• Connection through a proxy with PublicKey authentication - how to confi

    From Chris Green@21:1/5 to All on Sat Sep 12 12:46:46 2020
    I currently use password authentication for a connection through a
    proxy to my home linux desktop.

    Since the connection isn't *always* through a proxy (not necessary if
    I'm at home, just connect across the LAN) I have the following in my ~/.ssh/config file:-

    Match host esprimo exec "hostNotLocal esprimo"
    ForwardX11 true
    ProxyCommand ssh cheddar nc -q0 zbmc.eu 22

    host esprimo
    ForwardX11 true

    If I add the client laptop's public key to cheddar and esprimo what
    else do I need to do to make a connection through cheddar? I will get
    Public Key authentication into cheddar but do I have to add
    'ForwardAgent yes' to the proxy section? ... or is something else
    needed?


    --
    Chris Green

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Grant Taylor@21:1/5 to Chris Green on Sun Sep 13 00:03:17 2020
    On 9/12/20 5:46 AM, Chris Green wrote:
    > I currently use password authentication for a connection through a
    > proxy to my home linux desktop.

    Okay.

    > Since the connection isn't *always* through a proxy (not necessary
    > if I'm at home, just connect across the LAN) I have the following in
    > my ~/.ssh/config file:-
    >
    > Match host esprimo exec "hostNotLocal esprimo"

    I don't recognize "hostNotLocal". Is that a wrapper script that checks
    to see if the parameter is on the local network or not?

    > ForwardX11 true
    > ProxyCommand ssh cheddar nc -q0 zbmc.eu 22

    You don't need to use nc to do this. Check out the "-W" option to
    modern OpenSSH clients. It saves a process on cheddar.

    > host esprimo
    > ForwardX11 true

    Okay.

    > If I add the client laptop's public key to cheddar and esprimo
    > what else do I need to do to make a connection through cheddar?
    > I will get Public Key authentication into cheddar but do I have to
    > add 'ForwardAgent yes' to the proxy section? ... or is something
    > else needed?

    No, you don't need ForwardAgent.

    The ssh connection from your client notebook to cheddar is only used as
    part of the transport between your client notebook and esprimo.

    Your client notebook will be the endpoint for both SSH connections;
    client & cheddar, as well as client & esprimo. As such, your client will
    have the local agent when authenticating to esprimo.

    See my Empowering OpenSSH article for a more full description on what's happening.

    Link - Empowering OpenSSH
    - https://dotfiles.tnetconsulting.net/articles/2015/0506/empowering-openssh.html

    Note: OpenSSH didn't have the ProxyJump or "-W" options when I wrote
    this article. They would streamline this process.

    Aside: You probably should check out ProxyJump and / or "-W". ;-)



    --
    Grant. . . .
    unix || die

  • From Chris Green@21:1/5 to Grant Taylor on Sun Sep 13 14:51:24 2020
    Grant Taylor <gtaylor@tnetconsulting.net> wrote:
    > On 9/12/20 5:46 AM, Chris Green wrote:
    >> I currently use password authentication for a connection through a
    >> proxy to my home linux desktop.
    >
    > Okay.
    >
    >> Since the connection isn't *always* through a proxy (not necessary
    >> if I'm at home, just connect across the LAN) I have the following in
    >> my ~/.ssh/config file:-
    >>
    >> Match host esprimo exec "hostNotLocal esprimo"
    >
    > I don't recognize "hostNotLocal". Is that a wrapper script that checks
    > to see if the parameter is on the local network or not?

    Yes, it's a trivial little script to test if we're on the LAN with
    esprimo or not.

    >> ForwardX11 true
    >> ProxyCommand ssh cheddar nc -q0 zbmc.eu 22
    >
    > You don't need to use nc to do this. Check out the "-W" option to
    > modern OpenSSH clients. It saves a process on cheddar.

    Yes, I was using the old fashioned way, I now have:-

    ProxyJump cheddar.halon.org.uk

    >> host esprimo
    >> ForwardX11 true
    >
    > Okay.
    >
    >> If I add the client laptop's public key to cheddar and esprimo
    >> what else do I need to do to make a connection through cheddar?
    >> I will get Public Key authentication into cheddar but do I have to
    >> add 'ForwardAgent yes' to the proxy section? ... or is something
    >> else needed?
    >
    > No, you don't need ForwardAgent.
    >
    > The ssh connection from your client notebook to cheddar is only used as
    > part of the transport between your client notebook and esprimo.
    >
    > Your client notebook will be the endpoint for both SSH connections;
    > client & cheddar, as well as client & esprimo. As such, your client will
    > have the local agent when authenticating to esprimo.
    >
    > See my Empowering OpenSSH article for a more full description on what's happening.
    >
    > Link - Empowering OpenSSH
    > - https://dotfiles.tnetconsulting.net/articles/2015/0506/empowering-openssh.html
    >
    > Note: OpenSSH didn't have the ProxyJump or "-W" options when I wrote
    > this article. They would streamline this process.
    >
    > Aside: You probably should check out ProxyJump and / or "-W". ;-)

    See above, I'm now using ProxyJump, and it 'just works' with the
    change to Public Key. :-)

    Thank you.

    --
    Chris Green

  • From Grant Taylor@21:1/5 to Chris Green on Sun Sep 13 11:55:21 2020
    On 9/13/20 7:51 AM, Chris Green wrote:
    > Yes, it's a trivial little script to test if we're on the LAN with
    > esprimo or not.

    Okay. I was sort of wondering if I was missing a nice little tool. ;-)

    > Yes, I was using the old fashioned way, I now have:-
    >
    > ProxyJump cheddar.halon.org.uk
    >
    > See above, I'm now using ProxyJump, and it 'just works' with the
    > change to Public Key. :-)

    *nod*

    ProxyJump (and "-W") are nice options.

    > Thank you.

    You're welcome.



    --
    Grant. . . .
    unix || die
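
The "hostNotLocal" helper used with `Match exec` in this thread was never posted. The following is an added example, not Chris Green's script, of one way such a helper could decide; the home CIDR argument, the function names and the use of the iproute2 `ip` tool are all assumptions.

```shell
#!/bin/sh
# Stand-in for the thread's "hostNotLocal" (name from the thread, logic assumed).
# ssh "Match exec" matches on exit status 0, so status 0 here means "not on
# the home LAN, apply the ProxyJump block". Example ~/.ssh/config use:
#   Match host esprimo exec "hostNotLocal 192.168.1.0/24"   # constructed CIDR
#       ProxyJump cheddar.halon.org.uk

# ip_to_int A.B.C.D -> prints the address as an integer; status 1 if malformed.
ip_to_int() {
    case "$1" in
        ""|*[!0-9.]*|*..*|.*|*.|0[0-9]*|*.0[0-9]*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr ADDR NET/BITS -> status 0 if ADDR is inside NET/BITS, 2 on bad input.
in_cidr() {
    addr=$(ip_to_int "$1") || return 2
    net=$(ip_to_int "${2%/*}") || return 2
    bits=${2#*/}
    case "$bits" in ""|*[!0-9]*|0*) return 2 ;; esac
    [ "$bits" -le 32 ] || return 2
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( addr & mask )) -eq $(( net & mask )) ]
}

# host_not_local HOME_CIDR ADDR... -> status 0 when none of the client's own
# addresses is in HOME_CIDR. Bad input also yields 0, so ssh uses the jump host.
host_not_local() {
    home=$1; shift
    for a in "$@"; do
        if in_cidr "$a" "$home"; then return 1; fi
    done
    return 0
}

# Entry point when run with the home CIDR as argument; reads the client's
# global IPv4 addresses from iproute2 (assumes Linux with the "ip" tool).
if [ "$#" -ge 1 ]; then
    host_not_local "$1" $(ip -4 -o addr show scope global |
        awk '{sub(/\/.*/, "", $4); print $4}')
fi
```

Private ranges such as 192.168.1.0/24 are reused on many networks, so a subnet match alone can wrongly report the home LAN, in which case the ProxyJump block is skipped.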
