
Connection through a proxy with PublicKey authentication - how to configure it?


Chris Green

Sep 12, 2020, 7:48:04 AM9/12/20
I currently use password authentication for a connection through a
proxy to my home linux desktop.

Since the connection isn't *always* through a proxy (not necessary if
I'm at home, just connect across the LAN) I have the following in my
~/.ssh/config file:-

Match host esprimo exec "hostNotLocal esprimo"
ForwardX11 true
ProxyCommand ssh cheddar nc -q0 zbmc.eu 22

host esprimo
ForwardX11 true

If I add the client laptop's public key to cheddar and esprimo what
else do I need to do to make a connection through cheddar? I will get
Public Key authentication into cheddar but do I have to add
'ForwardAgent yes' to the proxy section? ... or is something else
needed?


--
Chris Green

Grant Taylor

Sep 13, 2020, 8:03:27 AM9/13/20
On 9/12/20 5:46 AM, Chris Green wrote:
> I currently use password authentication for a connection through a
> proxy to my home linux desktop.

Okay.

> Since the connection isn't *always* through a proxy (not necessary
> if I'm at home, just connect across the LAN) I have the following in
> my ~/.ssh/config file:-
>
> Match host esprimo exec "hostNotLocal esprimo"

I don't recognize "hostNotLocal". Is that a wrapper script that checks
to see if the parameter is on the local network or not?

> ForwardX11 true
> ProxyCommand ssh cheddar nc -q0 zbmc.eu 22

You don't need to use nc to do this. Check out the "-W" option to
modern OpenSSH clients. It saves a process on cheddar.

> host esprimo
> ForwardX11 true

Okay.

> If I add the client laptop's public key to cheddar and esprimo
> what else do I need to do to make a connection through cheddar?
> I will get Public Key authentication into cheddar but do I have to
> add 'ForwardAgent yes' to the proxy section? ... or is something
> else needed?

No, you don't need ForwardAgent.

The ssh connection from your client notebook to cheddar is only used as
part of the transport between your client notebook and esprimo.

Your client notebook will be the endpoint for both SSH connections;
client & cheddar, as well as client & esprimo. As such, your client will
have the local agent when authenticating to esprimo.

See my Empowering OpenSSH article for a fuller description of what's
happening.

Link - Empowering OpenSSH -
https://dotfiles.tnetconsulting.net/articles/2015/0506/empowering-openssh.html

Note: OpenSSH didn't have the ProxyJump or "-W" options when I wrote
this article. They would streamline this process.

Aside: You probably should check out ProxyJump and / or "-W". ;-)

--
Grant. . . .
unix || die

Chris Green

Sep 13, 2020, 10:03:03 AM9/13/20
Grant Taylor <gta...@tnetconsulting.net> wrote:
> On 9/12/20 5:46 AM, Chris Green wrote:
> > I currently use password authentication for a connection through a
> > proxy to my home linux desktop.
>
> Okay.
>
> > Since the connection isn't *always* through a proxy (not necessary
> > if I'm at home, just connect across the LAN) I have the following in
> > my ~/.ssh/config file:-
> >
> > Match host esprimo exec "hostNotLocal esprimo"
>
> I don't recognize "hostNotLocal". Is that a wrapper script that checks
> to see if the parameter is on the local network or not?
>
Yes, it's a trivial little script to test if we're on the LAN with
esprimo or not.


> > ForwardX11 true
> > ProxyCommand ssh cheddar nc -q0 zbmc.eu 22
>
> You don't need to use nc to do this. Check out the "-W" option to
> modern OpenSSH clients. It saves a process on cheddar.
>
Yes, I was using the old-fashioned way, I now have:-

ProxyJump cheddar.halon.org.uk

> > host esprimo
> > ForwardX11 true
>
> Okay.
>
> > If I add the client laptop's public key to cheddar and esprimo
> > what else do I need to do to make a connection through cheddar?
> > I will get Public Key authentication into cheddar but do I have to
> > add 'ForwardAgent yes' to the proxy section? ... or is something
> > else needed?
>
> No, you don't need ForwardAgent.
>
> The ssh connection from your client notebook to cheddar is only used as
> part of the transport between your client notebook and esprimo.
>
> Your client notebook will be the endpoint for both SSH connections;
> client & cheddar, as well as client & esprimo. As such, your client will
> have the local agent when authenticating to esprimo.
>
> See my Empowering OpenSSH article for a fuller description of what's
> happening.
>
> Link - Empowering OpenSSH -
> https://dotfiles.tnetconsulting.net/articles/2015/0506/empowering-openssh.html
>
> Note: OpenSSH didn't have the ProxyJump or "-W" options when I wrote
> this article. They would streamline this process.
>
> Aside: You probably should check out ProxyJump and / or "-W". ;-)
>
See above, I'm now using ProxyJump, and it 'just works' with the
change to Public Key. :-)

Thank you.

--
Chris Green

Grant Taylor

Sep 13, 2020, 1:55:23 PM9/13/20
On 9/13/20 7:51 AM, Chris Green wrote:
> Yes, it's a trivial little script to test if we're on the LAN with
> esprimo or not.

Okay. I was sort of wondering if I was missing a nice little tool. ;-)

> Yes, I was using the old fashioned way, I now have:-
>
> ProxyJump cheddar.halon.org.uk
>
> See above, I'm now using ProxyJump, and it 'just works' with the
> change to Public Key. :-)

*nod*

ProxyJump (and "-W") are nice options.

> Thank you.

You're welcome.