On 9/12/20 5:46 AM, Chris Green wrote:
> I currently use password authentication for a connection through a
> proxy to my home linux desktop.
Okay.
> Since the connection isn't *always* through a proxy (not necessary
> if I'm at home, just connect across the LAN) I have the following in
> my ~/.ssh/config file:-
>
> Match host esprimo exec "hostNotLocal esprimo"
I don't recognize "hostNotLocal". Is that a wrapper script that checks
to see if the parameter is on the local network or not?
> ForwardX11 true
> ProxyCommand ssh cheddar nc -q0 zbmc.eu 22
You don't need to use nc to do this. Check out the "-W" option to
modern OpenSSH clients. It saves a process on cheddar.
> host esprimo
> ForwardX11 true
Okay.
> If I add the client laptop's public key to cheddar and esprimo
> what else do I need to do to make a connection through cheddar?
> I will get Public Key authentication into cheddar but do I have to
> add 'ForwardAgent yes' to the proxy section? ... or is something
> else needed?
No, you don't need ForwardAgent.
The ssh connection from your client notebook to cheddar is only used as
part of the transport between your client notebook and esprimo.
Your client notebook will be the endpoint for both SSH connections:
client & cheddar, as well as client & esprimo. As such, your client will
have the local agent when authenticating to esprimo.
See my Empowering OpenSSH article for a fuller description of what's
happening.
Link - Empowering OpenSSH -
https://dotfiles.tnetconsulting.net/articles/2015/0506/empowering-openssh.html
Note: OpenSSH didn't have the ProxyJump or "-W" options when I wrote
this article. They would streamline this process.
Aside: You probably should check out ProxyJump and / or "-W". ;-)
--
Grant. . . .
unix || die
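
The configuration discussed in this message, rewritten with "-W" in place of nc and with agent forwarding left off, as an added example that is not part of the original thread. It assumes hostNotLocal is the poster's own helper that exits 0 when esprimo is not on the LAN; the HostName and HostKeyAlias lines in the commented ProxyJump variant are likewise assumptions about how to keep the same target and known_hosts entry.

```sshconfig
# ~/.ssh/config on the client laptop (added example, not the poster's file)

# Away from home: reach esprimo through cheddar.
# Assumption: "hostNotLocal esprimo" exits 0 when esprimo is NOT on the LAN.
Match host esprimo exec "hostNotLocal esprimo"
    ForwardX11 true
    # Replaces "ssh cheddar nc -q0 zbmc.eu 22": cheddar's sshd opens the
    # TCP connection to zbmc.eu:22 itself, so no nc process runs on cheddar.
    ProxyCommand ssh -W zbmc.eu:22 cheddar
    # Both SSH sessions (laptop to cheddar, laptop to esprimo) terminate on
    # the laptop, so the laptop's key or agent authenticates to each host
    # directly. The agent socket is never exposed on cheddar.
    ForwardAgent no

    # Alternative for clients that have ProxyJump. ProxyJump connects to the
    # target's HostName, so that has to become zbmc.eu; HostKeyAlias keeps
    # the host key filed under "esprimo" in known_hosts.
    #   HostName zbmc.eu
    #   HostKeyAlias esprimo
    #   ProxyJump cheddar

# At home: plain LAN connection, no proxy.
Host esprimo
    ForwardX11 true
```

Running `ssh -G esprimo` prints the options the client resolves for that host, which shows whether the proxy block matched without opening a connection.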