Ssh – Two-Hop SSH connection with two separate public keys

ssh

We have the following ssh hop setup:

    localhost -> hub -> server

hubuser@hub accepts the public key for localuser@localhost.

serveruser@server accepts the public key for hubuser@hub.

So we are issuing ssh -t hubuser@hub ssh serveruser@server for connecting to server.

The problem with this setup is that we cannot scp directly to the server.

I tried creating .ssh/config file like this:

    Host server
      user serveruser
      port 22
      hostname server
      ProxyCommand ssh -q hubuser@hub 'nc %h %p'

But I am not able to connect (yigit is localuser):

    $ ssh serveruser@server -v
    OpenSSH_6.1p1, OpenSSL 1.0.1c 10 May 2012
    debug1: Reading configuration data /home/yigit/.ssh/config
    debug1: /home/yigit/.ssh/config line 19: Applying options for server
    debug1: Reading configuration data /etc/ssh/ssh_config
    debug1: Executing proxy command: exec ssh -q hubuser@hub 'nc server 22'
    debug1: permanently_drop_suid: 1000
    debug1: identity file /home/yigit/.ssh/id_rsa type 1000
    debug1: identity file /home/yigit/.ssh/id_rsa-cert type -1
    debug1: identity file /home/yigit/.ssh/id_dsa type -1
    debug1: identity file /home/yigit/.ssh/id_dsa-cert type -1
    debug1: identity file /home/yigit/.ssh/id_ecdsa type -1
    debug1: identity file /home/yigit/.ssh/id_ecdsa-cert type -1
    debug1: Remote protocol version 2.0, remote software version OpenSSH_5.9p1 Debian-5ubuntu1
    debug1: match: OpenSSH_5.9p1 Debian-5ubuntu1 pat OpenSSH_5*
    debug1: Enabling compatibility mode for protocol 2.0
    debug1: Local version string SSH-2.0-OpenSSH_6.1
    debug1: SSH2_MSG_KEXINIT sent
    debug1: SSH2_MSG_KEXINIT received
    debug1: kex: server->client aes128-ctr hmac-md5 none
    debug1: kex: client->server aes128-ctr hmac-md5 none
    debug1: sending SSH2_MSG_KEX_ECDH_INIT
    debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
    debug1: Server host key: ECDSA cb:ee:1f:78:82:1e:b4:39:c6:67:6f:4d:b4:01:f2:9f
    debug1: Host 'server' is known and matches the ECDSA host key.
    debug1: Found key in /home/yigit/.ssh/known_hosts:33
    debug1: ssh_ecdsa_verify: signature correct
    debug1: SSH2_MSG_NEWKEYS sent
    debug1: expecting SSH2_MSG_NEWKEYS
    debug1: SSH2_MSG_NEWKEYS received
    debug1: Roaming not allowed by server
    debug1: SSH2_MSG_SERVICE_REQUEST sent
    debug1: SSH2_MSG_SERVICE_ACCEPT received
    debug1: Authentications that can continue: publickey
    debug1: Next authentication method: publickey
    debug1: Offering RSA public key: /home/yigit/.ssh/id_rsa
    debug1: Authentications that can continue: publickey
    debug1: Trying private key: /home/yigit/.ssh/id_dsa
    debug1: Trying private key: /home/yigit/.ssh/id_ecdsa
    debug1: No more authentication methods to try.
    Permission denied (publickey).

Notice that it is trying to use the public key of localuser@localhost for authenticating on server, and fails since it is not the right one. Is it possible to modify the ProxyCommand so that the key for hubuser@hub is used for authenticating on server?

Best Answer

You can use -i in the ProxyCommand to specify a keyfile to use for the connection from localhost to hub. You can use IdentityFile to specify a keyfile to use for the connection from localhost to server.

Both keyfiles need to be located on localhost. This setup will not need any of the two keyfiles to be located on hub.
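The following is an added example of a ~/.ssh/config on localhost that applies the answer above; it is not the answer author's own file. The key file names id_rsa_hub and id_rsa_server are assumed, as is the use of IdentitiesOnly, which keeps the client from offering every key it can find (including the wrong one seen in the debug output) before reaching the right one:

```sshconfig
# ~/.ssh/config on localhost (added example; key file names are assumed)

# First hop: localhost -> hub, authenticated with the key that
# hubuser@hub accepts. This stanza also lets you run "ssh hub" directly.
Host hub
  HostName hub
  User hubuser
  IdentityFile ~/.ssh/id_rsa_hub      # assumed name; private key stays on localhost
  IdentitiesOnly yes                  # offer only this key, not every key available

# Second hop: localhost -> server, tunnelled through hub.
# The -i in the ProxyCommand selects the hub key for the tunnel;
# IdentityFile selects the key that serveruser@server accepts.
Host server
  HostName server
  Port 22
  User serveruser
  IdentityFile ~/.ssh/id_rsa_server   # assumed name; private key stays on localhost
  IdentitiesOnly yes
  ProxyCommand ssh -q -i ~/.ssh/id_rsa_hub hubuser@hub 'nc %h %p'
```

With this in place, scp file.txt server:/tmp/ and ssh server both resolve the Host alias, and ssh -v server should report "Offering RSA public key: /home/yigit/.ssh/id_rsa_server" instead of id_rsa. Because both private keys live only on localhost and no agent forwarding is involved, a compromise of hub exposes neither the key for hub nor the key for server; hub only ever relays the encrypted session to server. On OpenSSH 5.4 and later the client can replace 'nc %h %p' with the built-in -W %h:%p, which removes the dependency on nc being installed on hub.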