I'm looking to SSH to a jump box and then initiate an SSH from within a VRF on that box, but use an ssh_config file to do so.
remoteclient => jumphost => device1 within VRF connected to jumphost
Essentially an ssh_config variant of this:
ssh -t jumphost 'sudo ip vrf exec vrf-1 ssh user@device1'
On the jump box I can happily ssh within the VRF as so:
jumphost ~]$ sudo ip vrf exec vrf-1 ssh user@device1
(user@device1) Password:
And from a shell I can achieve this remotely using ssh's pseudo-terminal allocation (-t):
remoteclient ~]$ ssh -t jumphost 'sudo ip vrf exec vrf-1 ssh user@device1'
(user@device1) Password:
But for NAPALM (Python) to connect to these devices through the jump box, I'll need to convert this to an ssh_config file. Using ProxyJump, the connection is never initiated within the VRF on the jump box, but with ProxyCommand I can see with netstat (and by monitoring connections on device1) that it is. However, I never receive the login prompt to pass the password (yes, unfortunately it's not yet using keys) and thus I can't connect.
The following ssh_config file allows me to reach the device within the VRF, but regardless of RequestTTY being set to force or -t being adjusted to -tt or -T, I still don't receive a login prompt:
Host jumphost
    Hostname x.x.x.x
    User jumpuser
Host * !jumphost
    ProxyCommand ssh -F ~/.ssh/tempssh.config -t jumphost 'sudo ip vrf exec vrf-1 ssh ' %h
SSH debug just shows either one or two messages (depending on -t, -tt or -T being set) stating the terminal will not be allocated and then the connection is closed:
Pseudo-terminal will not be allocated because stdin is not a terminal.
Pseudo-terminal will not be allocated because stdin is not a terminal.
Connection closed by device1 port 22
kex_exchange_identification: Connection closed by remote host
Connection closed by UNKNOWN port 65535
I have tried using the standard syntax of ProxyCommand -F ~/.ssh/tempssh.config -W %h:%p jumphost and then specifying a RemoteCommand under the jumphost's config to initiate the connection in the VRF, but from what I can see RemoteCommand does not run prior to the ssh connection being proxied and therefore I end up with the jumphost attempting to reach device1 outside of the given VRF.
I can't see anything similar for this on NAPALM or Netmiko's GitHub, nor can I see anything on Stack Overflow or Stack Exchange etc. Can anyone help?
We could do that with ssh -q to suppress the output messages and nc to pipe the connection through the VRF.
Update your ssh_config file like this:
Host jumphost
    Hostname x.x.x.x
    User jumpuser
Host * !jumphost
    ProxyCommand ssh -q -F ~/.ssh/tempssh.config jumphost 'sudo ip vrf exec vrf-1 nc %h %p'
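An added example, not part of either post above: because %h is pasted into a command that runs under sudo on the jump host, this sketch renders the answer's ssh_config from Python with one scoped Host block per VRF instead of `Host * !jumphost`, and checks the host value before expansion. The function names, the allowlist patterns and the sample inventory are assumptions.

```python
import re
import shlex

# %h ends up inside a shell command run under sudo on the jump host, so accept
# only plain names/addresses (no leading "-", no shell metacharacters).
HOST_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._:-]{0,252}")
# Assumed VRF naming rule: short interface-style names only.
VRF_RE = re.compile(r"[A-Za-z0-9_-]{1,15}")


def proxy_command(vrf, config_path="~/.ssh/tempssh.config", jump="jumphost"):
    """Build the answer's ProxyCommand for one VRF, validating the VRF name."""
    if not VRF_RE.fullmatch(vrf):
        raise ValueError(f"unsafe VRF name: {vrf!r}")
    remote = f"sudo ip vrf exec {vrf} nc %h %p"
    return f"ssh -q -F {config_path} {jump} {shlex.quote(remote)}"


def render_config(jump_addr, jump_user, vrf_hosts):
    """vrf_hosts maps each VRF name to the Host patterns reached through it."""
    lines = ["Host jumphost", f"    Hostname {jump_addr}", f"    User {jump_user}"]
    for vrf, patterns in vrf_hosts.items():
        lines.append(f"Host {' '.join(patterns)}")
        lines.append(f"    ProxyCommand {proxy_command(vrf)}")
    return "\n".join(lines) + "\n"


def expand(template, host, port=22):
    """Substitute %h and %p (the two tokens used here) after checking host."""
    if not HOST_RE.fullmatch(host):
        raise ValueError(f"refusing unsafe host value: {host!r}")
    return template.replace("%h", host).replace("%p", str(int(port)))


# Constructed sample inventory; device names and patterns are placeholders.
SAMPLE = {"vrf-1": ["device1", "10.1.*"], "vrf-2": ["device2"]}

if __name__ == "__main__":
    print(render_config("x.x.x.x", "jumpuser", SAMPLE))
    print(expand(proxy_command("vrf-1"), "device1"))
```

The rendered text can be written to a file and passed to Netmiko through ConnectHandler's ssh_config_file argument.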