I'm trying to configure SSH to log into multiple hosts behind a CyberArk PSM SSH proxy.
I'm using OpenSSH v. 9.4.
I can connect directly like this:
ssh -i <key> <user>@<cybearkuser>%<domain>@<remotehost>@<proxyaddress>
The only variable here is remotehost, so I want to configure SSH to automatically replace it in the long connection string when I just type ssh remotehost.
I first made my SSH config like so:
Host abc-*remotehost
Hostname user@user%%domain.com@%[email protected]
IdentityFile ~/.ssh/key
Note that %h expands to the host, and %% is just a regular %.
But now, when I just do ssh abc-123.remotehost, it seems SSH interprets the whole line as a host (understandably), and complains it cannot resolve it.
It correctly substituted the hostname into the long string, though.
I assume everything before the final @ is supposed to be the SSH username, so I thought I could just do this:
Host abc-*remotehost
Hostname proxy.domain.com
User user@user%%domain.com@%h
IdentityFile ~/.ssh/key
But that doesn't work, as these substitution tokens only work on specific keywords, and not User (man page).
Note that if I just put the whole <user>@<cybearkuser>%<domain>@<remotehost> part in statically as User, it works fine, but I really want to substitute it to avoid repeating this for 30+ hosts.
Is there some other trick I can try?
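
One way around the repetition described in the post, added here as an example and not part of the original question: since a static User line works, the per-host stanzas can be generated from a host list instead of typed by hand. The variable values, function names and host names are constructed placeholders, and the sketch assumes the OpenSSH 9.4 behaviour described above, where User is taken literally.

```shell
#!/bin/sh
# Added example: emit one ssh_config stanza per target behind the PSM proxy.
# All values are constructed placeholders following the shape used in the post.
PSM_USER="user"               # account presented to the proxy
PSM_VAULT_USER="user"         # CyberArk-side user
PSM_DOMAIN="domain.com"
PSM_PROXY="proxy.domain.com"
PSM_KEY="~/.ssh/key"          # left unexpanded on purpose; ssh expands the tilde

# Print the literal login string <user>@<cyberarkuser>%<domain>@<remotehost>.
psm_login() {
    printf '%s@%s%%%s@%s' "$PSM_USER" "$PSM_VAULT_USER" "$PSM_DOMAIN" "$1"
}

# Print one Host stanza. Names containing anything other than letters, digits,
# dot, underscore or hyphen are rejected so that whitespace, '@' or '%' in the
# input cannot alter the generated Host or User lines.
psm_stanza() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*)
            echo "skipping invalid host name: $1" >&2
            return 1 ;;
    esac
    printf 'Host %s\n' "$1"
    printf '    HostName %s\n' "$PSM_PROXY"
    printf '    User %s\n' "$(psm_login "$1")"
    printf '    IdentityFile %s\n\n' "$PSM_KEY"
}

# Read host names on stdin, one per line; blank lines and '#' comments are skipped.
psm_config() {
    while IFS= read -r host; do
        case "$host" in ''|'#'*) continue ;; esac
        psm_stanza "$host" || true
    done
}
```

Feed the host list to psm_config on stdin and redirect the output to a file that the main ~/.ssh/config pulls in with Include, then regenerate it whenever the list changes.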