2

I used to connect to a remote server (e.g., [email protected]) through a bastion machine (e.g., [email protected]) using the following command from my local machine:

ssh [email protected] 

The above command does not require the password, as I have set up SSH keys for the connections (local --> bastion, bastion --> target), in addition to the following configuration in the ~/.ssh/config of my local machine:

    Host target.example
        Match User userT
            ProxyCommand ssh -o 'ForwardAgent yes' [email protected] 'ssh-add && nc %h %p'

Recently, the administrator of target.example has observed that I caused a lot (hundreds) of non-closed connections. I was then recommended to use ProxyJump instead:

    Host target.example
        Match User userT
            ProxyJump [email protected]

This command worked at first, but after a restart of my local machine, each connection requires me to enter the password for [email protected]. As a workaround, I do this each time I restart my machine:

  1. Change the ProxyJump line in ~/.ssh/config to the ProxyCommand line.
  2. ssh [email protected].
  3. Change the ProxyCommand line in ~/.ssh/config back to ProxyJump.

The above is highly inconvenient. Therefore, I would like to know if there is a way to make ProxyJump work correctly (i.e., allowing me to connect to target.example without typing any password). (Just in case: The version of OpenSSH on my bastion machine is 6.0, while ProxyJump requires >= 7.3; I am not sure if this is the root cause of the issue.)

Thank you very much in advance for your help!

Update:

I tried adding ForwardAgent to ~/.ssh/config as suggested by @Wieland:

    Host gateway.example
        ForwardAgent yes
    Host target.example
        Match User userT
            ProxyJump [email protected]

but the issue remains.

3
  • I don't have an environment to reproduce this in, but you seem to be no longer forwarding your SSH agent to the jump host in your new configuration. Can you try adding Host gateway.example\nForwardAgent yes to your SSH config file? Commented Feb 19, 2021 at 18:24
  • @Wieland Thanks for your comment. Unfortunately that doesn't solve the problem. Please see the update part of the question. Commented Feb 19, 2021 at 18:32
  • @Wieland It turns out that I have to add the SSH public key of my local machine to target.example as well when using ProxyJump. Now everything is working. Commented Feb 19, 2021 at 19:26

1 Answer

3

For ProxyJump to work, it suffices to add the SSH public key of my local machine to ~/.ssh/authorized_keys of target.example.

Previously I had only added the key of the local machine to gateway.example (and of course the key of gateway to target.example as well), but it turns out that this is not sufficient for ProxyJump.

1
  • While this works, it isn't the correct solution because you are still required to add config onto the target machine - If the proxyjump can access the target it should be sufficient for the target to have no knowledge of your machine Commented Sep 20, 2024 at 9:56
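
A check for the fix in the answer above, as an added example that is not part of the original post: with ProxyJump the local client authenticates to target.example itself through the tunnel, so the key it offers must appear in the target's authorized_keys. The function names, file names, user names and key blobs below are constructed placeholders.

```shell
#!/bin/sh
# Print "keytype blob" for every key line in FILE, skipping blank lines,
# comments and any leading options field (from="...", command="...").
key_fields() {
    awk '
    NF == 0 || $1 ~ /^#/ { next }
    {
        for (i = 1; i < NF; i++)
            if ($i ~ /^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521)|sk-(ssh-ed25519|ecdsa-sha2-nistp256)@openssh\.com)$/) {
                print $i, $(i + 1)
                next
            }
    }' "$1"
}

# is_authorized PUBKEY_FILE AUTHORIZED_KEYS_FILE
# Returns 0 if the first key in PUBKEY_FILE is listed, 1 if not, 2 if no key was found.
is_authorized() {
    want=$(key_fields "$1" | head -n 1)
    [ -n "$want" ] || return 2
    key_fields "$2" | grep -Fxq -- "$want"
}

# Constructed sample data (the key blobs are placeholders, not real keys).
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
echo 'ssh-ed25519 AAAAC3ConstructedLocalKey userL@local' > "$demo_dir/local.pub"
echo 'ssh-ed25519 AAAAC3ConstructedGatewayKey userG@gateway' > "$demo_dir/gateway.pub"

# authorized_keys on target.example before the fix: only the gateway's key.
cat > "$demo_dir/before" <<'EOF'
# keys for userT
from="gateway.example" ssh-ed25519 AAAAC3ConstructedGatewayKey userG@gateway
EOF

# After the fix from the answer: the local machine's key is appended.
cp "$demo_dir/before" "$demo_dir/after"
cat "$demo_dir/local.pub" >> "$demo_dir/after"

for f in before after; do
    if is_authorized "$demo_dir/local.pub" "$demo_dir/$f"; then
        echo "$f: local key accepted, ProxyJump login needs no password"
    else
        echo "$f: local key missing, target asks for a password"
    fi
done
```

To run the same check against a real account, pass your own `.pub` file and a copy of the target's `~/.ssh/authorized_keys` to `is_authorized`.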
