
Is it possible to connect to a web server and then connect to a git server using SSH agent if the second hop needs a different user?

It works if I pass in the user name explicitly.

$ ssh web.example.com
# connects

  > ssh -T yellow@git.example.com
  > # connects

It does not work if I rely on the SSH config to set user.

$ ssh web.example.com
# connects

  > ssh -T git.example.com
  > # permission denied

Here is the SSH config on my machine.

Host web.example.com
  User blue
  ForwardAgent yes

Host git.example.com
  User yellow

In the debug output it says authenticating as blue even though the config sets the user to yellow for the host.

debug1: Authenticating to git.example.com:22 as 'blue'

Why does it use the wrong user? I don't want to hard code the user because then it does not work for the whole team to use the same deploy script.

AJcodez
    The agent doesn't forward anything in your ssh configuration file. It only deals with handling keys/certs. – Zoredache Jul 03 '18 at 23:39

1 Answer


I prefer to set all settings explicitly in my ~/.ssh/config with a short alias for each host. That way I won't need to use any command-line flags and can simply type less, use ssh Destination, and be done with it.

Host web
    Hostname web.example.com
    User blue
    ForwardAgent yes
    AddKeysToAgent yes
    # UseKeychain is specific to OS X
    UseKeychain yes
    IdentityFile ~/.ssh/id_rsa.blue

Host git
    Hostname git.example.com
    User yellow
    ForwardAgent yes
    AddKeysToAgent yes
    # UseKeychain is specific to OS X
    UseKeychain yes
    IdentityFile ~/.ssh/id_rsa.yellow
    ProxyJump web

ProxyJump is a relatively new setting that I find somewhat more intuitive to use than a ProxyCommand. Now ssh git will do exactly what you need: first create a session using blue@web.example.com as a first hop, from which you tunnel to your next hop with yellow@git.example.com.

You can also use the ProxyJump command directly from the command line:

ssh -J blue@web.example.com yellow@git.example.com
HBruijn
  • Thank you for the reply. I want the web server to run git commands against the git server and download code. If I use proxy will the web server receive new code? or will it relay commands and client machine receives code? I can connect from client to git server no problem without web server. I want the web server to connect too without storing keys or config. – AJcodez Jul 03 '18 at 19:44
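
Why the second hop in the question authenticates as 'blue', shown as an added example that is not from either poster: the ssh started on web.example.com reads that machine's configuration, not the client's, and with no User entry it falls back to the local login name. The script uses `ssh -G` (prints the effective options without connecting); the empty "hop" config is a constructed stand-in that assumes the web server has no entry for git.example.com.

```shell
#!/bin/sh
# Added example: compare the login name ssh resolves under different configs.
# `ssh -G` evaluates Host blocks and prints the result; nothing is contacted.

# effective_user CONFIG_FILE DESTINATION -> prints the resolved login name
effective_user() {
    ssh -G -F "$1" "$2" | awk '$1 == "user" { print $2; exit }'
}

# The config from the question, as it exists on the client machine only.
write_client_config() {
    cat > "$1" <<'EOF'
Host web.example.com
  User blue
  ForwardAgent yes

Host git.example.com
  User yellow
EOF
}

# Constructed stand-in for the web server (assumption: it has no ssh config
# entry for git.example.com). Agent forwarding carries keys, not this file.
write_hop_config() {
    : > "$1"
}

tmpdir=$(mktemp -d)
trap 'rm -rf "$tmpdir"' EXIT
write_client_config "$tmpdir/client"
write_hop_config "$tmpdir/hop"

# On the client the Host block applies.
echo "client config:      $(effective_user "$tmpdir/client" git.example.com)"
# On the hop there is no User entry, so ssh uses whoever is logged in there
# (blue on the real web server; the current user when run locally).
echo "hop, no user given: $(effective_user "$tmpdir/hop" git.example.com)"
# An explicit user@host needs no config, which is why that form worked.
echo "hop, user@host:     $(effective_user "$tmpdir/hop" yellow@git.example.com)"
```

Running `ssh -G git.example.com | grep '^user '` on the web server itself shows which name a deploy script there would actually use.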