I need to connect to a remote machine which then can connect to another one and download a file from there. To read the file, I would do:

ssh REMOTEMACHINE
 - Enter password
ssh HIDDENMACHINE
 - Authenticates via private key on REMOTEMACHINE
less my_file.log

I want to download that file directly instead of viewing it in shell. I found that scp supports proxy command and it works except it cannot do the second hop because it does not read the private key from REMOTEMACHINE:~/.ssh/.

This is my command:

scp -oProxyJump=REMOTEMACHINE HIDDENMACHINE:my_file.log ./my_file.log

And the output is:

someuser@REMOTEMACHINE's password: *******
The authenticity of host 'HIDDENMACHINE (<no hostip for proxy command>)' can't be established.
ED25519 key fingerprint is SHA256:XXXXXX.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'HIDDENMACHINE' (ED25519) to the list of known hosts.
someuser@HIDDENMACHINE: Permission denied (publickey).

I was previously doing this programmatically using an ssh library, and my approach then was to first grab the private key from REMOTEMACHINE. Unfortunately the ssh library is bugged and not a suitable solution for downloading multiple files.

Tomáš Zato

1 Answer

A connection with -oProxyJump=REMOTEMACHINE does not read the private key from REMOTEMACHINE:~/.ssh/ because it's like nested tubes, not like a daisy chain.

A straightforward approach is to copy the private key from REMOTEMACHINE to the local one, then use the local copy of the key. This can be done with scp, sftp or even with:

ssh REMOTEMACHINE 'cat ~/.ssh/id_rsa' > /path/to/private/dir/local_copy

If you don't want to store the key in a local regular file then consider "borrowing" the key:

  1. Start a local ssh-agent (you can skip this step if there is already an agent running and available, and it does not have too many keys; read about a possible problem with too many keys here):

    #locally
    eval "$(ssh-agent)"
    
  2. Connect to the REMOTEMACHINE with agent forwarding and load ("borrow") the key into the local agent:

    #locally
    ssh -A REMOTEMACHINE ssh-add
    
  3. Now any program that uses the local agent (see "Understanding ssh-agent" in this answer) will be able to authenticate with the "borrowed" key. You can now connect from local to HIDDENMACHINE (with -J/-oProxyJump= if needed).
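The three steps above, scripted end to end as an added example (not code from the answer or the question): a throwaway agent is started, the key is borrowed from the jump host, the copy is made, and the agent is killed afterwards so the borrowed private key does not stay loaded in a long-lived agent. REMOTEMACHINE, HIDDENMACHINE and my_file.log are the question's placeholder names.

```shell
#!/bin/sh
# Added example; the host and file names are the question's placeholders.

# Build the copy command as a string so the exact hops can be reviewed/logged.
scp_via_jump_cmd() {
    printf 'scp -o ProxyJump=%s %s:%s %s' "$1" "$2" "$3" "$4"
}

# Number of identities in the agent at $SSH_AUTH_SOCK: 0 when it is empty,
# -1 when no agent is reachable (ssh-add -l exits 2) or ssh-add is missing.
agent_key_count() {
    out=$(ssh-add -l 2>/dev/null) && rc=0 || rc=$?
    case $rc in
        0) printf '%s\n' "$out" | wc -l | tr -d ' ' ;;
        1) echo 0 ;;
        *) echo -1 ;;
    esac
}

# Borrow the key from the jump host, copy the file, then discard the agent.
# Runs in a subshell so the agent and the trap are scoped to this call.
fetch_via_borrowed_key() (
    jump=$1; target=$2; remote_path=$3; local_path=$4
    eval "$(ssh-agent -s)" >/dev/null               # step 1: fresh, empty agent
    trap 'ssh-agent -k >/dev/null 2>&1' EXIT        # torn down even on failure
    [ "$(agent_key_count)" -eq 0 ] || return 1      # refuse a pre-populated agent
    ssh -A "$jump" ssh-add || return 1              # step 2: the remote ssh-add
                                                    # feeds its default keys to us
    [ "$(agent_key_count)" -gt 0 ] || { echo "nothing borrowed" >&2; return 1; }
    # step 3: no -A here; the HIDDENMACHINE hop authenticates from the local
    # agent, so the agent is not exposed to REMOTEMACHINE during the copy.
    echo "+ $(scp_via_jump_cmd "$jump" "$target" "$remote_path" "$local_path")" >&2
    scp -o "ProxyJump=$jump" "$target:$remote_path" "$local_path"
)

# Usage (interactive; REMOTEMACHINE may still prompt for its password):
# fetch_via_borrowed_key REMOTEMACHINE HIDDENMACHINE my_file.log ./my_file.log
```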