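#!/bin/bash
set -euo pipefail
################################################################################
# Set up a simple two-hop SSH tunnel: YOU -> JUMP_HOST -> EXIT_HOST -> INTERNET
#
# USAGE: KEY_PASSPHRASE=foobar ./setup_ssh_tunnel.sh
#
# KEY_PASSPHRASE is read from the environment. When it is not set at all,
# ssh-keygen prompts for the passphrase on the terminal instead of silently
# writing an unencrypted private key. A passphrase supplied via the environment
# is still handed to ssh-keygen on its command line, so it is briefly visible
# to other local users through `ps`; an interactive prompt avoids that.
#
# The host, user and port settings below may be overridden from the environment
# (e.g. JUMP_HOST_IP=... ./setup_ssh_tunnel.sh); the defaults are the values
# that used to be hard-coded.
#
# The script is interactive: each ssh step expects you to log in and exit.
################################################################################
SOCKS_PORT=${SOCKS_PORT:-127.0.0.1:1984}
TUNNEL_NAME=${TUNNEL_NAME:-hophop}
KEY_FILE=~/.ssh/${TUNNEL_NAME}_id_rsa
JUMP_HOST_IP=${JUMP_HOST_IP:-10.1.1.1}
JUMP_HOST_USER=${JUMP_HOST_USER:-root}
EXIT_HOST_IP=${EXIT_HOST_IP:-10.2.2.2}
EXIT_HOST_USER=${EXIT_HOST_USER:-root}
readonly SSH_DIR=~/.ssh

# ssh ignores a config file, and refuses keys, that live in a directory other
# users can write to; create it with restrictive permissions up front.
mkdir -p -- "$SSH_DIR"
chmod 700 -- "$SSH_DIR"

# Generate a key pair.
# -N is only passed when KEY_PASSPHRASE is set (even if set to an empty string,
# which keeps the previous "no passphrase" behaviour for callers that chose it
# explicitly); otherwise ssh-keygen prompts on the terminal.
keygen_args=(-t rsa -f "$KEY_FILE" -C "")
if [[ -n "${KEY_PASSPHRASE+set}" ]]; then
  keygen_args+=(-N "$KEY_PASSPHRASE")
fi
ssh-keygen "${keygen_args[@]}"

# Connect to the jump host using password authentication. This is useful if there is a forced password change on first
# login (e.g. with DigitalOcean's Droplets) and when your local ssh-agent has >5 keys in it (i.e. login will fail).
ssh -o PreferredAuthentications=password -o PubkeyAuthentication=no "$JUMP_HOST_USER@$JUMP_HOST_IP"

# Copy the public key to the jump host.
ssh-copy-id -i "$KEY_FILE" "$JUMP_HOST_USER@$JUMP_HOST_IP"

# Add the two-hop SSH tunnel configuration into .ssh/config for easy use.
# Skip the append when a "Host <name>" stanza is already present so re-running
# the script does not accumulate duplicate entries (-F/-x: literal, whole-line
# match; -s: a missing config file is not an error).
if ! grep -qsFx -- "Host $TUNNEL_NAME" "$SSH_DIR/config"; then
  cat >> "$SSH_DIR/config" << __EOF__
Host $TUNNEL_NAME
DynamicForward $SOCKS_PORT
Hostname $EXIT_HOST_IP
IdentitiesOnly yes
IdentityFile $KEY_FILE
ProxyJump $JUMP_HOST_USER@$JUMP_HOST_IP
User $EXIT_HOST_USER
__EOF__
fi
chmod 600 -- "$SSH_DIR/config"

# Connect to the exit host via the jump host. Useful for the same reasons as before. Password authentication isn't
# needed this time, as any ssh-agent running on a clean jump host should be unused.
ssh "$TUNNEL_NAME"

# Copy the public key to the exit host via the jump host. The public key is fed
# on stdin; the remote side creates ~/.ssh with mode 700 (and authorized_keys
# with mode 600 via umask) if it does not exist yet, since sshd rejects keys in
# a directory that is missing or too permissive.
ssh "$TUNNEL_NAME" 'umask 077; mkdir -p ~/.ssh; cat >> ~/.ssh/authorized_keys' < "$KEY_FILE.pub"

# Finally, confirm the two-hop SSH tunnel with public-key authentication works.
ssh "$TUNNEL_NAME" 'echo $SSH_CONNECTION'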