SSH ProxyCommand on SSH server side


Using the SSH ProxyCommand directive in the client ~/.ssh/config file, it is possible to connect to an SSH server through a different SSH server acting as a jump host.

Is there a similar configuration for the SSH server side? E.g., when the user logs on to a jump machine with a certain authorized key, I want this SSH connection to be automatically forwarded to another machine also running sshd.

Best Answer

You can specify a command that is executed whenever someone logs in using an SSH key.

Edit the file ~/.ssh/authorized_keys. Prepend every key you want to forward with a command="ssh user@target".

This has to be done for every user. Since this is done using a user configuration file, every user may change this. If you trust your users (or you are the only user), then this is OK. You can also prevent users from changing this by not giving them any other means to access the shell on this machine.

For more information read the sshd man page. Search for the AUTHORIZED_KEYS FILE FORMAT section, and then for command="command".

Alternatively, you can force a command using ForceCommand in /etc/ssh/sshd_config. This option is more secure as it is enforced by sshd, and only users with root privileges can change that.

For more information read the sshd_config man page. Search for ForceCommand.
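
An added example (not part of the original answer): a small Python check that parses authorized_keys lines and reports which keys carry no command="..." option and would therefore still get a normal shell on the jump host. The sample file, key placeholders and function names are constructed for illustration.

```python
import re

KEY_TYPE = re.compile(r"^(ssh-|ecdsa-sha2-|sk-)")  # a line starting like this has no options

def split_unquoted(text, seps, limit=None):
    """Split text on any char in seps that lies outside double quotes."""
    parts, buf, quoted, i = [], [], False, 0
    while i < len(text):
        ch = text[i]
        if quoted and ch == "\\" and i + 1 < len(text):
            buf.append(text[i:i + 2])  # keep an escaped char such as \" intact
            i += 2
            continue
        if ch == '"':
            quoted = not quoted
        if ch in seps and not quoted and (limit is None or len(parts) < limit):
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    return parts + ["".join(buf)]

def forced_command(line):
    """Return the command="..." value of one authorized_keys line, or None."""
    line = line.strip()
    if KEY_TYPE.match(line):
        return None
    options = split_unquoted(line, " \t", limit=1)[0]
    for opt in split_unquoted(options, ","):
        name, _, value = opt.partition("=")
        if name.lower() == "command":  # option keywords are case-insensitive
            if value[:1] == '"' and value[-1:] == '"':
                value = value[1:-1]
            return value.replace('\\"', '"')
    return None

def unforced_keys(text):
    """Line numbers of key entries that would get a normal shell."""
    return [n for n, line in enumerate(text.splitlines(), 1)
            if line.strip() and not line.lstrip().startswith("#")
            and forced_command(line) is None]

# Constructed sample file; key material replaced by placeholders.
SAMPLE = '''\
# keys for the jump account
command="ssh user@target",no-port-forwarding ssh-ed25519 AAAA_PLACEHOLDER alice@laptop
ssh-ed25519 AAAA_PLACEHOLDER bob@laptop
no-X11-forwarding,command="ssh user@target \\"uptime\\"" ssh-rsa AAAA_PLACEHOLDER carol@laptop
'''
```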
