
Is it possible to set SSH up so that for any attempted connection it first tries to connect directly; if that fails it tries to connect via another host. If that fails, it tries to connect via another host, and so on. I have a list of such hosts.

For example

sshing into "database.companyB.com"

would first try directly, but it would fail (no key signed)

Then it would try to go via companyA.com and that would also fail

Then it would try to go via companyB.com and that would succeed.

I know transparent forwarding can be done on a host-by-host basis, but is it possible to do this?

  • Do you mean you have credential @database.companyB.com as well as companyA.com and companyB.com and want to try if connection are accepted directly, from companyA.com and from companyB.com ?
    – M'vy
    Commented Jul 2, 2012 at 11:53
  • I mean, for ANY host I attempt to connect to, it should first attempt to connect directly. Only if that fails should it go down the list of intermediate hosts to try, to see if any of them are authorised. The point of this is to be able to SSH into any of my company's servers, even when I don't have authorisation on them (I do have authorisation on the "master" intermediate servers)
    – Ivy
    Commented Jul 2, 2012 at 12:22

1 Answer

First of all, we can set up a proxy connection.

Let's consider you want to access A.dm.com, but you need to go through B.dm.com before. We can edit our .ssh/config file with:

Host A-s1
    Hostname A.dm.com
    Compression yes
    User mvy
    # Reach A through B: ssh to B, where nc relays the TCP stream to %h (A.dm.com) on %p (22)
    ProxyCommand ssh B.dm.com nc %h %p 2> /dev/null

This enables us to do:

ssh A-s1

It will ask for B's password, then A's password, then we're in. That way you can do:

ssh A-s1 exit

If $? is 0 then this is a success and you can connect with the pass-through.

All you need now is a script that tries the connection for each server and prints the result of $?

  • This looks like it should work, but I get asked: [email protected]'s password: (names changed to match example) Now I know that [email protected] can log into [email protected], so I don't know what's happening here.
    – Ivy
    Commented Jul 2, 2012 at 13:01
  • Not sure what you need, but you can change the username you need to connect on A with the User directive, and put a user@ before B.dm.com if you need to connect to B using another username.
    – M'vy
    Commented Jul 2, 2012 at 13:58
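The probe-and-fall-back loop the answer describes, written out as a POSIX shell script. This is an added example, not M'vy's code: it assumes key-based (non-interactive) access so BatchMode can be used instead of password prompts, takes the question's companyA.com and companyB.com as the jump list, and makes the ssh command a variable (PROBE) so the logic can be exercised offline with a stub.

```shell
# Added example: find the first working route to a host, trying a direct
# connection first and then each jump host in order. Each attempt is the
# answer's "ssh ... exit" probe, judged by its exit status.

JUMP_HOSTS="companyA.com companyB.com"   # tried in this order after the direct attempt
PROBE=${PROBE:-ssh}                      # command used for each probe; a stub can replace it

# probe_path TARGET [JUMP]: exit 0 if TARGET accepts a login (via JUMP when given).
probe_path() {
  target=$1
  jump=$2
  if [ -n "$jump" ]; then
    # Same relay as the answer's ProxyCommand, given on the command line so no
    # per-host .ssh/config entry is needed. BatchMode forbids password prompts,
    # so a failure means "no key accepted", not a hung prompt.
    "$PROBE" -o BatchMode=yes -o ConnectTimeout=5 \
      -o "ProxyCommand=ssh -o BatchMode=yes $jump nc %h %p" "$target" exit
  else
    "$PROBE" -o BatchMode=yes -o ConnectTimeout=5 "$target" exit
  fi
}

# find_route TARGET: print "direct" or the first jump host that works; exit 1 if none.
find_route() {
  target=$1
  if probe_path "$target" >/dev/null 2>&1; then
    echo direct
    return 0
  fi
  for jump in $JUMP_HOSTS; do
    if probe_path "$target" "$jump" >/dev/null 2>&1; then
      echo "$jump"
      return 0
    fi
  done
  echo "no route to $target" >&2
  return 1
}

# Usage: sh find_route.sh database.companyB.com
if [ -n "${1:-}" ]; then
  find_route "$1"
fi
```

On OpenSSH 7.3 and later the same relay can be expressed as `ssh -J "$jump" "$target"`, which needs no nc on the jump host.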
