Ssh through bastion host (jump host)

Question

Can somebody give me a one liner ssh command which can connect to remote host through bastion host (jump host). I am not interested in updating ssh config.

I have tried below command but didn't work. Any corrections would be appreciated for below command.

ssh -i remote.pem user@remote -o "ProxyCommand ssh -W %h:%p -i bastion.pem user@bastion"

Below is the exact error details:

$ ssh -i key user@remote -o "ProxyCommand ssh -W %h:%p -i key user@bastion" -vvv hostname
OpenSSH_8.1p1, OpenSSL 1.1.1d  10 Sep 2019
debug1: Reading configuration data /etc/ssh/ssh_config
debug2: resolve_canonicalize: hostname remote is address
debug1: Executing proxy command: exec ssh -W remote:22 -i key user@bastion
debug1: identity file key type -1
debug1: identity file key-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.1
Host key verification failed.
kex_exchange_identification: Connection closed by remote host

Can somebody help me

Based on answer proposed by @Martin

I am able to do below:

ssh user@bastion

But if I do

ssh -i remote.pem -i bastion.pem -J user@bastion user@remote

I am getting below error:

OpenSSH_8.1p1, OpenSSL 1.1.1d  10 Sep 2019
debug1: Reading configuration data /etc/ssh/ssh_config
debug2: resolve_canonicalize: hostname <remote> is address
debug1: Setting implicit ProxyCommand from ProxyJump: ssh -l user -vvv -W '[%h]:%p' <bastion>
debug1: Executing proxy command: exec ssh -l user -vvv -W '[<remote>]:22' <bastion>
debug1: identity file key type -1
debug1: identity file key-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.1
OpenSSH_8.1p1, OpenSSL 1.1.1d  10 Sep 2019
debug1: Reading configuration data /etc/ssh/ssh_config
debug2: resolve_canonicalize: hostname <bastion> is address
debug2: ssh_connect_direct
debug1: Connecting to <bastion> [<bastion>] port 22.
debug1: Connection established.
debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
debug1: identity file /root/.ssh/id_ed25519 type -1
debug1: identity file /root/.ssh/id_ed25519-cert type -1
debug1: identity file /root/.ssh/id_xmss type -1
debug1: identity file /root/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.1
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.8
debug1: match: OpenSSH_7.8 pat OpenSSH* compat 0x04000000
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to <bastion>:22 as 'user'
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-info-c
debug2: host key algorithms: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com,zlib
debug2: compression stoc: none,zlib@openssh.com,zlib
debug2: languages ctos: 
debug2: languages stoc: 
debug2: first_kex_follows 0 
debug2: reserved 0 
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519
debug2: ciphers ctos: aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc
debug2: ciphers stoc: aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc
debug2: MACs ctos: hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512
debug2: MACs stoc: hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512
debug2: compression ctos: none,zlib@openssh.com
debug2: compression stoc: none,zlib@openssh.com
debug2: languages ctos: 
debug2: languages stoc: 
debug2: first_kex_follows 0 
debug2: reserved 0 
debug1: kex: algorithm: curve25519-sha256@libssh.org
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug3: send packet: type 30
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug3: receive packet: type 31
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:<#############>
debug1: read_passphrase: can't open /dev/tty: No such device or address
Host key verification failed.
kex_exchange_identification: Connection closed by remote host

Martin Prikryl · Answer 1 · 2021-09-10T10:11:05.313

Host key verification failed.

It seems that you have not verified a hostkey of the "bastion" server. You cannot verify it, when the connection is created using ProxyCommand directive.

As you are using OpenSSH 8.1, you can use -J (jump) switch, instead of ProxyCommand directive:

ssh -i remote.pem -i bastion.pem -J user@bastion user@remote

See also Does OpenSSH support multihop login?

With the -J switch, you should get a normal host key verification prompt.

Alternatively, first connect to the "bastion" only to verify its host key:

ssh user@bastion

As you use ssh in some isolated non-interactive environment, you will have to copy the known_hosts file created by the above commands to that environment.

Or use some techniques hinted in ssh command line specify server host key fingerprint.

score -1 · Answer 2 · answered Nov 03 '19 at 22:22

-1

Finally this command worked:

ssh -o ProxyCommand="ssh -i key -o StrictHostKeyChecking=no -W %h:%p user@bastion" -i key -o StrictHostKeyChecking=no user@remote

I think adding StrictHostKeyChecking=no helped to make it work.

answered Nov 03 '19 at 22:22

Deepak Janyavula

149

Ssh through bastion host (jump host)

2 Answers2