
I'm trying to make a private system with four machines in it, let's call them

Host - IP 1,
Proxy - IP 2,
Server - IP 3,
Application - IP 4

A user connects to the host via ssh (I have this working without requiring a password). From the host, you can then connect to the proxy, application or server using ssh, but it requires a password. I wish to be able to ssh without needing a password. However, I'm not quite sure how to implement this, but it's clearly wrong, as the connection just hangs when I try it. The user has an account on all, so "john" exists on all machines; currently I am simply connecting "john" to "john", so I don't have to do the whole name@server thing (but maybe it's better to do that, idk; I can connect to john using 'ssh IP' or to a different user using 'name@IP').

As an example, I have the following (is the hostname required? the application doesn't necessarily have one), this variation hangs

Host IP 3
HostName ServerHostName
User john
ProxyJump IP 1

This variation still requires the password

Host IP 1
HostName ServerHostName
User john
ProxyJump IP 3

How exactly do I implement the .ssh/config file to correctly connect without requiring a password?

A diagram of the connection: [image: Diagram of desired connection]


For your diagram, the three "inside" servers should have a ProxyJump <host>, and the host itself should not have a ProxyJump at all.

However, no amount of proxying and jumping will remove the authentication requirement. Your inside servers treat all incoming connections equally; there is no way to pre-authenticate the ones coming through the host, especially due to the way ProxyJump works (the SSH client runs on the user's local system and not on the proxy).

If you currently have a passwordless login system for the host (e.g. public key with an authorized_keys file), then just replicate the same to all other servers. First the client will use their pubkey or ticket for the Host and then they'll use the same key for the Application.

(If you were using Host as an interactive shell server – where the user connects to a shell, then manually runs another 'ssh' command – you could e.g. use Hostbased authentication. But you would still end up losing convenience, not gaining any.)

  • Should have been more clear, the host is actually a bastion host which the user connects to, and it was to my understanding that a bastion host can be used as a ProxyJump to the other machines on the network, just not sure how to actually implement it (new to the whole thing and attempts I make fail), may have got some wires crossed in my question, it was really late when I asked it. I was told it is possible to get ssh connections through the bastion not requiring a password as the bastion has a key pairing, but was never given any guidance or information on how to do so.
    – Anan
    Commented Sep 21, 2020 at 4:18
  • There's no such thing. Maybe you've read about bastion hosts implemented like normal SSH servers, where the person first ssh's into the bastion, has a regular id_rsa file therein, and uses it to ssh into the next server. But that can't possibly work with ProxyJump as the proxy host only sees the encrypted SSH connection and has no chance to interact with it. Commented Sep 21, 2020 at 4:46
  • So after logging into the host using ssh (with no password requirement due to certificate and key authentication), this can't be replicated from the host to another server a layer down? I currently go user>>ssh IP1>>host>>ssh IP3>>password>>server and just want to be able to go user>>ssh IP1>>host>>ssh IP3>>server :/ Googling implies it's possible by modifying the .ssh/config file but I can't get it to work
    – Anan
    Commented Sep 21, 2020 at 5:53
  • Sounds like you completely misunderstood every single thing I wrote... Do all your servers have the same authorized_keys file copied to them? Commented Sep 21, 2020 at 6:41
  • Probably did misunderstand, is the authorized key not the prompt made when first connecting and authenticating? Or is there something else I need to copy over first? The bastion host does use OpenVPN if that matters for an alternate method
    – Anan
    Commented Sep 21, 2020 at 6:48
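The layout the answer describes, as an added example that is not from the original thread: a client config in which only the three inside machines carry ProxyJump, a small resolver that shows which alias jumps through what, and the step that replicates the public key to every machine's authorized_keys. It assumes the key pair ~/.ssh/id_ed25519 is the one that already logs john into the host, and the addresses are constructed documentation-range placeholders.

```shell
#!/bin/sh
# Added example, not from the original thread: four machines as in the
# question, with constructed documentation-range addresses as placeholders.
BASTION_ADDR=192.0.2.1   # "Host - IP 1": the bastion, reached directly
PROXY_ADDR=192.0.2.2     # "Proxy - IP 2"
SERVER_ADDR=192.0.2.3    # "Server - IP 3"
APP_ADDR=192.0.2.4       # "Application - IP 4"

# Client-side config: the bastion has no ProxyJump, the three inside
# hosts jump through it, and the same key is offered everywhere.
write_ssh_config() {
    cat > "$1" <<EOF
Host bastion
    HostName $BASTION_ADDR
Host proxy
    HostName $PROXY_ADDR
Host server
    HostName $SERVER_ADDR
Host app
    HostName $APP_ADDR
# Everything except the bastion is reached through the bastion.
Host proxy server app
    ProxyJump bastion
# ssh keeps the first value it sees, so these only fill in the rest.
Host *
    User john
    IdentityFile ~/.ssh/id_ed25519
    IdentitiesOnly yes
EOF
}

# Resolve which ProxyJump an alias gets, using ssh's first-match-wins
# rule. Prints nothing when the alias has none (as the bastion should).
proxy_jump_for() {
    awk -v want="$2" '
        $1 == "Host" { m = 0; for (i = 2; i <= NF; i++) if ($i == want || $i == "*") m = 1; next }
        m && $1 == "ProxyJump" && !seen { print $2; seen = 1 }
    ' "$1"
}

# Put the public key into authorized_keys on all four machines. Each one
# asks for john's password once here and never again; the bastion goes
# first because the other three are reached through it.
install_key_everywhere() {
    for h in bastion proxy server app; do
        ssh-copy-id -i ~/.ssh/id_ed25519.pub "$h"
    done
}
# Typical use: write_ssh_config ~/.ssh/config && install_key_everywhere
```

After the key is installed, "ssh app" from the user's own machine goes through the bastion and authenticates to both hops with the same key, which is all the passwordless part consists of.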
