Manan Shah

Reputation: 1098

Equivalent PuTTY configuration of OpenSSH ProxyCommand (two different .pem/ppk files)

( Related Question: PuTTY configuration equivalent to OpenSSH ProxyCommand but it is for a single ppk/pem file... my problem is slightly different.)

I am trying to use PuTTY to get an SSH connection to my servers. These servers allow incoming SSH connections only from a bastion server (another specific server).

Using Linux this is no problem with the ssh command...I have achieved that in Linux like this... (~/.ssh/config)

HOST myprod-bastion
  IdentityFile ~/.ssh/pemfile/myprod-bastion.pem
  User bastion-user
  Hostname X.X.X.X

HOST mywebserver
  IdentityFile ~/.ssh/pemfile/myweserver.pem
  User produser
  Hostname 192.168.Y.Y
  ProxyCommand ssh myprod-bastion -W %h:%p

From my terminal, I just need to execute following command:

ssh mywebserver

Does anyone know how to use such a config in PuTTY? Appreciate your help in advance. :)

Upvotes: 2

Views: 1153

Answers (2)

Sarge1060

Reputation: 441

I had exactly the same problem that you describe and solved it the following way (based on Martin Prikryl's answer in the thread you also referenced). (See the PuTTY User Manual for details about PuTTYgen, Pageant or plink, which are required for this solution. All tools come along with PuTTY.)

  1. Convert both keys with PuTTYgen to the PuTTY .ppk file format. You do this by loading your .pem file into PuTTYgen and saving the private key.

  2. Start Pageant and add the private .ppk key of bastion-user@myprod-bastion.

  3. Configure the session parameters in the PuTTY GUI.
    In the tabs

    • Session: enter HostName 192.168.Y.Y and (optionally) Port
    • Connection > Data: enter the login name produser
    • Connection > SSH > Auth: import your produser@mywebserver's private key (.ppk) file
      (You can instead import this key into Pageant as well, if you prefer.)
    • Connection > Proxy: configure the (sort of) JumpProxy (myprod-bastion), as described below
    • Don't forget to save your configuration as mywebserver

Configure JumpProxy (myprod-bastion)

as shown in the screen shot:
PuTTY proxy setting

In your case, you can leave the fields "Proxy Hostname", "Port" and "Username" blank, and you don't need a password, since you provide a private key. The full command in "local proxy command" field is:
plink -ssh [email protected] -P YYY -batch -agent -nc %host:%port
Parameters explained:

  • "-ssh" determines the protocol (I assume this is optional)
  • "[email protected] -P YYY" your connection data (the port not necessary in your case)
    (You could also use the PuTTY variables %proxyhost and %proxyport here, if you filled the respective fields above, but I do not know the variable name for the proxy user.)
  • "-batch" prohibits any user prompt or input
  • "-agent" retrieves the private key from Pageant, which you start before establishing the connection to mywebserver. ("-i keyfile.ppk" should also work, but I didn't want to mess with the path ...)
  • "-nc %host:%port" similar to ssh's "-W host:port"
    The variables reference the respective values of mywebserver from the Session tab.

You can start your session from command line very similar to *nix with

plink mywebserver

Upvotes: 1
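
The translation described in the answer above, from the question's "ProxyCommand ssh myprod-bastion -W %h:%p" to a plink local proxy command, as an added example (not code from the original posts or from PuTTY). It assumes only the simple "ssh <jump> -W %h:%p" form with one alias per Host line; the function names are hypothetical.

```python
import shlex

# Constructed sample: the ~/.ssh/config from the question, placeholders kept as posted.
SSH_CONFIG = """\
HOST myprod-bastion
  IdentityFile ~/.ssh/pemfile/myprod-bastion.pem
  User bastion-user
  Hostname X.X.X.X

HOST mywebserver
  IdentityFile ~/.ssh/pemfile/myweserver.pem
  User produser
  Hostname 192.168.Y.Y
  ProxyCommand ssh myprod-bastion -W %h:%p
"""

def parse_ssh_config(text):
    """Return {alias: {lowercased keyword: value}}; one alias per Host line assumed."""
    hosts, current = {}, None
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "host":
            current = hosts.setdefault(value, {})
        elif current is not None:
            current[key] = value
    return hosts

def plink_proxy_command(hosts, target):
    """Translate 'ProxyCommand ssh <jump> -W %h:%p' into the plink form from the answer."""
    argv = shlex.split(hosts[target].get("proxycommand", ""))
    if len(argv) != 4 or argv[0] != "ssh" or "-W" not in argv or "%h:%p" not in argv:
        raise ValueError("only 'ssh <jump> -W %h:%p' is handled")
    alias = next(a for a in argv[1:] if a not in ("-W", "%h:%p"))
    jump = hosts.get(alias)
    if not jump or "user" not in jump or "hostname" not in jump:
        raise ValueError(f"jump host {alias!r} needs its own Host block with User and Hostname")
    cmd = ["plink", "-ssh", f"{jump['user']}@{jump['hostname']}"]
    cmd += ["-P", jump["port"]] if "port" in jump else []  # non-default bastion port only
    # -batch: no prompts; -agent: key served by Pageant; -nc: counterpart of ssh -W
    return " ".join(cmd + ["-batch", "-agent", "-nc", "%host:%port"])

if __name__ == "__main__":
    print(plink_proxy_command(parse_ssh_config(SSH_CONFIG), "mywebserver"))
```

Because -batch suppresses every prompt, plink abandons the connection if the bastion's host key is not yet cached, so connect to the bastion once interactively and verify its fingerprint first.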

Bryce Pilcher

Reputation: 31

I'm not sure if you still need this answered. But since I came across this asking the same question, I'll share my solution.

This site gave me the basis for the approach (warning: link may be broken): https://www.math.ucla.edu/computing/kb/creating-ssh-proxy-tunnel-putty

I had to create two connections with PuTTY: one for the Bastion, and one for the other box (mywebserver).

Create your connection to the Bastion host, specifying the hostname, port, and other necessary information depending on your setup.

Then under Connection > SSH > Tunnels, add a forwarded port. Set the source port (for ex: 31415), and write that value down. Set the type to Dynamic and leave Auto selected.

PuTTY Setup for Forwarded Port

Be sure to save this as a configuration.

Next, enter the credentials to set up the connection to the other box (mywebserver). The additional step you need to take here is to connect it to the first configuration by way of proxy.

Under Connection > Proxy, select a proxy type of SOCKS 5, set the proxy hostname to be localhost and set the port to be the same as created in the previous step (in this example: 31415). The rest of the settings can be left the same.

PuTTY Proxy Setup

Now, all you need is to start the first connection to the Bastion host and then start the connection to the other box (mywebserver).

Upvotes: 3
