Copy SSH public key to system behind a jump box

JaredBusch

When I directly connect via SSH during initial setup, I just use ssh-copy-id to get my public key in place.

But how can I do that if my only SSH access to the system is behind a jump box?

I can SSH in easily with ssh -J jump.domain.com 10.X.X.X with password auth. But I don't want to leave password auth enabled.

I can SSH in once with password and manually create the authorized_keys files (and the .ssh folder for that matter), but then I need to worry about permissions, etc.

black3dynamite

Ok, I think I got it working now.

# From your host to your JUMPBOX
# Not needed if your public key is already in placed
cat ~/.ssh/id_ed25519.pub | ssh jump.domain.com 'umask 0077; mkdir -p .ssh; cat >> .ssh/authorized_keys'

# From your host to the host behind your JUMPBOX
cat ~/.ssh/id_ed25519.pub | ssh -J jump.domain.com 10.X.X.X 'umask 0077; mkdir -p .ssh; cat >> .ssh/authorized_keys'

# Connect to your host behind your JUMPBOX
ssh -J jump.domain.com 10.X.X.X

black3dynamite

@JaredBusch said in Copy SSH public key to ssem behind a jump box:

I can SSH in once with password and manually create the authorized_keys files (and the .ssh folder for that matter), but then I need to worry about permissions, etc.

Will something like this work?

cat ~/.ssh/id_key.pub | ssh -J jump.domain.com 10.X.X.X -o IdentitiesOnly=yes 'umask 0077; mkdir -p .ssh; cat >> ".ssh/authorized_keys && echo "Key copied"'

JaredBusch

@black3dynamite said in Copy SSH public key to ssem behind a jump box:

@JaredBusch said in Copy SSH public key to ssem behind a jump box:

I can SSH in once with password and manually create the authorized_keys files (and the .ssh folder for that matter), but then I need to worry about permissions, etc.

Will something like this work?

cat ~/.ssh/id_key.pub | ssh -J jump.domain.com 10.X.X.X -o IdentitiesOnly=yes 'umask 0077; mkdir -p .ssh; cat >> ".ssh/authorized_keys && echo "Key copied"'

Does that give it the right selinux type also? I’m not at a computer now to test.

black3dynamite

@JaredBusch said in Copy SSH public key to ssem behind a jump box:

@black3dynamite said in Copy SSH public key to ssem behind a jump box:

@JaredBusch said in Copy SSH public key to ssem behind a jump box:

I can SSH in once with password and manually create the authorized_keys files (and the .ssh folder for that matter), but then I need to worry about permissions, etc.

Will something like this work?

cat ~/.ssh/id_key.pub | ssh -J jump.domain.com 10.X.X.X -o IdentitiesOnly=yes 'umask 0077; mkdir -p .ssh; cat >> ".ssh/authorized_keys && echo "Key copied"'

Does that give it the right selinux type also? I’m not at a computer now to test.

The correct selinux type should be unconfined_u:object_r:ssh_home_t:s0

black3dynamite

Ok, I think I got it working now.

# From your host to your JUMPBOX
# Not needed if your public key is already in placed
cat ~/.ssh/id_ed25519.pub | ssh jump.domain.com 'umask 0077; mkdir -p .ssh; cat >> .ssh/authorized_keys'

# From your host to the host behind your JUMPBOX
cat ~/.ssh/id_ed25519.pub | ssh -J jump.domain.com 10.X.X.X 'umask 0077; mkdir -p .ssh; cat >> .ssh/authorized_keys'

# Connect to your host behind your JUMPBOX
ssh -J jump.domain.com 10.X.X.X

JaredBusch

@black3dynamite said in Copy SSH public key to ssem behind a jump box:

# From your host to your JUMPBOX
# Not needed if your public key is already in placed
cat ~/.ssh/id_ed25519.pub | ssh jump.domain.com 'umask 0077; mkdir -p .ssh; cat >> .ssh/authorized_keys'

ssh-copy-id should do this