Ssh – Tunnel an SSH connection transparently (no ProxyCommand)

sshssh-tunneltransparent-proxytunneling

Here's the scenario: the user runs "ssh -i sshkey user@server1". I want the SSH connection to be tunneled through server1 to server2. Normally, the user could do this himself using:

ssh -i sshkey user@server1 -o 'ProxyCommand /bin/nc server2 22'

However, I don't want the user to set up the proxy themselves, using ssh command-line arguments or even ssh_config changes. As sysadmin, I want to be able to redirect a user's SSH session to a different server transparently. All solutions I've found so far require ProxyCommand. Is there a way for me to accomplish this?

Note that the user is using SSH keys, not username/password, so those credentials need to be passed on to server2.

Best Answer

I can think of two ways to do this:

Forced command in the user's AuthorizedKeysFile (i.e. ~/.ssh/authorzied_keys) on server1:

The entry would look like

command="ssh server2" ssh-rsa AAAA...[rest of sshkey.pub]

Then the command ssh -i sshkey server1 will send the user directly to server2.

Or, change the users' shell on server1 by setting it to something like /bin/proxyshell, the contents of which will be:

#!/bin/bash
ssh server2

Related Solutions

Linux – How to automatically create user accounts ( SSH + LDAP )

You don't need to actually make the user on the server2, only their home directory on first login. You're looking for pam_mkhomedir:

http://www.linux-pam.org/Linux-PAM-html/sag-pam_mkhomedir.html

Google will find you many howtos and examples on getting this set up.

Ssh – How to automate SSH login with password

Don't use a password. Generate a passphrase-less SSH key and push it to your VM.

If you already have an SSH key, you can skip this step… Just hit Enter for the key and both passphrases:

$ ssh-keygen -t rsa -b 2048
Generating public/private rsa key pair.
Enter file in which to save the key (/home/username/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/username/.ssh/id_rsa.
Your public key has been saved in /home/username/.ssh/id_rsa.pub.

Copy your keys to the target server:

$ ssh-copy-id id@server
id@server's password:

Now try logging into the machine, with ssh 'id@server', and check-in:

.ssh/authorized_keys

Note: If you don't have .ssh dir and authorized_keys file, you need to create it first

to make sure we haven’t added extra keys that you weren’t expecting.

Finally, check to log in…

$ ssh id@server

id@server:~$

You may also want to look into using ssh-agent if you want to try keeping your keys protected with a passphrase.

Best Answer

Related Solutions

Linux – How to automatically create user accounts ( SSH + LDAP )

Ssh – How to automate SSH login with password

Related Topic