This post lists the commands to ssh to a target (<tgt>) behind a host (<hst>) from Linux (<lnx>). It's written as a reference. Replace <tgt>, <tgt-username>, <tgt-ip>, <hst>, <hst-username>, and <lnx> with your values.
Relevant Versions
ssh -V
# OpenSSH_7.4p1 Debian-10+deb9u7, OpenSSL 1.0.2l 25 May 2017
#1 Generate <hst> Key
ssh-keygen -t rsa -C "me@mydomain.com"
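# When prompted for the file to save the key in, use /home/demo/.ssh/id_rsa_<hst> (that is, ~/.ssh/id_rsa_<hst> in your own home directory)
# Enter a passphrase when prompted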
ssh <hst-username>@<hst>
exit
# Upload your public key with scp (only the .pub file; the private key stays on <lnx>)
scp ~/.ssh/id_rsa_<hst>.pub <hst-username>@<hst>:~/
#2 Configure <hst>
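# Log into <hst> and tighten permissions before adding the key: with sshd's default StrictModes setting,
# authorized_keys is ignored if the home directory, ~/.ssh or the file itself is writable by other users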
ssh <hst-username>@<hst>
chmod go-w ~/
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
cd ~/.ssh
cp authorized_keys authorized_keys_backup
cat ~/id_rsa_<hst>.pub >> authorized_keys
exit
#3 Configure <lnx>
# On your computer, create:
vi ~/.ssh/config
# With:
Host <hst>
User <hst-username>
Hostname <hst>
ServerAliveInterval 240
ServerAliveCountMax 2
IdentityFile ~/.ssh/id_rsa_<hst>
IdentitiesOnly yes
# Now test:
ssh <hst>
# Enter your passphrase
exit
#4 Use ssh-agent so you don't need to keep typing your passphrase
# Start an agent and add the key: you enter the passphrase once, and the agent keeps the unlocked key in memory for this session
eval $(ssh-agent)
ssh-add ~/.ssh/id_rsa_<hst>
# Test
ssh <hst>
exit
#5 Set up a jump to <tgt> (assumes <tgt>'s private key, id_<tgt>, exists on <hst> at ~/.ssh/id_<tgt>)
ssh <hst>
# On <hst>, enumerate targets
# Get the IP of the <tgt>
ifconfig
# <tgt-ip>
# On <hst>, grab the private key for <tgt>, id_<tgt>
# Test ssh to <tgt>
ssh <tgt-username>@<tgt>
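# Back on <lnx>, copy <tgt>'s private key from <hst>. The key is needed on <lnx> because, with the ProxyCommand below, <lnx> authenticates to <tgt> itself and <hst> only relays the connection.
# Keep the copy readable only by you (mode 600); ssh refuses a private key file that other users can read.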
scp <hst>:~/.ssh/id_<tgt> ~/.ssh/
# On your <lnx>, edit ~/.ssh/config
vi ~/.ssh/config
# Add:
Host <tgt>
User <tgt-username>
Hostname <tgt-ip>
ProxyCommand ssh <hst> -W %h:%p
ServerAliveInterval 240
ServerAliveCountMax 2
IdentityFile ~/.ssh/id_<tgt>
IdentitiesOnly yes
# Test
ssh <tgt>
# Note: your full ~/.ssh/config on <lnx> will look like:
Host <hst>
User <hst-username>
Hostname <hst>
ServerAliveInterval 240
ServerAliveCountMax 2
IdentityFile ~/.ssh/id_rsa_<hst>
IdentitiesOnly yes
Host <tgt>
User <tgt-username>
Hostname <tgt-ip>
ProxyCommand ssh <hst> -W %h:%p
ServerAliveInterval 240
ServerAliveCountMax 2
IdentityFile ~/.ssh/id_<tgt>
IdentitiesOnly yes
References