Übersetzungen dieser Seite:

SSH - Stepping Stones

What is that supposed to be, a stepping stone. My company provides me with a computer that serves as the entry point into the company network. Extended authentication information is required on this machine, e.g. an OATH (One Time Authorisation Token). Registration using only a private key is prohibited. The computer is therefore the entry point into the company network.
The daily problem is digging out the OATH umpteen times as soon as one of the servers demands my attention. There has to be an easier way. How do I proceed? I log into and ssh from there to, so I need two commands

Client: ssh # This gives me a shell on the stepping stone, but I have to use the OATH
Hop: ssh # Now I'm on the database server

If I now also want to register on the web server, the procedure is repeated. The OATH is already worn out 8-)

I want it to be simpler, so I'll adjust my .ssh/config again. I omit the „Host *“ part to make it clearer.

# First define the stepping stone
Host step
  User admin
  Host name
  ForwardX11 yes
  LocalForward 2222 localhost:22
# Now port 2222 on my client
host tunnel
  HostName localhost
  Port 2222
  User admin
# Now the rest of the company
Host *
  hostname %h
  User admin
  ProxyCommand /usr/bin/ssh -q -W %h:%p tunnel

The command


brings me now immediately to the specified server, without having to use OATH again. A look at the debug output (ssh -v) shows us how it works.

[user@client][/home/user] ssh -v
OpenSSH_7.5p1, OpenSSL 1.0.2k 26 Jan 2017
debug1: Reading configuration data /home/user/.ssh/config
debug1: /home/user/.ssh/config line 114: Applying options for *
debug1: /home/user/.ssh/config line 179: Applying options for *
debug1: Executing proxy command: exec /usr/bin/ssh -q -W tunnel

Understood? Of course not, so here's the answer to the riddle. Once I log on to „step“ to marry the local port 2222 to port 22 of the stepping stone. Of course I have to identify myself with my OATH here. I minimize this SSH session and forget about it.
Since all traffic on my local port 2222 is now routed to the stepping stone's port 22, I could now immediately „ssh tunnel“ into the stepping stone without having to pull out the OATH. So I have simplified this step, but I still have to enter two ssh commands to get to where I actually have to go.
The third entry is the one that allows using the „direct“ login. The „ProxyCommand“ parameter ensures that a command (ssh in this case) is started on „tunnel“. The „-W %h:%p“ call to this ssh is a bit cryptic. In the .ssh/config I can use variables, „%h“ stands for the entered host name, „%p“ for an entered port number (if you haven't entered one, 22 is taken as the default).
A list of usable variables is:

  1. %% - The character ‘%’
  2. %C - Abbreviation for %l%h%p%r
  3. %d - pathname of local home directory
  4. %h - The local hostname
  5. %i - The local user ID (numeric)
  6. %L - The local hostname
  7. %l - The fully qualified local hostname (
  8. %n - The hostname specified in the ssh command
  9. %p - The port on the server side
  10. %r - The username on the server
  11. %u - The local username

But while I'm working, I always have the window with the „Step“ session open so that I can use the local port 2222. If you find the window annoying, you can go with it

ssh -N -f step

send the ssh process to the background and close the window. However, the question now arises as to how I can control (e.g. end) the process that has disappeared into the background. There is the so-called control mechanism for this, which can communicate with all ssh connections set up in this way via a control path. I'll talk about other uses in other HowTo's, here's just the command to do this:

ssh -N -f -o "ControlMaster=auto" -o "ControlPath=~/.ssh/cm_sockets/%r@%h:%p" step

the process is started and immediately sent to the background. The ~/.ssh/cm_sockets/ directory must exist. In the .ssh/config the entries are to be set as follows:

# First define the stepping stone
Host step
  User admin
  Host name
  ForwardX11 yes
  LocalForward 2222 localhost:22
  Control Master auto
  ControlMaster ~/.ssh/cm_sockets/%r@%h:%p
  ControlPersist 0

By specifying a ControlPath, we are able to control the background process with the „-O“ option

ssh -O check step # Checks whether the connection is active
ssh -O exit step # terminate the connection

As already mentioned, you can find the other possible commands for „-O“ in other SSH HowTo's.

en/howtos/sshstepstone.txt · Zuletzt geändert: 2022/02/18 08:42 von morquai