What is a stepping stone supposed to be? My company provides me with a computer that serves as the entry point into the company network. Extended authentication information is required on this machine, e.g. an OATH (one-time authorisation token); logging in with only a private key is prohibited. This computer is therefore the entry point into the company network.
The daily problem is digging out the OATH umpteen times as soon as one of the servers demands my attention. There has to be an easier way. How do I proceed? I log into hop.example.com and ssh from there to database.example.com, so I need two commands:

Client: ssh hop.example.com        # This gives me a shell on the stepping stone, but I have to use the OATH
Hop:    ssh database.example.com   # Now I'm on the database server
If I now also want to log in to the web server web.example.com, the procedure repeats. The OATH is already worn out.

I want it simpler, so I adjust my .ssh/config again. I omit the „Host *“ part for clarity.
# First define the stepping stone
Host step
    User admin
    HostName hop.example.com
    ForwardX11 yes
    LocalForward 2222 localhost:22

# Now port 2222 on my client
Host tunnel
    HostName localhost
    Port 2222
    User admin

# Now the rest of the company
Host *.example.com
    HostName %h
    User admin
    ProxyCommand /usr/bin/ssh -q -W %h:%p tunnel

A plain ssh to any *.example.com host now brings me straight to the specified server, without having to use the OATH again. A look at the debug output (ssh -v) shows how it works.
[user@client][/home/user] ssh -v server2.example.com
OpenSSH_7.5p1, OpenSSL 1.0.2k  26 Jan 2017
debug1: Reading configuration data /home/user/.ssh/config
debug1: /home/user/.ssh/config line 114: Applying options for *
debug1: /home/user/.ssh/config line 179: Applying options for *.example.com
debug1: Executing proxy command: exec /usr/bin/ssh -q -W server2.example.com:22 tunnel
Understood? Of course not, so here's the answer to the riddle. First I log on to „step“, which ties local port 2222 to port 22 of the stepping stone. Of course I have to identify myself with my OATH here. I minimise this SSH session and forget about it.

Since all traffic to my local port 2222 is now forwarded to port 22 of the stepping stone, I can now „ssh tunnel“ straight into the stepping stone without having to pull out the OATH. So I have simplified this step, but I still have to enter two ssh commands to get where I actually want to go.

The third entry is the one that allows the „direct“ login. The „ProxyCommand“ parameter makes ssh start a command (another ssh in this case) and talk to the target through it; „-W“ tells that inner ssh to connect its standard input and output to the given host:port via „tunnel“. The „-W %h:%p“ argument is a bit cryptic. In .ssh/config I can use variables: „%h“ stands for the host name entered, „%p“ for the port number entered (if you haven't entered one, 22 is used as the default).

A list of usable variables can be found in the ssh_config manual page under TOKENS.
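To make the variable expansion and ssh's „first value wins“ rule concrete, here is an added Python example (not part of the original HowTo) that parses a constructed copy of the config above and resolves the effective HostName, Port, User and expanded ProxyCommand for a destination. It is a deliberately small model of ssh's behaviour: only Host blocks and the %h, %p, %r and %% tokens are handled, not Match, Include or the other tokens.

```python
import fnmatch
import re

# Constructed copy of the HowTo's corrected .ssh/config, embedded as sample input.
SSH_CONFIG = """\
Host step
    User admin
    HostName hop.example.com
    LocalForward 2222 localhost:22
Host tunnel
    HostName localhost
    Port 2222
    User admin
Host *.example.com
    HostName %h
    User admin
    ProxyCommand /usr/bin/ssh -q -W %h:%p tunnel
"""

def parse_ssh_config(text):
    """Return [(host_patterns, options)] in file order; keywords are case-insensitive (Host blocks only)."""
    blocks, current = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        key, value = (line.split(None, 1) + [""])[:2]
        key = key.lower()
        if key == "host":
            current = (value.split(), {})
            blocks.append(current)
        elif current is not None:
            current[1].setdefault(key, value)          # first value in a block wins
    return blocks

def resolve(config, host, port=None, user=None):
    """Mimic ssh's first-obtained-wins resolution and expand %h, %p, %r, %% tokens."""
    opts = {}
    for patterns, block in parse_ssh_config(config):
        if any(fnmatch.fnmatchcase(host, p) for p in patterns):
            for key, value in block.items():
                opts.setdefault(key, value)           # later blocks cannot override
    hostname = opts.get("hostname", host).replace("%h", host)
    port = port or int(opts.get("port", 22))           # command-line port beats config
    user = user or opts.get("user", "")
    tokens = {"h": hostname, "p": str(port), "r": user, "%": "%"}
    proxy = opts.get("proxycommand")
    if proxy:
        proxy = re.sub(r"%(.)", lambda m: tokens.get(m.group(1), m.group(0)), proxy)
    return {"hostname": hostname, "port": port, "user": user, "proxycommand": proxy}
```

Prepending a „Host *“ block with its own User shows why the order of blocks matters: the first value ssh obtains for a keyword is the one it keeps.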
But while I'm working, I always have the window with the „step“ session open so that I can use the local port 2222. If you find the window annoying, you can send the ssh process to the background with

ssh -N -f step

and close the window. However, the question now arises of how I can control (e.g. terminate) the process that has disappeared into the background. For this there is the so-called control mechanism, which can talk to every ssh connection set up this way via a control path. I'll cover other uses in other HowTos; here is just the command for this:
ssh -N -f -o "ControlMaster=auto" -o "ControlPath=~/.ssh/cm_sockets/%r@%h:%p" step
With this the process is started and immediately sent to the background. The ~/.ssh/cm_sockets/ directory must exist. In the .ssh/config the entries are to be set as follows:

# First define the stepping stone
Host step
    User admin
    HostName hop.example.com
    ForwardX11 yes
    LocalForward 2222 localhost:22
    ControlMaster auto
    ControlPath ~/.ssh/cm_sockets/%r@%h:%p
    ControlPersist 0
By specifying a ControlPath, we are able to control the background process with the „-O“ option:

ssh -O check step   # Checks whether the connection is active
ssh -O exit step    # Terminates the connection

As already mentioned, you can find the other possible „-O“ commands in other SSH HowTos.