I currently use password authentication for a connection through a
proxy to my home linux desktop.
Since the connection isn't *always* through a proxy (not necessary
if I'm at home, just connect across the LAN) I have the following in
my ~/.ssh/config file:-
    Match host esprimo exec "hostNotLocal esprimo"
        ForwardX11 true
        ProxyCommand ssh cheddar nc -q0 zbmc.eu 22
    host esprimo
        ForwardX11 true
If I add the client laptop's public key to cheddar and esprimo
what else do I need to do to make a connection through cheddar?
I will get Public Key authentication into cheddar but do I have to
add 'ForwardAgent yes' to the proxy section? ... or is something
else needed?
On 9/12/20 5:46 AM, Chris Green wrote:
> I currently use password authentication for a connection through a
> proxy to my home linux desktop.

Okay.

> Since the connection isn't *always* through a proxy (not necessary
> if I'm at home, just connect across the LAN) I have the following in
> my ~/.ssh/config file:-
>     Match host esprimo exec "hostNotLocal esprimo"

I don't recognize "hostNotLocal". Is that a wrapper script that checks
to see if the parameter is on the local network or not?

>         ForwardX11 true
>         ProxyCommand ssh cheddar nc -q0 zbmc.eu 22

You don't need to use nc to do this. Check out the "-W" option to
modern OpenSSH clients. It saves a process on cheddar.

>     host esprimo
>         ForwardX11 true

Okay.

> If I add the client laptop's public key to cheddar and esprimo
> what else do I need to do to make a connection through cheddar?
> I will get Public Key authentication into cheddar but do I have to
> add 'ForwardAgent yes' to the proxy section? ... or is something
> else needed?

No, you don't need ForwardAgent.
The ssh connection from your client notebook to cheddar is only used as
part of the transport between your client notebook and esprimo.
Your client notebook will be the endpoint for both SSH connections:
client & cheddar, as well as client & esprimo. As such, your client will
have the local agent when authenticating to esprimo.
See my Empowering OpenSSH article for a fuller description of what's
happening.
Link - Empowering OpenSSH
- https://dotfiles.tnetconsulting.net/articles/2015/0506/empowering-openssh.html
Note: OpenSSH didn't have the ProxyJump or "-W" options when I wrote
this article. They would streamline this process.
Aside: You probably should check out ProxyJump and / or "-W". ;-)
Yes, it's a trivial little script to test if we're on the LAN with
esprimo or not.
Yes, I was using the old fashioned way, I now have:-
    ProxyJump cheddar.halon.org.uk
See above, I'm now using ProxyJump, and it 'just works' with the
change to Public Key. :-)
Thank you.
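
The setup discussed in this thread, written out as a ~/.ssh/config sketch. This is an added example, not either poster's actual file; it assumes zbmc.eu is the name under which esprimo is reachable from cheddar (as in the original nc command) and that "hostNotLocal" is the poster's script exiting 0 when off the LAN.

```sshconfig
# Added example. Use ONE of the two Match blocks, not both.
# The Match "exec" test passes when the command exits with status 0.

# Variant A: ProxyCommand with -W in place of "nc -q0 zbmc.eu 22".
# The ssh session to cheddar forwards stdin/stdout to zbmc.eu:22 itself,
# so no nc process runs on cheddar.
Match host esprimo exec "hostNotLocal esprimo"
    ProxyCommand ssh -W zbmc.eu:22 cheddar

# Variant B: ProxyJump. The jump host connects to the target's HostName,
# so the externally reachable name has to be set for the off-LAN case
# (assumption: zbmc.eu, taken from the original nc command).
#Match host esprimo exec "hostNotLocal esprimo"
#    HostName zbmc.eu
#    ProxyJump cheddar

# Applies both on and off the LAN.
Host esprimo
    ForwardX11 yes
    # Both SSH sessions terminate on the laptop: it authenticates to
    # cheddar, then to esprimo through the tunnel, using its local key or
    # agent each time. Agent forwarding is not needed, and leaving it off
    # keeps the agent socket from being exposed on cheddar.
    ForwardAgent no
```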