
I have a Jump Server and a Target Server that I would like to connect to like this:

myPc > JumpServer > TargetServer

In the first step I can use ssh-keygen to skip password authentication; however, in step 2, due to security matters, ssh-keygen was not installed and I can't do anything about it. So I was thinking of passing the password in one single command on my PC. What I have tried so far:

    sshpass -p myPassword ssh -At username@JumpServer ssh -A username@targetServer

    ssh -J username@JumpServer username@targetServer

But neither works. Any advice?

1 Answer


First decide if you want to daisy-chain sshs or you want "nested tubes" ssh -J gives you. Read this answer of mine to see what I mean. You tried both and it's not clear which one you want. In general ssh -J is better (e.g. port forwarding or allocating a tty is simpler than in the daisy-chain case).

  • If you want ssh -J (I recommend this) then only keys available to your local ssh will matter. No SSH client will be invoked on the jump host. Your private keys (if any) stored on jump host will be irrelevant, so the fact you cannot run ssh-keygen there to create them does not matter; they would be of no use anyway. Your local identity can be used to authenticate you on the jump host and on the target server. I assume you have run ssh-keygen locally. First register your key on the jump host by running the following command locally:

    ssh-copy-id username@JumpServer
    

    Then use the jump host to connect to the target server and register your key there. Run this locally:

    ssh-copy-id -o ProxyJump=username@JumpServer username@targetServer
    

    Note ssh -J … is a shortcut to specify ssh -o ProxyJump=…, but since ssh-copy-id does not support -J, we had to use the other syntax here.

    Now, if both servers are configured to allow key-based authentication then you will be able to ssh -J username@JumpServer username@targetServer from your local machine.

  • If you want to daisy-chain sshs then it's reasonable to have a private key on the jump host and use it to authenticate when sshing to the target server. I understand you cannot run ssh-keygen on the jump host. You can still create a key locally, register it on the target server and move (or copy) the keypair to the jump host, so the files will be there as if you had created them there with ssh-keygen.

In general each SSH server may be configured to disallow certain things and this may limit your options or impose certain actions. E.g. if you have managed to make the jump host accept your key, but the target server asks for password no matter what, then this local command will be handy:

    sshpass -p'myPassword' ssh -J username@JumpServer username@TargetServer

(This idea has already been posted in a comment.)

Notes:
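
The `ssh -J` setup recommended in the answer, written as a client configuration file. This is an added example, not part of the original answer: the aliases `jump` and `target` and the key path `~/.ssh/id_ed25519` are assumptions, and the host and user names are the page's placeholders.

```sshconfig
# ~/.ssh/config on the local machine (myPc).
# Constructed example: the aliases "jump" and "target" and the key path
# ~/.ssh/id_ed25519 are assumptions; host and user names are the page's
# placeholders.

Host jump
    HostName JumpServer
    User username
    IdentityFile ~/.ssh/id_ed25519
    # Offer only the key named above, not every key the agent holds.
    IdentitiesOnly yes
    # ProxyJump does not need the agent on the jump host.
    ForwardAgent no

Host target
    HostName targetServer
    User username
    # Same effect as: ssh -J username@JumpServer username@targetServer
    ProxyJump jump
    # Authentication to the target happens from myPc, through the tunnel,
    # with the local key; nothing is read from the jump host's ~/.ssh.
    IdentityFile ~/.ssh/id_ed25519
    IdentitiesOnly yes
    ForwardAgent no
```

Once the two `ssh-copy-id` commands from the answer have registered the key on both servers, `ssh target` connects in one step, with no private key stored on the jump host and no agent forwarded to it.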