
Multihop shared SSH tunnel


I would like to create a multihop SSH tunnel that allows multiple SSH sessions for users but only uses one SSH session on the Second Hop.

Scenario:

User 1 --\
         |
User 2   ---> First Hop ---> Second Hop ---> Svr
         |
User 3 --/

First Hop is a shared user that everyone uses (call it user1). Second Hop is also a shared user (call it user2). Svr uses the arguments provided.

The way I have it set up currently is:

  1. An end user will do "ssh user1@FirstHop"
  2. user1's login shell on First Hop is an expect script
  3. expect script does "ssh user2@SecondHop" and gets the login prompt from Svr
  4. expect script sends Svr user/Svr pass and logs in to Svr
  5. end user is logged in to Svr

My problem is that the Second Hop server has a 10 SSH session limit per user, and since it's a shared user and there are way more than 10 users trying to log in to Svr, I often get "Too many logins for user".

I have root access to the First Hop, but not the Second Hop.

Is there a way to provide the same functionality but only using ONE ssh session on the Second Hop?

I tried the regular ssh -L :localhost: tunneling method, but I don't think that will work. It sounds like a SOCKS proxy is the way to go, but I cannot get it to work.


Solution

  • It could be done with one LocalForward from FirstHop to SecondHop.
    This should only be started once in a tmux/screen/nohup session.

    FirstHop$ ssh userSecondHop@secondHop -L 2022:<EndServer>:22
    

    A user can connect to the EndServer by

    ssh EndUser@localhost -p 2022 -J defaultUser@firsthop
    

    Btw, if you can't switch to private/public keys, I would recommend using the SSH variables instead of expect scripts:

    SSH_ASKPASS=myScript.sh
    SSH_ASKPASS_REQUIRE=prefer
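The answer above leaves the operational details to the reader: how to keep the single FirstHop-to-SecondHop session alive, how to make sure a second copy of it does not eat into SecondHop's per-user limit, and what the end users put in their ssh config. The script below is an added example, not code from the answer or the original poster. All host names, user names, the local port, the lock directory and the askpass helper path are placeholders. It runs on FirstHop as the shared user1 account (`sh tunnel.sh run`), and `sh tunnel.sh config` prints the client-side stanza.

```shell
#!/bin/sh
# Added example: one shared forward from FirstHop to SecondHop, kept alive in a
# loop, plus the matching client config. Names below are assumptions.

FIRST_HOP_USER="${FIRST_HOP_USER:-user1}"
FIRST_HOP="${FIRST_HOP:-firsthop.example}"
SECOND_HOP_USER="${SECOND_HOP_USER:-user2}"
SECOND_HOP="${SECOND_HOP:-secondhop.example}"
END_SERVER="${END_SERVER:-svr.example}"
LOCAL_PORT="${LOCAL_PORT:-2022}"
# Assumed helper that prints SecondHop's password (only if keys are not an option).
ASKPASS_HELPER="${ASKPASS_HELPER:-/usr/local/libexec/secondhop-askpass}"
# Assumed lock directory: mkdir is atomic, so it doubles as a "one copy only" guard.
LOCK_DIR="${LOCK_DIR:-/tmp/secondhop-tunnel.lock}"

# Options for the single session on SecondHop. Printed rather than executed so
# they can be inspected (and tested) without connecting anywhere.
tunnel_opts() {
    printf '%s\n' \
        "-N" \
        "-L 127.0.0.1:${LOCAL_PORT}:${END_SERVER}:22" \
        "-o ExitOnForwardFailure=yes" \
        "-o ServerAliveInterval=30" \
        "-o ServerAliveCountMax=3"
    # -N: no remote shell, the session exists only to carry the forward.
    # 127.0.0.1 bind: only processes on FirstHop can reach the forward.
    # ExitOnForwardFailure: if port 2022 is already taken, fail instead of
    #   silently holding a SecondHop login that forwards nothing.
    # ServerAlive*: notice a dead link within ~90 s so the loop reconnects.
}

run_tunnel() {
    # Intentionally unquoted: every option printed above is free of whitespace
    # except the separator between flag and value.
    if [ -x "$ASKPASS_HELPER" ]; then
        # Password path without expect: ssh runs the helper and reads the
        # password from its stdout. "force" (OpenSSH 8.4+) uses the helper even
        # when a tty is attached, so the loop never blocks on a prompt.
        SSH_ASKPASS="$ASKPASS_HELPER" SSH_ASKPASS_REQUIRE=force \
            ssh $(tunnel_opts) "${SECOND_HOP_USER}@${SECOND_HOP}"
    else
        # Key-based path: BatchMode turns any unexpected prompt into a failure.
        ssh -o BatchMode=yes $(tunnel_opts) "${SECOND_HOP_USER}@${SECOND_HOP}"
    fi
}

keep_tunnel() {
    if ! mkdir "$LOCK_DIR" 2>/dev/null; then
        echo "tunnel already running (lock: $LOCK_DIR)" >&2
        return 1
    fi
    trap 'rmdir "$LOCK_DIR"' EXIT INT TERM
    while :; do
        run_tunnel
        sleep 5   # back off before reconnecting
    done
}

# Stanza for each user's ~/.ssh/config. The user's ssh client ends up talking
# directly to Svr through FirstHop and SecondHop, so both hops see only
# ciphertext, unlike the expect approach where FirstHop typed the password.
client_config() {
    cat <<EOF
Host svr-via-hops
    HostName 127.0.0.1
    Port ${LOCAL_PORT}
    User EndUser
    ProxyJump ${FIRST_HOP_USER}@${FIRST_HOP}
    # 127.0.0.1:${LOCAL_PORT} means different things on different jump hosts;
    # pin Svr's host key under a stable name instead.
    HostKeyAlias ${END_SERVER}
EOF
}

case "${1:-}" in
    run)    keep_tunnel ;;
    config) client_config ;;
esac
```

Run it once on FirstHop under tmux/screen/nohup as the shared user1 account (`sh tunnel.sh run`); a second copy refuses to start because the lock directory already exists. Users connect with `ssh svr-via-hops` after adding the printed stanza. If the askpass path is used, the helper should be a one-line `cat` of a file readable only by user1; that account already held the SecondHop password in the expect script, so no new secret is exposed on FirstHop.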