Let's say I have the following setup:

         ssh       ssh
    A ------> B ------> C
        ^         ^
     using A's  using B's
       key        key

I'm trying to configure this in .ssh/config in the host A as follows:

    Host C
      HostName C.com
      IdentityFile path_to_key_1
      ProxyCommand ssh -i path_to_key_2 B -W %h:%p

Which identity file and path go into path_to_key_1 and path_to_key_2?

For example, does path_to_key_1 refer to a path in A and path_to_key_2 to a path in B? Or are they both supposed to be paths in A?

Your .ssh/config on host A should look as follows:

Both path_to_key files must exist on A.

I use a similar configuration in production to access Nagios NRPE servers.

Edit: Changed host C config, removed -i part from ProxyCommand ssh -i path_to_key_2 B -W %h:%p as it was superfluous.

The ProxyCommand is executed from 'A', this makes a connection to B that only creates a tunnel to 'C' which is then used for 'A' to connect to 'C'. At no point is a shell opened on B, or any ssh keys loaded from B.

If you require a key for authentication that only lives on 'B' to authenticate to 'C' you won't be able to use the 'ProxyCommand'.
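
A configuration consistent with the two answers above, as an added example that is not part of the original posts. The host name B.com and the key file names are assumptions; both IdentityFile paths are on A.

```sshconfig
# ~/.ssh/config on host A (added example; B.com and the key paths are assumed)

# Hop 1: A -> B. The ssh process that ProxyCommand starts runs on A,
# so this key is read from A's disk.
Host B
    HostName B.com
    IdentityFile ~/.ssh/key_for_B
    # Offer only the key named above, not every key in the agent.
    IdentitiesOnly yes

# Hop 2: A -> C through the tunnel. The outer ssh process also runs on A,
# so this key is read from A's disk as well. B only relays TCP to C:22;
# no shell is opened on B and no key stored on B is ever loaded.
Host C
    HostName C.com
    IdentityFile ~/.ssh/key_for_C
    IdentitiesOnly yes
    # No -i needed: the inner ssh takes IdentityFile from the "Host B" block.
    ProxyCommand ssh -W %h:%p B
```

Running `ssh -G C` on A prints the options ssh resolves for that host, which is a quick way to confirm the identityfile and proxycommand values before connecting. On OpenSSH 7.3 and later, `ProxyJump B` can replace the ProxyCommand line with the same key locations.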