2

I work in an environment where I have multiple ssh keys for multiple environments, all of which utilize a bastion host, meaning to ssh to any box in any environment, it is a 2-step hop, first to the bastion, and the second to the target box, and my ssh identity has to be carried with me the whole way.

I know that both ssh and .ssh/config have options to forward all of your current ssh identities with you to the bastion host, such that you can re-use them there:

ssh -A IPADDRESS and ForwardAgent

Additionally, I know that .ssh/config has the IdentityFile option which allows me to specify which ssh key is used depending on the host that I am trying to connect to. However, what I have noticed is that any identities used by the IdentityFile option are not forwarded by the ForwardAgent - I make it to the bastion host, but without my key and I cannot ssh to the next box.

The only way I have been able to accomplish this so far is to manually add the identity that I need to use with ssh-add ~/.ssh/id_rsa[1-10], and then to ssh using either ForwardAgent or ssh -A. However, this can be a pain when I have many identities that I need to switch between.

Is there a way I can accomplish all of this using just the ssh config file??

Improve this question

3 Answers 3

Reset to default
2

A neater way of doing the ProxyCommand above is to use ProxyJump; your SSH config will look something like this:

Host bastion.host User user1 IdentityFile ~/.ssh/id_bastion Host remote.host User user2 IdentityFile ~/.ssh/id_remote ProxyJump bastion.host
Improve this answer
1

You need : 

IdentityFile ~/.ssh/id_bastion AddKeysToAgent yes ForwardAgent yes

Check man ssh_config | less +/AddKeysToAgent

Improve this answer
1
  • I just tried this and it looks like exactly what I wanted except that on one of my Host configurations where I would like to carry two ssh identities with me to the bastion, it looks like its only carrying the first one. Commented Apr 20, 2018 at 19:21
0

Have you tried to use a ProxyCommand ? Let's say you want to connect as [email protected] by going transparently through the [email protected] account. The following config achieves just that : 

Host bastion.host User user1 IdentityFile ~/.ssh/id_bastion Host remote.host User user2 IdentityFile ~/.ssh/id_remote ProxyCommand ssh bastion.host -W %h:%p

Another nice property of this setup is that it allows other commands (such as git, sshfs, rsync, ...) to connect to remote.host "directly" through the bastion host, using the same credentials.

edit: In your setup, every host shares the same bastion, so you can even factor the ProxyCommand out with a wildcard Host before adding more specific ones :

Host remote.* ProxyCommand ssh bastion.host -W %h:%p Host remote.host1 IdentityFile ... Host remote.host2 ....
Improve this answer
0

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.