Windows – How to SSH tunnel using PuTTY or SecureCRT through gateway/proxy to development server

Tags: proxy, putty, ssh, tunneling, windows

We have some unix boxes set up in a way that to get to the development box via ssh, you have to ssh into a 'user@jumpoff' box first. There is no direct connection allowed on 'dev' via ssh from anywhere but 'jumpoff'. Furthermore, only key exchange is allowed on both servers. And you always login to the development box as 'build@dev'.

It's painful to always do that hopping. I know this can be done with SOCKS or a Tunnel or something…

I have set up a FreeBSD VM and I can get things to work awesome using unix ssh tools. Basically all I do is make sure my VM's ~/.ssh/id_rsa.pub key is on both jumpoff and dev and use this ~/.ssh/config file:

# Development Server
Host            ext-dev  # this must be a resolvable name for "dev" from Jumpoff
Hostname        1.2.3.4
User            build
IdentityFile    ~/.ssh/id_rsa  

# The Jumpoff Server
Host            ext 
Hostname        1.1.1.1
User            daevid
Port            22 
IdentityFile    ~/.ssh/id_rsa

# This must come below all of the above 
Host            ext-* 
ProxyCommand    ssh ext nc $(echo '%h'|cut -d- -f2-) 22 

Then I just simply type "ssh ext-dev" and I'm in like Flynn.

The problem is I can't get this same thing to work using either PuTTY or SecureCRT — and to be honest I've not found any tutorials that really walk me through it. I see many on setting up some kind of proxy tunnel for Firefox, but it doesn't seem to be the same concept. I've been messing with various trial and error most all day and nothing has worked (obviously) and I'm at the end of my ssh knowledge and Google searching.

I found this link which seemed to be perfect, but it doesn't work for me. The "Master" connects fine, but the "client" portion doesn't connect. It tells me, the remote system refused the connection.
http://www.vandyke.com/support/tips/socksproxy.html

I've got the VM, PuTTY and SecureCRT all using the same public/private key pairs to make things consistent and easier to debug.

Does anyone have a straight up example of how to do this in Windows?

Best Answer

Using a fairly recent version of SecureCRT (I'm running 7.3.7 for this example), here is how you do it:

1.) Set up a new connection to your jump-off server (ext) with the IP address 1.1.1.1, as given in your example. Give the connection a name, "Jump-off server", and save it in your Sessions folder.

2.) Test that you can connect to the jump-off server as desired. You have indicated that only access with an SSH key is possible: You might want to import that key using ssh-agent functionality (use the "Tools" menu > "Manage Agent Keys..." > "Add...") if you want to enter your passphrase just once.

3.) Set up a new connection for your dev box. As with step 1.), use the correct IP address - 1.2.3.4, as given in your example - and name it "Development box". Save this session in your Sessions folder. Test this connection: It should fail at this point, because you're connecting directly. Close the window.

Now you have the raw information needed, but one extra step is required to associate the jump-off box, as the connection needs to go through "Jump-off box" in order to connect to "Development box".

4.) Right-click on the "Development box" connection in your Sessions folder, and select "Properties". Go to "Connection" -> "SSH2" and click on the "Firewall:" drop-down option. Click on "Select Session...", and then pick "Jump-off server" from the Sessions menu, and then click "OK" to accept the value, then "OK" again to exit the properties menu.

This now associates your jump-off box with your development box, so it is used as an intermediary when trying to establish a connection to your development box. It even works if you have a different SSH port in use on your jump-off box (e.g. 65000) versus your development box (e.g. 22), because SecureCRT will simply use the configuration you have set up for each host.

Try the "Development box" connection again, with or without a "Jump-off box" connection open, and you should find it works as you wanted.
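The question's ~/.ssh/config and the answer's "Firewall: Select Session" setting express the same thing: a per-host rule that says "reach this box by first opening a session to the jump-off box". The following Python is an added example (not code from the poster, from OpenSSH or from SecureCRT) that parses a config in the question's format and resolves the hop chain the way ssh(1) does, so you can see what `ssh ext-dev` will actually execute. It shows the three rules the config relies on: `Host` patterns are shell-style globs, ssh keeps the first value obtained for each option when several `Host` blocks match, and in `ProxyCommand` the `%h` token is the host name after `HostName` substitution (so for `ext-dev` the `cut` receives `1.2.3.4`, not `dev`), while `%n` is the alias as typed. The embedded config is constructed to mirror the question; the jump-off `Port 65000` is the hypothetical non-default port from the answer, not the question's real setting. The parser is deliberately minimal (no `Match`, `Include` or `Key=value` syntax).

```python
"""Resolve a jump-host chain from an OpenSSH-style ~/.ssh/config.

Added example: emulates how ssh(1) merges matching Host blocks and expands
ProxyCommand tokens, per ssh_config(5). It is not the poster's tooling.
"""
import fnmatch
import re
import shlex

# Constructed config mirroring the question. Port 65000 on the jump-off host
# is an assumed value taken from the answer's hypothetical, not the real port.
SAMPLE_CONFIG = """
# Development server (reached only through the jump-off host)
Host            ext-dev
Hostname        1.2.3.4
User            build
IdentityFile    ~/.ssh/id_rsa

# The jump-off server (Port 65000 is an assumed, non-default value)
Host            ext
Hostname        1.1.1.1
User            daevid
Port            65000
IdentityFile    ~/.ssh/id_rsa

# Catch-all: anything named ext-<something> is proxied via ext
Host            ext-*
ProxyCommand    ssh ext nc $(echo '%h'|cut -d- -f2-) 22
"""


def parse_config(text):
    """Return [(patterns, {option: value}), ...] in file order.

    Options before the first Host line are global, which ssh treats as a
    block matching every host ('*'). Within one block the first value wins.
    """
    blocks = [(["*"], {})]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # ssh only honours comments at line start
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "host":
            blocks.append((value.split(), {}))
        else:
            blocks[-1][1].setdefault(key, value)
    return blocks


def resolve(alias, blocks):
    """Merge every matching block, first-obtained value wins, then expand tokens."""
    opts = {}
    for patterns, values in blocks:
        if any(fnmatch.fnmatchcase(alias, p) for p in patterns):
            for key, value in values.items():
                opts.setdefault(key, value)
    hostname = opts.get("hostname", alias)          # %h: after HostName substitution
    port = opts.get("port", "22")
    user = opts.get("user", "<login user>")
    cmd = opts.get("proxycommand")
    if cmd:
        tokens = {"h": hostname, "n": alias, "p": port, "r": user, "%": "%"}
        cmd = re.sub(r"%([hnpr%])", lambda m: tokens[m.group(1)], cmd)
    return {"alias": alias, "hostname": hostname, "port": port,
            "user": user, "proxycommand": cmd}


def connection_chain(alias, blocks, depth=0):
    """Follow ProxyCommands of the form 'ssh <alias> ...'; outermost hop first."""
    hop = resolve(alias, blocks)
    chain = [hop]
    if hop["proxycommand"] and depth < 8:           # guard against a self-referencing config
        argv = shlex.split(hop["proxycommand"])
        if argv and argv[0] == "ssh":
            next_alias = next((a for a in argv[1:] if not a.startswith("-")), None)
            if next_alias:
                chain = connection_chain(next_alias, blocks, depth + 1) + chain
    return chain


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    for hop in connection_chain("ext-dev", cfg):
        via = f"  via: {hop['proxycommand']}" if hop["proxycommand"] else ""
        print(f"{hop['alias']:8} -> {hop['user']}@{hop['hostname']}:{hop['port']}{via}")
```

Running it prints the `ext` hop (port 65000, no proxy) followed by the `ext-dev` hop with its fully expanded `ProxyCommand`. Resolving an alias that has no `HostName`, for example `ext-other`, shows why the poster's comment says the short name must resolve from the jump-off box: `%h` then stays `ext-other`, the `cut` yields `other`, and that is what `nc` on the jump-off host will try to reach.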