SSH ProxyCommand with same password

bash, ssh, windows 10

I have a jump/proxy host ("jump") I use to access my final destination host ("final"). I have it configured correctly to allow me in. However, it requires I enter my passphrase twice (once for "jump", once for "final").

~/.ssh/config…

Host jump
        Hostname jump.domain.com
        User username
        IdentityFile ~/.ssh/id_rsa

Host final
        Hostname final.otherdomain.com
        User username
        IdentityFile ~/.ssh/id_rsa
        ProxyCommand ssh -q jump -W %h:%p

Is there a secure way of allowing the password from the first entry to be passed to the second? In addition to just the inconvenience, I worry about locking myself out by entering a complex password several times each time I need to access "final".

I do not have admin rights to either "jump" or "final", but could request reasonable changes from our support tech.

I don't imagine this matters, but this is in Bash via WSL (Windows Subsystem for Linux).

PS: I've found a couple of threads on the StackExchange network and Google that involve insecure means via scripting. I am hoping it is just something I can add to my config to enable it.

I also found this post from GitHub that appears to cover a (perhaps) similar effect to what I am trying to achieve…

"This is sort of like asking a friend to enter their password so that you can use their computer."

Using the tips there, I checked the ForwardAgent setting for both "jump" and "final" and both have it disabled…

cat /etc/ssh/ssh_config | grep Forward

ForwardAgent no

Is this in fact referring to what I am trying to achieve? Are there security implications driving this being shut off?

Best Answer

There doesn't seem to be a way to do this with passwords.

If you use public key authentication instead, and load the private key(s) into a running ssh-agent on the client, then the logins to both the jump and final hosts will use the key and log you in. You'll only have to enter a password once, when you load the private key into the ssh-agent.
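
The agent setup the answer describes, as an added example (not part of the original answer): a `~/.bashrc` helper for WSL that reuses one `ssh-agent` across shells and unlocks the key once. Because `ProxyCommand ssh -q jump -W %h:%p` runs both authentications from the local client, the local agent serves both hops and `ForwardAgent` can stay `no`. The socket path, the 8-hour lifetime, the function names and the overridable `SSH_ADD`/`SSH_AGENT` variables are assumptions; the key path is the one from the question's config.

```shell
#!/bin/sh
# Added example: keep one ssh-agent per user and load the key into it once.
# Assumed names: AGENT_SOCK, AGENT_KEY, KEY_LIFETIME, agent_state, ensure_agent.

AGENT_SOCK="${AGENT_SOCK:-$HOME/.ssh/agent.sock}"  # fixed path so new shells find it
AGENT_KEY="${AGENT_KEY:-$HOME/.ssh/id_rsa}"        # IdentityFile from the question
KEY_LIFETIME="${KEY_LIFETIME:-8h}"                 # agent drops the key after this
SSH_ADD="${SSH_ADD:-ssh-add}"                      # overridable for testing
SSH_AGENT="${SSH_AGENT:-ssh-agent}"

# Translate the exit status of `ssh-add -l` into a state name:
#   0 -> agent reachable and holding at least one key
#   1 -> agent reachable but holding no keys
#   2 (or anything else) -> no agent answering on the socket
agent_state() {
    rc=0
    SSH_AUTH_SOCK="$AGENT_SOCK"
    export SSH_AUTH_SOCK
    "$SSH_ADD" -l >/dev/null 2>&1 || rc=$?
    case "$rc" in
        0) echo loaded ;;
        1) echo empty ;;
        *) echo down ;;
    esac
}

# Start an agent only if none answers, and prompt for the passphrase only
# if the agent holds no key. A shell that finds a loaded agent does nothing.
ensure_agent() {
    SSH_AUTH_SOCK="$AGENT_SOCK"
    export SSH_AUTH_SOCK
    case "$(agent_state)" in
        down)
            rm -f "$AGENT_SOCK"                     # stale socket blocks bind
            "$SSH_AGENT" -a "$AGENT_SOCK" >/dev/null || return 1
            "$SSH_ADD" -t "$KEY_LIFETIME" "$AGENT_KEY" ;;
        empty)
            "$SSH_ADD" -t "$KEY_LIFETIME" "$AGENT_KEY" ;;
        loaded)
            : ;;
    esac
}
```

Source the file from `~/.bashrc` and call `ensure_agent`; the first shell asks for the key passphrase once, and `ssh final` then authenticates to both "jump" and "final" without further prompts until the lifetime expires.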