I have the following ssh connections:
user1@local --> root@machine1 --> root@machine2 --> abc@machine3
I need to be able to connect from local directly to machine3:
[user1@local]$ ssh abc@machine3
At this point I'm fine if I need to enter passwords, though ideally I would like to use ssh keys and no password connections.
I'm able to connect to machine1 and machine2 with sudo, but connecting to machine3 fails:
[user1@local]$ sudo ssh abc@machine3
root@machine1.com's password:
root@machine2.com's password:
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
My /root/.ssh/config file contains the following:
Host machine1
HostName machine1.com
User root
IdentitiesOnly yes
Host machine2
HostName machine2.com
User root
ProxyCommand ssh -W %h:%p machine1
IdentitiesOnly yes
Host machine3
HostName machine3.com
User abc
ProxyCommand ssh -W %h:%p machine2
IdentitiesOnly yes
I'm on OpenSSH_5.3p1 on local machine, hence cannot use ProxyJump. Also there is no netcat support on machines 1,2 and 3.
When I ssh manually, I can only ssh to machine3 from machine2 as abc user and then there is no password required (authorized_keys on machine3 contains public key from machine2). Connecting manually as any other user to machine3 from machine2 results in the same Permission denied error as above.
Any idea how to achieve the desired ssh connection from local machine? Is this doable? Once the tunnel is set I'll need to create some files on machine3 and restart services there - all from script.
EDIT
I tried ssh with verbose and got this:
[user1@local]$ sudo ssh -v abc@machine3
OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013
debug1: Reading configuration data /root/.ssh/config
debug1: Applying options for machine3
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Executing proxy command: exec ssh -W machine3.com:22 machine2
debug1: permanently_drop_suid: 0
debug1: permanently_set_uid: 0/0
debug1: identity file /root/.ssh/identity type -1
debug1: identity file /root/.ssh/identity-cert type -1
debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
root@machine1.com's password:
root@machine2.com's password:
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.3
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'machine3.com' is known and matches the RSA host key.
debug1: Found key in /root/.ssh/known_hosts:4
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug1: Next authentication method: publickey
debug1: Trying private key: /root/.ssh/identity
debug1: Trying private key: /root/.ssh/id_rsa
debug1: Trying private key: /root/.ssh/id_dsa
debug1: Trying private key: /root/.ssh/id_ecdsa
debug1: No more authentication methods to try.
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
The only file that exists in .ssh directory on machine3 is authorized_keys.
