yokawasa / kubectl-plugin-ssh-jump

A kubectl plugin to access nodes or remote services using a SSH jump Pod
Apache License 2.0

identity-file not applied to forwarded connection #1

Closed pniederlag closed 5 years ago

pniederlag commented 5 years ago

First of all, thx for publishing this plugin.

I am having trouble getting the connection to work. While debugging I found that this is the "final" ssh connection string that is used:

ssh -i /home/pn/.ssh/id_MYKEY -J root@127.0.0.1:2222 MYUSER@MYNODE

ssh extracts an ssh jump-host command from the '-J' option that results in:

debug1: Setting implicit ProxyCommand from ProxyJump: ssh -l root -p 2222 -v -W '[%h]:%p' 127.0.0.1

In this command the "-i /home/pn/.ssh/id_MYKEY" thingy gets lost. :-<

ssh then seems to attempt a bunch of my ssh keys that are lying around but doesn't pick up the correct (but NON-standard named) key.

I could fix this by applying a general ssh-config like so:

Host 127.0.0.1
    Port 2222
    IdentityFile ~/.ssh/id_MYKEY

While I can get ssh-jump working this way it's not really nice as I don't want to tie 127.0.0.1 to this port/key in general.

Do you have an idea how this could be handled inside ssh-jump?

Thx for your time and feedback, greets, Peter

yokawasa commented 5 years ago

@pniederlag Thank you for opening this issue. I'll take a look at this. Can you please share the following info?

pniederlag commented 5 years ago

cat ~/.kube/kubectlssh/options

sshuser=devops
identity=/home/pn/.ssh/id_MYKEY
pubkey=/home/pn/.ssh/id_MYKEY.pub

portnumber is 22

# from man ssh for '-J':
Note that configuration directives supplied on the command-line generally
apply to the destination host and not any specified jump hosts.
Use ~/.ssh/config to specify configuration for jump hosts.

That's exactly my problem, the -i affects the destination host, but not the jumpHost :-<

Thx for looking into this
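The man page passage quoted above points to ssh_config for jump-host settings, while the workaround from the first comment ties 127.0.0.1 to one port and key for every connection. As an added example (not part of this thread or of the plugin's code), the helper below writes a throwaway config that is passed with `-F`, so the key applies to the jump hop for that one invocation only; the alias `k8s-jump`, the function name and the sample paths are assumptions.

```shell
#!/usr/bin/env bash
# Added example: hypothetical helper, not taken from kubectl-ssh-jump.

# write_jump_config CONFIG IDENTITY [JUMP_PORT]
# Writes a per-invocation ssh config. Only the alias "k8s-jump" (assumed name)
# maps to the port-forwarded jump Pod, so 127.0.0.1 is not bound to this
# port/key in ~/.ssh/config.
write_jump_config() {
  local cfg=$1 identity=$2 jump_port=${3:-2222}
  # Create the file owner-only before writing to it.
  ( umask 077; : > "$cfg" ) || return 1
  cat > "$cfg" <<EOF
# Jump hop. Options placed here reach the jump host, which a
# command-line -i does not when -J is used.
Host k8s-jump
    HostName 127.0.0.1
    Port ${jump_port}
    User root
    IdentityFile "${identity}"
    # Offer only this key instead of every key found in the agent or ~/.ssh.
    IdentitiesOnly yes

# Every other host goes through the jump hop. The inner ssh is given the
# same config explicitly, so it resolves "k8s-jump" to the block above.
Host * !k8s-jump
    ProxyCommand ssh -F "${cfg}" -W %h:%p k8s-jump
    IdentityFile "${identity}"
    IdentitiesOnly yes
EOF
}

# Usage (constructed values):
#   cfg=$(mktemp)
#   write_jump_config "$cfg" "$HOME/.ssh/id_MYKEY" 2222
#   ssh -F "$cfg" -p 22 MYUSER@MYNODE
#   rm -f "$cfg"
```

Because `-F` replaces the per-user config for that invocation, nothing in `~/.ssh/config` is read or modified.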

yokawasa commented 5 years ago

@pniederlag Could you please try the following script?

In the script, I changed the way to log on to a target node via ssh-jump like this:

 # ssh -i ${identity} -J root@127.0.0.1:2222 ${sshuser}@${destnode} 
 ssh -i ${identity} -p ${port} ${sshuser}@${destnode} -o "ProxyCommand ssh root@127.0.0.1 -p 2222 -i ${identity} \"nc %h %p\""

I'd like to know if it will work for you. Please try it like this and let me know how it works.

curl -s https://gist.githubusercontent.com/yokawasa/ead6650601f40a85ee2870cd1e48b7b6/raw/a5a517dbf5aa511a8ae963ddd273868bc95c7329/kubectl-ssh-jump -o kubectl-ssh-jump
chmod +x ./kubectl-ssh-jump
./kubectl-ssh-jump <nodename>

yokawasa commented 5 years ago

@pniederlag Please kindly let me know if the script will work for you.

yokawasa commented 5 years ago

kubectl-plugin-ssh-jump-0.2.0 has been released. Here is the CHANGELOG.

I believe the issue can be resolved with the new plugin.

Please upgrade the plugin:

 kubectl krew upgrade ssh-jump

pniederlag commented 5 years ago

I can confirm 0.2.0 fixes the problem. Big Thx for your efforts and your great support! :->

Best greets, Peter