Question

I need to write a script to be able to run cmds on our test servers in our secure, off-site lab. The problem is these test servers are behind a jump server/jump host. Manually, I either type:

bash$ ssh -A jumphost
jumphost$ ssh server1

or I edited my personal .ssh/config file to use the jump host

ForwardAgent yes
Host server1
ProxyCommand ssh -q jumphost nc <ip of server1> 22

to access them. How do I do this inside my script so that ssh doesn't stop/terminate at ssh -A jumphost?

I tried to run

ssh jumphost nc <ip of server1> 22 "ls /tmp"

or

ssh jumphost nc <ip of server1> 22

or

ssh -A jumphost nc <ip> 22

but it complains of a protocol mismatch. I don't control the jump host so I can't just leave scripts/programs at a common place for people to use. I also don't think IT will make a jump host for us to use exclusively.

Is there a way for me to run scripts thru a jump host? Thanks in advance for your help. If there isn't a way, I'll just tell IT they need to allow me to copy my scripts to the jump host b/c the experts on stackoverflow said it needed to be done =)


Solution

Something along the lines of:

ssh -At jumpserver ssh -At server1

should work. The -t makes sure that a pseudo-tty is allocated where needed (it may not be necessary on the second one, but I don't have a setup where I can test that at the moment, and it won't hurt). This also has the benefit that when you exit from server1, both sessions go away...

OTHER TIPS

Update the ~/.ssh/config file as follows:

Host JumpHost
    Hostname 111.255.223.108
    User jump-user
    IdentityFile ~/Keys/JumpHost.pem
    AddKeysToAgent yes

Host PrivateHost
    Hostname 120.010.111.166
    IdentityFile ~/Keys/my-private-key.pem
    User private-user
    AddKeysToAgent yes
    ProxyJump JumpHost

Then ssh on the command line: ssh PrivateHost

Without config files, with different ports, different keys and different users: jump host port: 2244, target host port: 2266 (ports are just examples). If the standard port (22) is used, the -p/-P options can be omitted.

OUTPUT=$(ssh -o ProxyCommand="ssh -W %h:%p $JUMPHOST_USER@$JUMPHOST_IP -p 2244 -i jumphost_key_file" -oStrictHostKeyChecking=accept-new $TARGETHOST_USER@$TARGETHOST_IP -p 2266 -i targethost_key_file 'command')
# quote the variable so the command's line breaks and spacing survive
echo "$OUTPUT"

The -oStrictHostKeyChecking option is for automatically accepting the ECDSA key. If this is a security issue for you, you should take out this option, but then the first time you need to acknowledge it manually. Also don't forget to allow agent forwarding on the jump host in sshd_config. It may also be necessary to allow TCPForwarding on the jump host in sshd_config, and maybe in /etc/sysctl.conf you need to uncomment/enable net.ipv4.ip_forward = 1.

If you want to run a local script on the target host:

# the script arrives on stdin, so the remote shell must read commands from
# stdin (bash -s); "bash -c" without a command string only prints a usage error
OUTPUT=$(ssh -o ProxyCommand="ssh -W %h:%p $JUMPHOST_USER@$JUMPHOST_IP -p 2244 -i jumphost_key_file" $TARGETHOST_USER@$TARGETHOST_IP -p 2266 -i targethost_key_file 'bash -s' <local_bash_script.sh)
echo "$OUTPUT"

scp can also be used like this:

scp -o ProxyCommand="ssh -W %h:%p $JUMPHOST_USER@$JUMPHOST_IP -p 2244 -i jumphost_key_file" -i targethost_key_file -P 2266 local_file_to_copy.txt $TARGETHOST_USER@$TARGETHOST_IP:/tmp/new_file_name.txt

Note the capital P for the port in the scp command, but not in ssh! Omit new_file_name.txt if you don't want to change the file name. I have this running on Debian 10. Hope this helps if you don't want to maintain config files.
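As an added example (not code from either answer above), here is the ProxyCommand `ssh -W` form from the previous answer wrapped in a script with the client-side settings a defender wants: host keys of both hops pinned in a dedicated known_hosts file instead of accept-new, agent forwarding off, and BatchMode so the script fails instead of prompting. Host names, users, ports, the `SSH_BIN`/`KNOWN_HOSTS` variables and the known_hosts path are placeholder assumptions.

```shell
#!/bin/sh
# Added example: run a command on a target host through a jump host using
# the "ssh -W" ProxyCommand form. -W needs no agent on the jump host, so the
# private key never leaves the client (ForwardAgent=no), and both hops are
# checked against a pinned known_hosts file (StrictHostKeyChecking=yes).
# Populate that file once (e.g. with ssh-keyscan) and verify the fingerprints
# out of band. Specs are user@host[:port]; IPv6 literals are not handled.

host_of() { printf '%s' "${1%%:*}"; }
port_of() { case $1 in *:*) printf '%s' "${1##*:}" ;; *) printf '22' ;; esac; }

# run_via_jump JUMP TARGET COMMAND...
# SSH_BIN (default ssh) is overridable so a test can substitute a stand-in.
# KNOWN_HOSTS (default ./lab_known_hosts) must not contain spaces, because
# the ProxyCommand string is re-parsed by a shell.
run_via_jump() {
    jump=$1; target=$2; shift 2
    kh=${KNOWN_HOSTS:-./lab_known_hosts}
    "${SSH_BIN:-ssh}" \
        -o "ProxyCommand=ssh -W %h:%p -o BatchMode=yes -o StrictHostKeyChecking=yes -o UserKnownHostsFile=$kh -p $(port_of "$jump") $(host_of "$jump")" \
        -o BatchMode=yes \
        -o ForwardAgent=no \
        -o StrictHostKeyChecking=yes \
        -o UserKnownHostsFile="$kh" \
        -p "$(port_of "$target")" \
        "$(host_of "$target")" "$@"
}

# Run a local script on the target: it travels on stdin ("bash -s"), so
# nothing has to be copied onto the jump host, which the question rules out.
run_script_via_jump() {
    script=$1; jump=$2; target=$3
    run_via_jump "$jump" "$target" bash -s < "$script"
}

# Usage (placeholder hosts):
#   run_via_jump jump-user@jumphost.example:2244 private-user@target.example:2266 ls /tmp
#   run_script_via_jump ./local_bash_script.sh jump-user@jumphost.example private-user@target.example
```

Because the ProxyCommand string is passed to a shell, it carries its own -o options; settings given on the outer command line do not apply to the jump hop.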

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow