A Couple Years Ago I Learned: SSH Config ProxyCommand vs IdentityFile
I was cleaning cruft from my previous employer off my computer (I was gifted this work PC when the company disappeared at the end of its bankruptcy proceedings) and came across this SSH config stanza that I actually had to do some testing to set up.
Our servers rejected SSH access from all but a handful of jumphosts. These were not jumphosts as jumphosts and bastions are usually understood, but full-fledged servers with shell environments on which most of our operations and support troubleshooting happened. All the jumphosts, and most of the servers beyond them, were provisioned by Salt with the SSH public keys we registered in a central location (to be rotated annually). One command and control server, however, was so critical to the operation of our services that we very rarely upgraded it, for fear of it dying in the upgrade process and paralyzing our entire business. The result was that it 1) did not get our SSH public keys via Salt, and 2) ran an SSH version so old it did not know how to handle ED25519 keys.
All this to explain why I ended up with two separate SSH private keys: one for the command and control server, and one for the jumphost through which I would connect to that C&C.
Tunnelling through the jumphost to connect to the C&C server was straightforward:
    # Command & Control server
    Host command
        HostName command.tld.com
        ProxyCommand ssh -q jumphost nc %h %p

    Host jumphost
        HostName jumphost.tld.com
        IdentityFile ~/.ssh/myprivatekey
    [...]
But a problem then arose: does an `IdentityFile` in the `Host command` stanza make SSH use that private key to negotiate with 1) the C&C server, or 2) the jumphost in the ProxyCommand?
So I tested, and it turns out SSH uses 1) myprivatekey to negotiate with the jumphost (in the ProxyCommand), and then 2) commandkey to negotiate with the Command & Control server. This follows from the ProxyCommand being a separate `ssh` process: it reads the same config, matches `Host jumphost`, and so picks up that stanza's `IdentityFile`, while the outer `ssh` only ever applies the `Host command` stanza to the connection it tunnels through the proxy.

    # Command & Control server
    Host command
        HostName command.tld.com
        ProxyCommand ssh -q jumphost nc %h %p
        IdentityFile ~/.ssh/commandkey

    Host jumphost
        HostName jumphost.tld.com
        IdentityFile ~/.ssh/myprivatekey
    [...]
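To make the key resolution above checkable without two servers, here is an added example (mine, not from the original post) that models how each `ssh` in a ProxyCommand re-reads the same config: it parses a constructed ssh_config mirroring the two stanzas, applies ssh_config's first-obtained-value-wins rule, follows `ProxyCommand ssh <alias> ...` hops, and reports which IdentityFile is used at each hop in connection order. The config text, the `%h`/`%p` expansion and the flag handling are simplifications assumed for this example.

```python
import fnmatch
import shlex

# Constructed ssh_config mirroring the post's two stanzas (sample input, not the
# author's actual file).
SSH_CONFIG = """
# Command & Control server
Host command
    HostName command.tld.com
    ProxyCommand ssh -q jumphost nc %h %p
    IdentityFile ~/.ssh/commandkey

Host jumphost
    HostName jumphost.tld.com
    IdentityFile ~/.ssh/myprivatekey
"""

def parse(text):
    """Split ssh_config into (host patterns, {option: value}) blocks, in file order."""
    blocks, patterns, opts = [], ["*"], {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key, val = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if key == "host":
            blocks.append((patterns, opts))
            patterns, opts = val.split(), {}
        else:
            opts.setdefault(key, val)  # ssh keeps the first value it obtains
    blocks.append((patterns, opts))
    return blocks

def resolve(blocks, alias):
    """Per option, the first matching Host block wins, as ssh_config(5) specifies."""
    result = {}
    for patterns, opts in blocks:
        if any(fnmatch.fnmatchcase(alias, p) for p in patterns):
            for key, val in opts.items():
                result.setdefault(key, val)
    result.setdefault("hostname", alias)
    result.setdefault("port", "22")
    return result

def key_order(text, alias):
    """(alias, IdentityFile) pairs in the order the keys are used: the ProxyCommand's
    own 'ssh <alias>' authenticates first, then the outer ssh authenticates to the target."""
    blocks, hops = parse(text), []
    while alias is not None:
        opts = resolve(blocks, alias)
        hops.append((alias, opts.get("identityfile")))
        cmd = opts.get("proxycommand", "").replace("%h", opts["hostname"]).replace("%p", opts["port"])
        argv = shlex.split(cmd)
        # Only follow a ProxyCommand that is itself ssh; bare flags like -q are skipped
        # (flags that take an argument are not modelled here).
        alias = next((a for a in argv[1:] if not a.startswith("-")), None) if argv[:1] == ["ssh"] else None
    return hops[::-1]
```

Because of the first-value-wins rule, a `Host *` block with its own `IdentityFile` placed at the top of the file would silently override both per-host keys, which is worth checking whenever a key seems to be offered to the wrong host.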