Frequently I have to log in to a remote machine that I cannot reach directly; I have to go through a so-called jump host. (This is often the case when I have to use a VPN to connect to a customer site.) So I have to run ssh twice to reach the desired machine. Do I?
If I ask this, the answer is surely “no”.
Let’s consider the following scenario:
We log in to the jump host with the IP 10.11.12.13. From there we connect to a webhost 126.96.36.199 or to an application host 188.8.131.52.
[my_compy:~]$ ssh firstname.lastname@example.org
[jump:~]$ ssh email@example.com
[webhost:~]$
But thanks to the option -o and the ProxyCommand we can write this in one command:
ssh -o "ProxyCommand ssh -W %h:%p firstname.lastname@example.org" email@example.com
-W “requests that standard input and output on the client be forwarded to host on port over the secure channel” (from the man page). %h and %p are placeholders for the host and port, respectively.
Is this really easier? At first glance, no. But we can use the ssh config file (as described in an earlier post), and configure the
Host custweb
    Hostname 184.108.40.206
    ProxyCommand ssh -W %h:%p firstname.lastname@example.org 2> /dev/null
    User applic

Host custappl
    Hostname 220.127.116.11
    ProxyCommand ssh -W %h:%p email@example.com 2> /dev/null
    User applic
Now the login is quite easy:
[my_compy:~]$ ssh custweb
[my_compy:~]$ ssh custappl
All you have to do now is to enter two passwords. This can be avoided – I will explain this in a later post.
And yes: there is a parameter -J to define one (or more) jump hosts for ssh, but if we use the ProxyCommand, scp can benefit from this, too.
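To check which command a config entry like the ones above makes ssh spawn for each alias, the following added example (not part of the original post) parses Host blocks and expands the %h, %p, %n and %% tokens in ProxyCommand. The addresses, jump.example and jumpuser are constructed placeholders, and the parser is an assumption-level simplification that covers plain Host aliases only, not wildcards, Match blocks or global options.

```python
import re

# Constructed sample modelled on the post's two Host blocks; the addresses,
# jump.example and jumpuser are placeholders, not values from the post.
SAMPLE_CONFIG = """\
Host custweb
    Hostname 192.0.2.10
    ProxyCommand ssh -W %h:%p jumpuser@jump.example 2> /dev/null
    User applic

Host custappl
    Hostname 192.0.2.20
    Port 2222
    ProxyCommand ssh -W %h:%p jumpuser@jump.example 2> /dev/null
    User applic
"""

def parse_hosts(text):
    """Return {alias: {keyword: value}} for plain Host aliases (no wildcards)."""
    hosts, current = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1]  # keywords are case-insensitive
        if key == "host":
            current = [hosts.setdefault(alias, {}) for alias in value.split()
                       if not re.search(r"[*?!]", alias)]
        else:
            for opts in current:
                opts.setdefault(key, value)  # ssh keeps the first value it obtains
    return hosts

def effective_proxy(alias, opts):
    """Expand %h, %p, %n and %% in ProxyCommand; other tokens are left untouched."""
    template = opts.get("proxycommand")
    if template is None:
        return None  # no proxy configured: ssh would connect directly
    tokens = {"h": opts.get("hostname", alias), "p": opts.get("port", "22"),
              "n": alias, "%": "%"}
    return re.sub(r"%([hpn%])", lambda m: tokens[m.group(1)], template)

if __name__ == "__main__":
    for alias, opts in parse_hosts(SAMPLE_CONFIG).items():
        print(f"{alias} -> {effective_proxy(alias, opts)}")
```

A host block without a Port line expands %p to 22, and an alias whose block has no ProxyCommand yields None, which makes entries that bypass the jump host easy to spot.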