At work, I need to access some blade servers that are on a private network. The only way to get into these machines is to shell into a lab box first, and then shell into a blade.

alan@desktop:~$ ssh root@labaccess
Last login: Tue Feb 17 10:13:52 2009 from desktop
[root@labaccess ~]# ssh root@blade3
root@blade3's password:-******
Last login: Tue Feb 17 10:14:03 2009 from labaccess
[root@blade3 ~]#

A while back, I picked up this little nugget from the TriLUG mailing list (thanks to Magnus Hedemark). There is a way to make this intermediate hop automatically. Simply add the following to $HOME/.ssh/config:

Host blade3 blade5 blade10
    ProxyCommand ssh root@labaccess "nc %h %p" 2>/dev/null

Now, when I try to ssh directly from my desktop to one of the blades, it first establishes an SSH session to the labaccess machine, and then netcat’s all of my original SSH traffic directly to the target blade.

This process will ask you for 0, 1 or 2 passwords, depending on whether your public key (from desktop) is in the $HOME/.ssh/authorized_keys files on the labaccess and bladeX machines. Since I have my public key on all of the machines, this is what I see now:

alan@desktop:~$ ssh root@blade3
Last login: Tue Feb 17 10:17:21 2009 from labaccess
[root@blade3 ~]#

This also means that I can scp files directly from my desktop to the blades, without having to dump them on the labaccess machine.

By the way, this trick provides an EXCELLENT reason to consider re-flashing your home router with Tomato firmware, which has ssh and netcat built-in.

Host homepc1 homepc2
    ProxyCommand ssh root@router "nc %h %p" 2>/dev/null