I would like to create a multihop SSH tunnel that allows multiple SSH sessions for users but only uses one SSH session on the Second Hop.
Scenario:
User 1 --\
         |
User 2 ---> First Hop ---> Second Hop ---> Svr
         |
User 3 --/
First Hop is a shared user that everyone uses (call it user1).
Second Hop is also a shared user (call it user2).
Svr uses the arguments provided.
The way I have it set up currently is:
My problem is that the Second Hop server has a 10 SSH session limit per user, and since it's a shared user and there are way more than 10 users trying to log in to Svr, I often get "Too many logins for user".
I have root access to the First Hop, but not the Second Hop.
Is there a way to provide the same functionality but only using ONE ssh session on the Second Hop?
I tried the regular ssh -L :localhost: tunneling method, but I don't think that will work. It sounds like a SOCKS proxy is the way to go, but I cannot get it to work.
It could be done with one LocalForward from FirstHop to SecondHop.
This should only be started once in a tmux/screen/nohup session.
FirstHop$ ssh userSecondHop@secondHop -L 2022:<EndServer>:22
A user can connect to the EndServer by
ssh EndUser@localhost -p 2022 -J defaultUser@firsthop
Btw, if you can't switch to private/public keys, I would recommend using the SSH variables instead of expect scripts.
SSH_ASKPASS=myScript.sh
SSH_ASKPASS_REQUIRE=prefer
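
Added example, not part of the original answer: one way to guarantee the forward on First Hop is started only once, using ssh's own control socket instead of a tmux/screen/nohup session. `END_SERVER` stands in for `<EndServer>`, and the control socket path and function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original answer. Keeps exactly one forwarding
# session from First Hop to Second Hop, tracked through an ssh control socket.
SECOND_HOP="${SECOND_HOP:-userSecondHop@secondHop}"  # login used in the answer
END_SERVER="${END_SERVER:-endserver.example}"        # placeholder for <EndServer>
LPORT="${LPORT:-2022}"                               # local port used in the answer
CTL="${CTL:-$HOME/.ssh/ctl-secondhop-tunnel}"        # assumed control socket path

tunnel_running() {
    # Ask the master process behind the control socket whether it is still alive.
    ssh -S "$CTL" -O check "$SECOND_HOP" >/dev/null 2>&1
}

start_tunnel() {
    # -f -N: background, no remote command. -M -S: become master on $CTL.
    # ExitOnForwardFailure: exit rather than hold a Second Hop session
    # when port $LPORT cannot be bound (for example, a stale duplicate).
    # ServerAlive*: drop a dead connection so it can be restarted.
    # 127.0.0.1: keep the forwarded port off First Hop's external interfaces.
    ssh -fN -M -S "$CTL" \
        -o ExitOnForwardFailure=yes \
        -o ServerAliveInterval=30 -o ServerAliveCountMax=3 \
        -L "127.0.0.1:${LPORT}:${END_SERVER}:22" \
        "$SECOND_HOP"
}

ensure_tunnel() {
    # Idempotent: safe to call from cron or a login hook.
    if tunnel_running; then
        echo "already-running"
        return 0
    fi
    start_tunnel && echo "started"
}

stop_tunnel() {
    # Tell the master to close the connection and remove the socket.
    ssh -S "$CTL" -O exit "$SECOND_HOP" >/dev/null 2>&1
}

case "${1:-}" in
    start)  ensure_tunnel ;;
    stop)   stop_tunnel ;;
    status) if tunnel_running; then echo up; else echo down; fi ;;
esac
```

Saved on First Hop under a name of your choice and run with `start`, it leaves a single Second Hop session open no matter how often it is called; users connect through port 2022 exactly as shown in the answer.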