Although a simple question, I have searched for days without success.

M = My machine 
J = Jump Host
S = Server

Jump Host has my public key on authorized_keys.
Server has J's public key on authorized_keys.

Allowed connections (due to key authentication):
M -> J
J -> S

How is it possible for me to ssh into S from my machine?

My current configuration is:

host jump
  user root
  HostName x.x.x.x

host server
  user root
  HostName x.x.x.x
  port 22
  ForwardAgent no
  ProxyCommand ssh jump -W %h:%p

It does not work as it tries to log in with M's key.

Here's the ssh log

debug1: Host 'x.x.x.x' is known and matches the ECDSA host key.
debug1: Found key in /Users/xxxxx/.ssh/known_hosts:1542
...
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /Users/xxxxx/.ssh/id_rsa
debug1: Authentications that can continue: publickey
debug1: Trying private key: /Users/xxxxx/.ssh/id_dsa
debug1: Trying private key: /Users/xxxxx/.ssh/id_ecdsa
debug1: Trying private key: /Users/xxxxx/.ssh/id_ed25519
debug1: No more authentication methods to try.
Permission denied (publickey).
Killed by signal 1.
cmf
    I am confused by your question. Agent forwarding should not be required in this setup. All the ssh connections requiring authentication will be initiated from your client. When you say `doesn't work`, please be more specific. What doesn't work. What errors do you get. What does your ssh debug output look like? – Zoredache Jan 19 '17 at 18:37
  • The problem is that it's trying to use my key (M) to authenticate in S when it's supposed to use J's key. I cannot specify the key to use with IdentityFile given it's on J and not on my machine. – cmf Jan 19 '17 at 19:08

2 Answers


The problem is that it's trying to use my key (M) to authenticate in S when it's supposed to use J's key. I cannot specify the key to use with IdentityFile given it's on J and not on my machine.

Well, that is your problem. The connections to both the jump host and the final destination are initiated directly from your client in this setup. Your client must have the correct key for both systems.

The ssh jump -W %h:%p in the proxy command starts an ssh session to your jump host, but doesn't create a shell; it just creates a tunnel directly to the destination host. Then your client makes an ssh connection through the tunnel. At no point is a shell started on the jump host that would let you access any keys stored on that intermediate host in this type of setup. Messing around with forwarding doesn't do anything. No forwarding is used to initiate the connection.

Zoredache
  • Understood. You are absolutely correct. What should I be using so that it works as intended, as opposed to ProxyCommand? The idea is to add security by isolating the key to the server inside the jump host. – cmf Jan 19 '17 at 19:31
  • AFAIK, you can't have it both ways. If you want to require any keys must only be stored and used from that jump host, then you can't have the convenience of being able to connect directly to the destination from your client. – Zoredache Jan 19 '17 at 19:39
  • Thanks! I have been searching for that clear explanation for a while! – tony Jul 13 '21 at 21:28
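The two configurations the accepted answer and its comments describe, as an added example that is not part of the original post or any answer. Option A keeps the asker's ProxyCommand/-W model, in which the client authenticates both hops itself, so the key S accepts has to live on M as well; per-host IdentityFile plus IdentitiesOnly stops the client from offering the wrong key first, which is what the debug log above shows. Option B keeps S's key only on J, as the asker wanted, and therefore starts the second ssh client on J from an interactive session instead of tunnelling through it (the trade-off Zoredache's comment describes: no direct connection from the client). Host aliases, user names, key paths and x.x.x.x are placeholders; the inner `server` name in option B must be resolvable in J's own ssh config or hosts file.

```shell
#!/bin/sh
# Added example, not from the original post. Aliases, key paths and
# x.x.x.x are placeholders.

# Option A: both hops authenticated from the client (M).
# ~/.ssh/id_jump is accepted by J, ~/.ssh/id_server by S; both keys are on M.
# IdentitiesOnly makes ssh offer only the listed key for that host instead
# of walking every id_* file it finds (the behaviour in the asker's log).
client_side_config() {
    cat <<'EOF'
Host jump
  User root
  HostName x.x.x.x
  IdentityFile ~/.ssh/id_jump
  IdentitiesOnly yes

Host server
  User root
  HostName x.x.x.x
  Port 22
  ForwardAgent no
  IdentityFile ~/.ssh/id_server
  IdentitiesOnly yes
  ProxyCommand ssh jump -W %h:%p
EOF
}

# Option B: S's key stays on J only. The second hop is an ssh client run
# *on* J, so J's ~/.ssh key is what S sees. -t allocates a tty so the inner
# ssh gets an interactive shell. No agent forwarding is involved.
# $1 = alias of J as known on M, $2 = name of S as known on J.
via_jump_command() {
    printf 'ssh -t %s ssh %s\n' "$1" "$2"
}

# Small check: how many explicit IdentityFile lines a generated config has.
# With option A this must be one per hop, since the client does both hops.
count_identity_files() {
    "$1" | grep -c '^ *IdentityFile '
}

# Usage: write option A to a file and test it, or run option B directly.
#   client_side_config > ~/.ssh/config.jump && ssh -F ~/.ssh/config.jump server
#   $(via_jump_command jump server)
```

With option A, `ssh -v server` should show only `/Users/.../id_jump` offered to J and only `id_server` offered to S. With option B there is nothing to configure on M beyond reaching J; the security property the asker wanted (the key for S never leaves J) holds, at the price that M can never open a direct tunnel to S.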

You don't log into the firewall, that's a network appliance that restricts packets. It's basically invisible in this scenario. It has to be configured to allow your packets to reach your bastion host (jumphost) server, which is port 22 in and probably high range ports out.

You log directly into the server, so it needs to be configured to allow this. Test this from another machine on the same network. From this bastion host you can log into machines that it's protecting in your private subnets.

Update based on further information: You don't need the bastion / jump host key in the target server, you need your key. It's not the bastion trying to access the server, it's a user, i.e. you.

Take a step back. Make sure you can access the target server using ssh from another server in the same subnet, using your key. Then try it from the bastion host.

Tim
  • By firewall I mean Jump Host :( Sorry! – cmf Jan 19 '17 at 18:35
  • Please edit your question to ensure it's accurate, and I suggest providing more context. This whole question seems to be asking about something quite trivial, so maybe there's something you haven't said. – Tim Jan 19 '17 at 18:47
  • Answer updated. I think you need to do more background reading in this area. – Tim Jan 19 '17 at 19:10