SSH and identity file for jump server

I'm trying to log into my-server through a jump server, jump.example.com.

I can successfully log into the jump server without a password request:

ssh -i .ssh/id_rsa [email protected]

But if I use

ssh -i .ssh/id_rsa -o ProxyCommand="ssh -W %h:%p [email protected]" user@my-server
# or
ssh -i .ssh/id_rsa -J [email protected] user@my-server

I'm prompted for a password for [email protected]. I would not be surprised if I were prompted for a password for user@my-server instead.

How can I specify an identity file for the jump server?



Solution 1:[1]

I would suggest adding the following to your ssh config:

Host my_server
        Hostname my-server
        ProxyCommand ssh -W %h:%p jump_server
        User user
        IdentityFile path/to/ssh/identity/file
        Port 22
 
Host jump_server
        Hostname jump.example.com
        User user
        IdentityFile path/to/ssh/identity/file
        Port 22
        

Finally, to connect to your target server, use:

ssh my_server

Solution 2:[2]

A slight necro here, but I just ran into the same problem. However, in my case I was easily able to solve it by looking at the original post. In the original post, this command was tried:

ssh -i .ssh/id_rsa -o ProxyCommand="ssh -W %h:%p [email protected]" user@my-server

But it had already been indicated that the specified identity file, ".ssh/id_rsa", was for "jump.example.com" and not "my-server". So if you move the identity file parameter into the ProxyCommand, it should work as intended:

ssh -i .ssh/id_rsa -o ProxyCommand="ssh -W %h:%p [email protected] -i .ssh/id_rsa" user@my-server

In my specific case and testing I had a non-standard port to connect to at my "jump.example.com" server, so my command looked more like (port changed to protect the foolish):

ssh -o ProxyCommand="ssh -W %h:%p [email protected] -p 30000 -i .ssh/id_rsa" user@my-server

When I executed this command I received a prompt to type the password at "my-server". I went just a bit further and created a different (and temporary) authorized key on my client machine for "my-server" and made it completely there without a password with this command:

ssh -o ProxyCommand="ssh -W %h:%p [email protected] -p 30000 -i .ssh/id_rsa" user@my-server -i .ssh/temp_id_rsa

For situations where you do something often without change, going with the ssh_config solution is arguably better in multiple ways. But in my case I use ssh tunnels to pivot throughout a dynamic test environment that changes multiple times a day and I come from different locations, so a single command makes more sense.
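
One way to check which key each hop will use before connecting, as an added example that is not part of the original answers. It writes a constructed config (the key paths and the `IdentitiesOnly` and `ProxyJump` lines are assumptions layered on Solution 1's layout) and resolves it with `ssh -G`, which evaluates the configuration without opening a connection:

```shell
#!/bin/sh
# Added example: resolve per-hop settings offline with `ssh -G` (OpenSSH 6.8+).
# All host aliases, user names and key paths below are constructed.

# Write a throwaway client config: one key per hop, final hop routed via the jump.
write_demo_config() {
    cfg=$1
    cat > "$cfg" <<'EOF'
Host jump_server
    HostName jump.example.com
    User user
    IdentityFile /constructed/keys/jump_key
    IdentitiesOnly yes

Host my_server
    HostName my-server
    User user
    IdentityFile /constructed/keys/target_key
    IdentitiesOnly yes
    ProxyJump jump_server
EOF
}

# effective CONFIG HOST KEYWORD -> value(s) ssh would use for HOST.
# -G only evaluates the configuration and exits; no connection is made.
effective() {
    ssh -G -F "$1" "$2" | awk -v k="$3" '$1 == k { print $2 }'
}

# Print the settings that decide which key is offered at each hop.
report() {
    for h in jump_server my_server; do
        for k in hostname user identityfile identitiesonly proxyjump; do
            printf '%-12s %-15s %s\n' "$h" "$k" "$(effective "$1" "$h" "$k")"
        done
    done
}

# Demo run: only when an ssh client is installed.
if command -v ssh >/dev/null 2>&1; then
    demo_cfg=$(mktemp)
    write_demo_config "$demo_cfg"
    report "$demo_cfg"
    rm -f "$demo_cfg"
fi
```

With `IdentitiesOnly yes`, only the listed key is offered at that hop, so a wrong `identityfile` line in the report explains a password prompt at the jump host.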

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 Tolis Gerodimos
Solution 2