I'm trying to connect to a number of hosts using pssh in combination with a jump host and ssh-agent key forwarding.
Unfortunately this fails quite regularly, but with different hosts failing each time. So this is only an example, which would look different next time:
~> pssh -h /tmp/hostfile -o /tmp/log -e /tmp/error/ -v uname -a
[1] 13:51:18 [FAILURE] host1 Exited with error code 255
[2] 13:51:19 [SUCCESS] host2
[3] 13:51:19 [SUCCESS] host3
[4] 13:51:19 [SUCCESS] host4
[5] 13:51:19 [SUCCESS] host5
[6] 13:51:19 [SUCCESS] host6
[7] 13:51:19 [SUCCESS] host7
….
[16] 13:51:19 [SUCCESS] host16
When having a deeper look, I'm getting
ssh_exchange_identification: Connection closed by remote host
ssh_exchange_identification: Connection closed by remote host
on the host that failed. This looks much like the ssh-agent key forwarding via the jump host did not work in this particular scenario.
Inside my ~/.ssh/config it looks like this:
ForwardAgent yes
Host *.tld.foo
User frlan
ProxyCommand ssh tld-jump-host nc %h %p
Host tld-jump-host
HostName myhost.example.com
User frlan
ProxyCommand none
Usually this is working. Now I'm wondering why, starting at about 15 hosts, sometimes the key is not forwarded and how I can upgrade my configuration to prevent this from happening.
Best Answer
For connections using ProxyCommand you do not need any ssh-agent forwarding. All the authentication is done directly from your computer.

Manual page for ssh_config says therefore the Host tld-jump-host block should be before the Host *.tld.foo block, especially if the jump box has the same tld as the hosts behind it.

If you are connecting to many hosts behind this jump box, you might be triggering the connection limit and the connections will get randomly rejected. You can try to avoid it by bumping the connection rate limit on the jumpbox server (MaxStartups option in sshd_config), or multiplex the connections to the jump box by creating directory ~/.ssh/cm/ and adding the following to the jumpbox block in ssh_config:
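The ordering point in the answer above (ssh keeps the first value it obtains for each option, so a specific Host block must come before a wildcard that also matches it) is easy to check with a small model of that rule. The following Python script is an added example and is not code from the answerer or from OpenSSH: it parses two constructed ssh_config variants and resolves the effective ProxyCommand. It assumes a jump host named jump.tld.foo (chosen so that it also matches "Host *.tld.foo", the case the answer warns about) and uses ControlMaster/ControlPath/ControlPersist as the multiplexing options the answer refers to; the exact values are this example's own assumptions. Match blocks and negated patterns are not modelled.

```python
import fnmatch

# Constructed sample ssh_config files for this example, not the original
# poster's file. The jump host is deliberately named jump.tld.foo (an
# assumption for this example) so that it also matches "Host *.tld.foo".
CONFIG_JUMP_LAST = """
ForwardAgent yes

Host *.tld.foo
    User frlan
    ProxyCommand ssh jump.tld.foo nc %h %p

Host jump.tld.foo
    User frlan
    ProxyCommand none
    ControlMaster auto
    ControlPath ~/.ssh/cm/%r@%h:%p
    ControlPersist 10m
"""

CONFIG_JUMP_FIRST = """
ForwardAgent yes

Host jump.tld.foo
    User frlan
    ProxyCommand none
    ControlMaster auto
    ControlPath ~/.ssh/cm/%r@%h:%p
    ControlPersist 10m

Host *.tld.foo
    User frlan
    ProxyCommand ssh jump.tld.foo nc %h %p
"""


def parse_ssh_config(text):
    """Split ssh_config text into (host_patterns, options) blocks in file order.

    Options before the first Host line go into an implicit '*' block.
    Match blocks and negated patterns are not handled; this only models the
    "first obtained value wins" rule described in ssh_config(5).
    """
    blocks = [(["*"], {})]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "host":
            blocks.append((value.split(), {}))
        else:
            blocks[-1][1][keyword] = value
    return blocks


def resolve(blocks, hostname):
    """Walk the blocks in file order and keep the first value seen for each
    keyword whose Host pattern matches hostname, as ssh does."""
    effective = {}
    for patterns, options in blocks:
        if any(fnmatch.fnmatchcase(hostname, p) for p in patterns):
            for keyword, value in options.items():
                effective.setdefault(keyword, value)
    return effective


def proxy_command(config_text, hostname):
    """The ProxyCommand ssh would end up using for hostname."""
    return resolve(parse_ssh_config(config_text), hostname).get("proxycommand")


if __name__ == "__main__":
    for label, cfg in (("jump block last", CONFIG_JUMP_LAST),
                       ("jump block first", CONFIG_JUMP_FIRST)):
        print(label)
        for host in ("jump.tld.foo", "host1.tld.foo"):
            eff = resolve(parse_ssh_config(cfg), host)
            print(f"  {host:14} ProxyCommand={eff.get('proxycommand')!r} "
                  f"ControlMaster={eff.get('controlmaster')!r}")
```

With the jump block last, the jump host itself resolves to a ProxyCommand that tries to reach the jump host through the jump host, so every hop fails; with the jump block first it resolves to "none" while hosts behind it still get the nc proxy, and the multiplexing options apply to the jump connection. On a real system the same check is `ssh -G jump.tld.foo | grep -i proxycommand`, which prints the effective value after OpenSSH has applied the rule.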