────┘    └────────────┘     └────────────┘     └────────────┘

My co-workers will then use this connection in a desktop db query tool.

To make this as easy to deploy as possible, I want to specify all the configuration on the command line without referring to any saved session data configured in the Putty UI. I have .ppk files for the private keys that the script can refer to.

What is the (probably very lengthy) putty and/or plink command line that will enable this?

From my interpretation of the manual, I've tried this:

plink -ssh -2  -i C:\temp\key.ppk -agent -A -t -l user -L 6035:127.0.0.1:6035 user@BASTION ssh -v -L 6035:DBHOST:3306 user@DBACCESS

That gets me to the bastion, but it then looks for a private key on the bastion to make the connection to db access.

I am able to connect to it with ssh from my Mac (code shown below), so I know that the current configuration of the boxes permits this kind of access. I am looking for a putty/plink solution for use for access from windows boxes.

ssh -v -A -t \
-L ${LOCAL_PORT}:localhost:${LOCAL_PORT} ${USER}@${BASTION_HOST} \
-t ssh -v -L ${LOCAL_PORT}:${DB_HOST}:${DB_PORT} ${USER}@${DB_ACCESS_HOST}
foundart
  • 111
  • 1
  • 3
  • 1
    What have you tried to work out on your own so far? Where are you stuck? Here plink manual. http://the.earth.li/~sgtatham/putty/0.63/htmldoc/Chapter7.html#plink – Zoredache Oct 06 '16 at 19:33
  • When connecting to the db access host, it's looking for a private key on the bastion host to send, rather than passing through the original key. – foundart Oct 07 '16 at 02:15
  • Issue this command after connecting to each of the hosts & you should be ok `grep ^AuthorizedKeysFile /etc/ssh/sshd_config | awk '{print $2}' | xargs -I{} sh -c 'ssh-add -L >> {}; sort -u {} -o {}';echo "ForwardAgent yes" >~/.ssh/config` – Anubioz Oct 07 '16 at 02:20
  • @Anubioz Thanks, but this for a windows box, so your solution doesn't apply here. And no cygwin. I'm trying to script a solution with minimal installation requirements for non-technical users. – foundart Oct 07 '16 at 03:57
  • You run that command on linux after your login there with putty – Anubioz Oct 07 '16 at 04:04
  • 1
    And if you need a solution with minimal requeerments, you really should look into OpenVPN/StrongSwan – Anubioz Oct 07 '16 at 04:08
  • Doh! Thanks for the clarification @Anubioz. I can give that a try but, fundamentally, I'm trying to reproduce in putty/plink on Windows what I can do with ssh from a unix client, which certainly doesn't involve that kind of modification. It seems like it should be possible...I just can't quite get it. – foundart Oct 07 '16 at 04:08
  • I'm actually trying this tunnel approach as an alternative to OpenVPN. Previous users have had too much trouble connecting to it. – foundart Oct 07 '16 at 04:11
  • 1
    One of the hosts which is in your chain has ssh agent forwarding disabled, that's why instead of authorizing with your source key it searches for it in the linux machine. Manually logging in & running that command I gave you will enable agent forwarding in linux boxes and add your windows keys to the trusted ones. To accomplish all that make sure your putty is configured for both password & key auth. And you must be running pagent with that key you want to add... – Anubioz Oct 07 '16 at 04:14
  • @Anubioz following your suggestion of starting pageant solved the problem. If you put that into an answer, I'll accept it. Thanks! – foundart Oct 07 '16 at 19:27
  • Sure, I'll do it in a few hours :) – Anubioz Oct 07 '16 at 19:34

1 Answers1

2

With the release of PuTTY 0.68 plink got a new command line option called -proxycmd. Using this new functionality yields a more robust less cluttered solution to the problem IMHO.

Unfortunately there is not much help for the -proxycmd option. It does execute a local command and uses it as a proxy. One can use even plink with the -nc option to create a tunnel up to the db access host.

For your topology the command executed on desktop machines this on the command prompt looks like this:

plink -A ^
  -proxycmd "plink -A -nc DBACCESS:22 user@BASTION" ^
  -L 6035:DBHOST:3306 ^
  user@DBACCESS

Note: For a password less login peagent must be running on the desktop host and have the appropriate keys loaded. As already mentioned in the comments, agent forwarding must be enabled on the bastion hosts to make it work seamlessly.

The connection looks like the ASCII art below. An outer tunnel goes up to the host db access via the proxy command. Encapsulated in the tunnel runs plink and establishes the port forward to the db host. 

 ┌────────────┐    ┌────────────┐    ┌────────────┐    ┌────────────┐
 │            │    │            │    │            │    │            │
 │            ─────────────────────────────       │    │            │
 │                      (1)                       │    │            │  
 │           ────────────────────────────────────────────           │
 │                      (2)                                         │
 │           ────────────────────────────────────────────           │
 │            ─────────────────────────────       │    │            │
 │  desktop   │    │  bastion   │    │  db access │    │  db 3306   │
 │  (windows) │    │  (linux)   │    │  (linux)   │    │  (mysql)   │
 └────────────┘    └────────────┘    └────────────┘    └────────────┘

 1) Tunnel via `-proxycmd "plink -A -nc DBACCESS:22 user@BASTION"`
 2) Proxied `plink` connection with port forward `-L 6035:DBHOST:3306`
uroesch
  • 21
  • 2
  • Sadly, I'm no longer able to vet your proposal, so I don't think it would be reasonable to accept your answer. Anubioz gave the answer that helped me at the time, but only in a comment, so I couldn't mark it as accepted. – foundart Jun 07 '19 at 04:53
  • @foundart No worries, I thought it is a common enough case to warrant an answer. – uroesch Jun 08 '19 at 07:55