I need to write a script to be able to run commands on our test servers in our secure, off-site lab. The problem is these test servers are behind a jump server/jump host. Manually, I either type:
bash$ ssh -A jumphost
jumphost$ ssh server1
or I edit my personal .ssh/config file to use the jump host:
ProxyCommand ssh -q jumphost nc <ip of server1> 22
to access them. How do I do this inside my script so that ssh doesn’t stop/terminate at ssh -A jumphost?
I tried to run
ssh jumphost nc <ip of server1> 22 "ls /tmp"
ssh jumphost nc <ip of server1> 22
ssh -A jumphost nc <ip> 22
but it complains of a protocol mismatch. I don’t control the jump host so I can’t just leave scripts/programs at a common place for people to use. I also don’t think IT will make a jump host for us to use exclusively.
Is there a way for me to run scripts through a jump host? Thanks in advance for your help. If there isn’t a way, I’ll just tell IT they need to allow me to copy my scripts to the jump host because the experts on stackoverflow said it needed to be done =)
Something along the lines of:
ssh -At jumpserver ssh -At server1
should work. The -t makes sure that a pseudo-tty is allocated where needed (it may not be necessary on the second one, but I don’t have a setup where I can test that at the moment, and it won’t hurt). This also has the benefit that when you exit from server1, both sessions go away…
~/.ssh/config file as follows,
Then ssh on the command line,
Without config files, with different ports, different keys and different users:
jump host port: 2244, target host port: 2266 (ports are just examples). If the standard port (22) is used, the -p/-P options can be omitted.
OUTPUT=$(ssh -o ProxyCommand="ssh -W %h:%p <jumpuser>@$JUMPHOST_IP -p 2244 -i jumphost_key_file" -oStrictHostKeyChecking=accept-new <targetuser>@$TARGETHOST_IP -p 2266 -i targethost_key_file 'command')
The -oStrictHostKeyChecking option is for automatically accepting the ECDSA key. If this is a security issue for you, you should take out this option, but then you need to acknowledge the key manually the first time.
Also don’t forget to allow agent forwarding on the jump host in sshd_config.
It may also be necessary to allow TCPForwarding on the jump host in sshd_config, and maybe in /etc/sysctl.conf you need to uncomment/enable net.ipv4.ip_forward = 1.
If you want to run a local script on the target host (the script is fed over stdin, so the remote shell must be started with -s, not -c):
OUTPUT=$(ssh -o ProxyCommand="ssh -W %h:%p <jumpuser>@$JUMPHOST_IP -p 2244 -i jumphost_key_file" <targetuser>@$TARGETHOST_IP -p 2266 -i targethost_key_file 'bash -s' < local_bash_script.sh)
scp can also be used like this:
scp -o ProxyCommand="ssh -W %h:%p <jumpuser>@$JUMPHOST_IP -p 2244 -i jumphost_key_file" -i targethost_key_file -P 2266 local_file_to_copy.txt <targetuser>@$TARGETHOST_IP:/tmp/new_file_name.txt
Note the capital P for the port in the scp command, but not in ssh! Omit new_file_name.txt if you don’t want to change the file name. I have this running on Debian 10.
Hope this helps if you don’t want to maintain config files.
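As an added example, not part of the question or of any of the answers above: the "ssh -W" ProxyCommand approach of the last answer (the scripted equivalent of the interactive "ssh -At jumpserver ssh -At server1" chain in the first one) wrapped in a few POSIX sh functions that a test script can source. Instead of StrictHostKeyChecking=accept-new, which trusts whatever key is presented on first contact, it pins both hops' host keys in a dedicated known_hosts file and uses BatchMode so a script fails instead of hanging on a prompt. Every user name, host, port, key path and the known_hosts file are assumptions for illustration.

```sh
#!/bin/sh
# Added example, not code from the question or answers above: POSIX sh helpers
# for scripting commands against a target that sits behind a jump host, using
# "ssh -W" as ProxyCommand with both hosts' keys pinned in a dedicated
# known_hosts file. Every user, host, port and key path here is an assumption.

JUMP_USER="${JUMP_USER:-jumpuser}"
JUMP_HOST="${JUMP_HOST:-jumphost.example.net}"
JUMP_PORT="${JUMP_PORT:-2244}"
JUMP_KEY="${JUMP_KEY:-$HOME/.ssh/jumphost_key_file}"
TARGET_USER="${TARGET_USER:-labuser}"
TARGET_HOST="${TARGET_HOST:-10.0.0.10}"
TARGET_PORT="${TARGET_PORT:-2266}"
TARGET_KEY="${TARGET_KEY:-$HOME/.ssh/targethost_key_file}"
# Both hops' host keys live here. Populate it once from fingerprints verified
# out of band (e.g. read off the console); StrictHostKeyChecking=yes then makes
# ssh refuse, rather than prompt, when a key is unknown or has changed.
KNOWN_HOSTS="${KNOWN_HOSTS:-$HOME/.ssh/lab_known_hosts}"

# The jump hop: "ssh -W %h:%p" makes the jump host a plain TCP relay to the
# target, so the target hop authenticates with its own key file and nothing
# needs agent forwarding (-A). The jump host must permit AllowTcpForwarding.
# On OpenSSH 7.3+ the same thing can be written as -J / ProxyJump.
proxy_command() {
    printf 'ssh -W %%h:%%p -p %s -i %s -o BatchMode=yes -o StrictHostKeyChecking=yes -o UserKnownHostsFile=%s %s@%s' \
        "$JUMP_PORT" "$JUMP_KEY" "$KNOWN_HOSTS" "$JUMP_USER" "$JUMP_HOST"
}

# With SSH_DRY_RUN=1 the assembled command line is printed one argument per
# line instead of executed, so a script can be inspected before it touches the lab.
run_or_print() {
    if [ "${SSH_DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$@"
    else
        "$@"
    fi
}

# run_remote CMD...: run a command on the target. BatchMode=yes makes ssh fail
# instead of waiting on a password or host-key prompt nobody will answer.
run_remote() {
    run_or_print ssh \
        -o BatchMode=yes \
        -o ConnectTimeout=10 \
        -o StrictHostKeyChecking=yes \
        -o "UserKnownHostsFile=$KNOWN_HOSTS" \
        -o "ProxyCommand=$(proxy_command)" \
        -p "$TARGET_PORT" -i "$TARGET_KEY" \
        "$TARGET_USER@$TARGET_HOST" "$@"
}

# run_remote_script FILE [ARGS...]: run a local script on the target without
# copying it there. The file goes over stdin and the remote shell reads it with
# "bash -s" ("bash -c" with no command string would only print a usage error).
run_remote_script() {
    script=$1
    shift
    run_remote bash -s -- "$@" < "$script"
}

# copy_to_remote LOCAL REMOTE_PATH: scp through the same ProxyCommand; scp
# takes the port as capital -P.
copy_to_remote() {
    run_or_print scp \
        -o BatchMode=yes \
        -o StrictHostKeyChecking=yes \
        -o "UserKnownHostsFile=$KNOWN_HOSTS" \
        -o "ProxyCommand=$(proxy_command)" \
        -P "$TARGET_PORT" -i "$TARGET_KEY" \
        "$1" "$TARGET_USER@$TARGET_HOST:$2"
}

# Usage from a test script that has sourced this file:
#   OUTPUT=$(run_remote 'ls /tmp')
#   run_remote_script ./collect_logs.sh server1
#   copy_to_remote ./payload.txt /tmp/payload.txt
#   SSH_DRY_RUN=1 run_remote 'ls /tmp'    # print the command line, connect nowhere
```

The dry-run mode is worth keeping in a real wrapper: it is the quickest way to confirm that the ProxyCommand string, ports and key paths ended up where you expect before a typo sends a command to the wrong box.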