• Uncategorized

About bash : How-to-use-a-jumphostjump-server-in-a-script

Question Detail

I need to write a script to be able to run cmds on our test servers in our secure, off-site lab. The problem is these test servers are behind a jump server/jump host. Manually, I either type:

bash$ ssh -A jumphost
jumphost$ ssh server1

or I edited my personal .ssh/config file to use the jump host

ForwardAgent yes
Host server1
ProxyCommand ssh -q jumphost nc <ip of server1> 22

to access them. How do I do this inside my script so that ssh doesn’t stop/terminate at ssh -A jumphost?

I tried to run

ssh jumphost nc <ip of server1> 22 "ls /tmp"

or

ssh jumphost nc <ip of server1> 22

or

ssh -A jumphost nc <ip> 22

but it complains of a protocol mismatch. I don’t control the jump host so I can’t just leave scripts/programs at a common place for people to use. I also don’t think IT will make a jump host for us to use exclusively.

Is there a way for me to run scripts thru a jump host? Thanks in advance for your help. If there isn’t a way, I’ll just tell IT they need to allow me to copy my scripts to the jump host b/c the experts on stackoverflow said it needed to be done =)

Question Answer

Something along the lines of:

ssh -At jumpserver ssh -At server1

should work. The -t makes sure that a pseudo-tty is allocated where needed (it may not be necessary on the second one, but I don’t have a setup where I can test that at the moment, and it won’t hurt). This also has the benefit that when you exit from server1, both sessions go away…

Update ~/.ssh/config file as follows,

Host JumpHost
    Hostname 111.255.223.108
    User jump-user
    IdentityFile ~/Keys/JumpHost.pem
    AddKeysToAgent yes

Host PrivateHost
    Hostname 120.010.111.166
    IdentityFile ~/Keys/my-private-key.pem
    User private-user
    AddKeysToAgent yes
    ProxyJump JumpHost

Then ssh on the command line, ssh PrivateHost

Without config files, with different ports, different keys and different users:
jump host port: 2244, target host port: 2266 (ports are just examples). If standard port (22) is used, then -p/-P options can be omitted.

OUTPUT=$(ssh -o ProxyCommand="ssh -W %h:%p [email protected]$JUMPHOST_IP -p 2244 -i jumphost_key_file" -oStrictHostKeyChecking=accept-new [email protected]$TARGETHOST_IP -p 2266 -i targethost_key_file 'command')
echo $OUTPUT

-oStrictHostKeyChecking option is for automatically accepting ECDSA key. If this is a security issue for you, you should take out this option, but then first time need to acknowledge manually.
Also don’t forget to allow agentforwarding on jump host in sshd_config.
It may also be necessary to allow TCPForwarding as well on jump host in sshd_config, and maybe in /etc/sysctl.conf need to uncomment/enable net.ipv4.ip_forward = 1.

if you want to run a local script on the target host:

OUTPUT=$(ssh -o ProxyCommand="ssh -W %h:%p [email protected]$JUMPHOST_IP -p 2244 -i jumphost_key_file" [email protected]$TARGETHOST_IP -p 2266 -i targethost_key_file 'bash -c' <local_bash_script.sh)
echo $OUTPUT

scp can also be used like this:

scp -o ProxyCommand="ssh -W %h:%p [email protected]$JUMPHOST_IP -p 2244 -i jumphost_key_file" -i targethost_key_file -P 2266 local_file_to_copy.txt [email protected]$TARGETHOST_IP:/tmp/new_file_name.txt

note capital P for port in scp command, but not in ssh! omit new_file_name.txt if you don’t want to change the file name. I have this running on debian 10
Hope this helps if you don’t want to maintain config files.

You may also like...

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.