At work, I need to access some blade servers that are on a private network. The only way to get into these machines is to shell into a lab box first, and then shell into a blade.
alan@desktop:~$ ssh root@labaccess Last login: Tue Feb 17 10:13:52 2009 from desktop [root@labaccess ~]# ssh root@blade3 root@blade3's password:-****** Last login: Tue Feb 17 10:14:03 2009 from labaccess [root@blade3 ~]#
A while back, I picked up this little nugget from the TriLUG mailing list (thanks to Magnus Hedemark). There is a way to make this intermediate hop automatically. Simply add the following to $HOME/.ssh/config:
Host blade3 blade5 blade10 ProxyCommand ssh root@labaccess "nc %h %p" 2>/dev/null
Now, when I try to ssh directly from my desktop to one of the blades, it first establishes an SSH session to the labaccess machine, and then netcat’s all of my original SSH traffic directly to the target blade.
This process will ask you for 0, 1 or 2 passwords, depending on whether your public key (from
desktop) is in the $HOME/.ssh/authorized_keys files on the
bladeX machines. Since I have my public key on all of the machines, this is what I see now:
alan@desktop:~$ ssh root@blade3 Last login: Tue Feb 17 10:17:21 2009 from labaccess [root@blade3 ~]#
This also means that I can
scp files directly from my desktop to the blades, without having to dump them on the labaccess machine.
By the way, this trick provides an EXCELLENT reason to consider re-flashing your home router with Tomato firmware, which has ssh and netcat built-in.
Host homepc1 homepc2 ProxyCommand ssh root@router "nc %h %p" 2>/dev/null