0

Essentially, I need to access a computer, say machine A, which is only accessible via the internal network of my company. I used to be able to set up tcprelay port forwarding to accomplish this but that pipeline has been disabled due to some potential security flaws.

Let’s say my company general network is at company@10.0.0.1 and the specific machine I want to work with is at machine@10.0.0.3.

Both accounts have password ‘password’

Via terminal and shell commands, I can just hop there using one single command: https://askubuntu.com/a/311457

or, in steps, it would be:

[on my account] ssh company@10.0.0.1
[on my account] enter password
[on company network] ssh machine@10.0.0.3
[on company network] enter password again

And I’d be logged into the machine I need to communicate with.

However, after hacking away all afternoon I could not get this working with Paramiko. I tried setting up the connection then issuing a client.exec_command() but just cannot get a handle for the specific machine. The rest of my scripts rely on having a paramiko client that can receive commands and return responses, so it would be a very heavy overhead for me to go propagate all changes were I to switch to, say, fabric or subprocess.

The closest I got to was:

import paramiko

ssh = paramiko.SSHClient()
ssh.load_system_host_keys()
ssh.connect('10.0.0.1', username='company', password='password')
chan = ssh.get_transport().open_session()
chan.get_pty()
chan.exec_command('ssh machine@10.0.0.3')
print(chan.recv(1024))

which returned the ‘enter password’ prompt, but running chan.send('password') just ends with a hang.

I’m pulling my hair out at this point and am just reading through the documentation hoping to find what concept I’m missing.

If anyone can give some advice I’d really appreciate it.

Thanks!

Community
  • Possible duplicate: http://stackoverflow.com/questions/1911690/nested-ssh-session-with-paramiko – sberry Apr 26 '16 at 04:43

2 Answers

0

An alternative way is to avoid entering a password when logging in to another machine. This can be done by using ssh-keygen.

  1. Log in to the first machine (A) as user 'first': $ ssh-keygen -t rsa --> Don't enter any passphrase when requested --> Note down the line "Your public key has been saved in /home/first/.ssh/" --> This file is the public key of machine 'A'

  2. Now log in to the second machine (B) using ssh. Then check for the ~/.ssh folder. If there is no folder, create one. Create a file with the name 'authorized_keys' under ~/.ssh/authorized_keys

  3. Copy the content of file from 'first' user to the file 'authorized_keys'. is a file with 'id_rsa.pub' from 'first' user login (under /home/first/.ssh/id_rsa.pub)

  4. Now you can log in to the second machine from the first without entering a password through your script.

0

I worked on a project where it had to log in using username/password over SSH then do the same thing again to another host. I had no control over network ACLs and SSH keys were not allowed for some reason. You'll need to add paramiko_expect. Here's how I got it to work:

import paramiko
from paramiko_expect import SSHClientInteraction

user1 = 'admin'
pass1 = 'admin'
user2 = 'root'
pass2 = 'root'

# not needed for this example, but included for reference
user_prompt = r'.*\$ '

# will match root user prompt (root shells conventionally end the prompt with '# ')
root_prompt = r'.*# '

# will match Password: or password:
pass_prompt = '.*assword: '

# SSH to host1
ssh_client = paramiko.SSHClient()
# AutoAddPolicy accepts any host key it has not seen before without verifying it
ssh_client.set_missing_host_key_policy(
    paramiko.AutoAddPolicy())
ssh_client.connect(hostname='host1', username=user1, password=pass1)

# Interact with SSH client
with SSHClientInteraction(ssh_client, display=True) as interact:
    # Send the command to SSH as root to the final host
    interact.send('ssh {}@host2'.format(user2))
    # Expect the password prompt
    interact.expect(pass_prompt)
    # Send the root password
    interact.send(pass2)
    # Expect the root prompt
    interact.expect(root_prompt)

ssh_client.close()

One caveat: if host1 has never connected to host2 using SSH it'll get a warning about host key checking and time out. You can change the configuration on host1 or just SSH to host1 then from host1 SSH to host2 and type yes and press enter.

mkerins
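Added example, not part of either answer above: a way to get a normal Paramiko client for the inner machine by tunnelling the second SSH connection through the first with a `direct-tcpip` channel, instead of typing a password into a remote pty. The helper name `ssh_via_jump`, the dict layout and the `client_factory` parameter are assumptions made for this sketch; it also assumes the jump host's sshd permits TCP forwarding and that both host keys are already in the local known_hosts file.

```python
from contextlib import contextmanager


def _default_factory():
    # Lazy import: lets the helper be exercised with stub clients.
    import paramiko
    return paramiko.SSHClient()


@contextmanager
def ssh_via_jump(jump, target, client_factory=_default_factory):
    """Yield a client logged in to `target`, tunnelled through `jump`.

    Both arguments are dicts: hostname, username, password, optional port.
    """
    gateway, inner = client_factory(), client_factory()
    try:
        # Paramiko's default policy rejects unknown host keys, so both hosts
        # must already be in the local known_hosts file.
        gateway.load_system_host_keys()
        gateway.connect(jump["hostname"], port=jump.get("port", 22),
                        username=jump["username"], password=jump["password"])

        # Ask the jump host's sshd to open a TCP connection to the target.
        # No shell runs there and no password is typed into a remote pty.
        dest = (target["hostname"], target.get("port", 22))
        tunnel = gateway.get_transport().open_channel(
            "direct-tcpip", dest, ("127.0.0.1", 0))

        # Second SSH session runs end to end over the tunnel; the jump host
        # only relays ciphertext and never sees the target's password.
        inner.load_system_host_keys()
        inner.connect(dest[0], port=dest[1], username=target["username"],
                      password=target["password"], sock=tunnel)
        yield inner
    finally:
        inner.close()
        gateway.close()


if __name__ == "__main__":
    from getpass import getpass
    jump = {"hostname": "10.0.0.1", "username": "company",
            "password": getpass("company password: ")}
    target = {"hostname": "10.0.0.3", "username": "machine",
              "password": getpass("machine password: ")}
    with ssh_via_jump(jump, target) as client:
        _, stdout, _ = client.exec_command("hostname")
        print(stdout.read().decode())
```

The yielded object is an ordinary `paramiko.SSHClient`, so existing code that calls `exec_command()` on a client keeps working unchanged.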