To make an automatic connection to a remote server using an SSH key pair (the author calls it a certificate) protected by a non-empty passphrase, first generate the key pair on your local machine:
ssh-keygen -t rsa
This produces the private key ~/.ssh/id_rsa and the public key ~/.ssh/id_rsa.pub. If you append the content of the .pub file (cat it; see man cat) to either /root/.ssh/authorized_keys or ~/.ssh/authorized_keys on a remote machine, you will get access to that machine by invoking:
ssh user@remoteMachine
and when SSH asks:
Enter passphrase for key '~/.ssh/id_rsa':
fill it with the passphrase chosen during the key generation.
To avoid typing the passphrase by hand each time, you can use the connect.sh script below, which works together with expect (man expect).
To call the script in a simple manner, you can add either in your ~/.bashrc or in your ~/.alias file the alias:
alias remoteMachine="~/connect.sh -t remoteMachine"
so when you invoke “remoteMachine” in a terminal, it will automatically log you into the remote machine.
As said before, the main script uses a complementary file (named .add-rsa by default) which uses “expect” (“Exploring Expect: A Tcl-Based Toolkit for Automating Interactive Programs” by Don Libes, 602 pp., ISBN 1-56592-090-2, O'Reilly and Associates, 1995) to fill in the passphrase. Since this file holds the passphrase in clear text, make it readable and executable by your own user only (chmod 700) and keep it out of shared or version-controlled directories.
#! /usr/bin/expect
# Add my rsa passphrase to ssh-agent
spawn ssh-add
# ssh-add prompts with "Enter passphrase for /home/<user>/.ssh/id_rsa:"
expect "id_rsa:"
# replace the placeholder below with your real passphrase
send "Here is your passphrase\n"
expect eof
exit
Below is the connect.sh file, which makes an automatic connection to a remote server.
#! /bin/bash
#
# To use this script, you need an ssh key pair:
# 1) ssh-keygen -t rsa            // this will produce a ~/.ssh/id_rsa.pub file
# 2) cat this ~/.ssh/id_rsa.pub into the ~/.ssh/authorized_keys of your targeted machine
# 3) use this script as connect.sh -t myTargetedMachine [ -u aUserName -r anExpectFile ]
#
# The expectFile contains the passphrase that you entered in point 1) above.
# It defaults to ~/.add-rsa and must be executable.

target=""
username=${USER:-$(id -un)}      # $USERNAME is not set on most Linux systems
expectBin="/usr/bin/expect"
expectFile="$HOME/.add-rsa"

function usage(){
    echo "Usage:"
    echo "$0 -t targetHostname [-u username -r expectFile]"
    exit 1
}

while getopts ":r:t:u:" optname
do
    case "$optname" in
        "t") target=$OPTARG ;;
        "u") username=$OPTARG ;;
        "r") expectFile=$OPTARG ;;
        "?") echo "Unknown option $OPTARG"
             usage ;;
        ":") echo "No argument value for option $OPTARG"
             usage ;;
        *)   # Should not occur
             echo "Unknown error while processing options" ;;
    esac
done

if [[ $target == "" ]]; then
    usage
fi

if [[ ! -x $expectBin ]]; then
    echo "$expectBin either does not exist or is not executable!"
    exit 1
fi

echo "Connecting to $target as $username..."

# Run the ssh-agent; this exports SSH_AUTH_SOCK and SSH_AGENT_PID
eval "$(ssh-agent -s)" > /dev/null
#echo "$SSH_AGENT_PID"

if [[ -x $expectFile ]]; then
    # Use Expect to feed the passphrase to ssh-add
    "$expectFile" > /dev/null
    # connect to $target
    ssh "$username@$target"
else
    echo "$expectFile either does not exist or is not executable!"
fi

# suppress the ssh-agent process
kill -9 "$SSH_AGENT_PID"

# Remaining ssh-agent
echo "List of the remaining ssh-agent:"
ps -u "$username" | grep "ssh-agent" | awk '{print $1}'
#To kill all ssh-agent use this:
#kill -9 $(ps -u "$username" | grep "ssh-agent" | awk '{print $1}')

echo "End of $target connection... good bye!"
exit 0
You can invoke this script by doing:
./connect.sh -t targetMachine
In my view, it is better to connect to the remote server as a regular user rather than as root, for security reasons. If you need root access, configure /etc/sudoers by invoking visudo (man visudo) so you can selectively grant privileges to users.
The same SSH logins can also carry a database connection through a gateway that sits between two firewalls (FW):
SQL Server (localhost:3306) --FW-- GATEWAY (localhost:1212) --FW-- SQL Client (localhost:2424)
On the GATEWAY machine, open a local forward towards the server and a reverse forward towards the client (-n: no stdin, -N: no remote command, -f: go to the background):
ssh -nNf -L 1212:localhost:3306 SQL_Server
ssh -nNf -R 2424:localhost:1212 SQL_Client
The first command makes port 1212 on the gateway reach port 3306 on SQL_Server; the second makes port 2424 on SQL_Client reach port 1212 on the gateway.
Check that port 2424 is open on the SQL Client machine:
# lsof -i :2424
COMMAND PID  USER FD  TYPE DEVICE   SIZE/OFF NODE NAME
sshd    5161 me   8u  IPv6 27808583 0t0      TCP  localhost:2424 (LISTEN)
sshd    5161 me   9u  IPv4 27808584 0t0      TCP  localhost:2424 (LISTEN)
Then, on the SQL Client machine, you can reach the database through port 2424 (the client end of the reverse forward); -p without a value makes mysql prompt for the password instead of exposing it on the command line, and --protocol=TCP forces a TCP connection rather than the local socket:
mysql -u username -p --protocol=TCP --port=2424
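A check for the tunnel step above, as an added example that is not part of the original article: it parses lsof output of the form shown in the listing (the samples below are constructed) and fails if nothing listens on the port or if a listener is bound to a non-loopback address, which is what a reverse forward would expose if GatewayPorts were enabled on the client. The function names check_listener and verify_tunnel_port are my own.

```shell
#!/bin/bash
# Added example, not part of the original article. It verifies the last step:
# something listens on the forwarded port, and only on loopback. sshd binds a
# reverse forward (-R) to localhost unless GatewayPorts is enabled; a listener on
# *:PORT or 0.0.0.0:PORT would expose the tunnel to everyone who can reach the host.
#
# check_listener PORT  (reads lsof output on stdin; function name is my own)
#   returns 0: a LISTEN socket on PORT exists and all of them are on loopback
#   returns 1: nothing listens on PORT
#   returns 2: at least one listener is bound to a non-loopback address
check_listener() {
    local port=$1 listening=0 exposed=0 name state
    # Columns: COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME (LISTEN)
    while read -r _cmd _pid _user _fd _type _dev _size _node name state; do
        [ "$state" = "(LISTEN)" ] || continue          # header or non-listening rows
        [ "${name##*:}" = "$port" ] || continue        # other ports
        listening=1
        case "${name%:*}" in
            localhost|ip6-localhost|127.0.0.1|'[::1]') ;;   # loopback: fine
            *) exposed=1 ;;                                  # *, 0.0.0.0, a real address
        esac
    done
    [ "$listening" -eq 1 ] || return 1
    [ "$exposed" -eq 0 ] || return 2
    return 0
}

# Live check on this machine (needs lsof); -nP keeps addresses and ports numeric.
verify_tunnel_port() {
    lsof -nP -iTCP:"$1" -sTCP:LISTEN | check_listener "$1"
}

# Constructed samples (not real captures), modelled on the listing above.
SAMPLE_OK='COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
sshd 5161 me 8u IPv6 27808583 0t0 TCP [::1]:2424 (LISTEN)
sshd 5161 me 9u IPv4 27808584 0t0 TCP 127.0.0.1:2424 (LISTEN)'
SAMPLE_EXPOSED='COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
sshd 5161 me 9u IPv4 27808584 0t0 TCP *:2424 (LISTEN)'

printf '%s\n' "$SAMPLE_OK" | check_listener 2424 && echo "sample 1: loopback-only listener on 2424"
printf '%s\n' "$SAMPLE_EXPOSED" | check_listener 2424 || echo "sample 2: rejected with rc=$?"
```

Run verify_tunnel_port 2424 on the SQL Client after the two ssh commands; a non-zero result means the tunnel is either missing or reachable from outside the host.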