PerlMonks  

Establishing SSH tunnel and opening another SSH connection through it

by tehcook (Initiate)
on Feb 07, 2012 at 01:52 UTC [id://952197]

tehcook has asked for the wisdom of the Perl Monks concerning the following question:

Hi All,

I need to SSH to a host which I have no direct connectivity with. It's only available through another host (SSH gateway). I've been trying different modules from CPAN (Net::SSH2, Net::OpenSSH) to:

1) establish an ssh connection to host1 (ssh gateway)
2) set up a tunnel to the destination host
3) use the ssh tunnel to open an ssh connection to the destination host

I was not able to figure out how to do this. Net::SSH2 supposedly can open a new ssh connection given a handle. It fails to do so if I give it the handle returned by its tcpip() function though. Net::OpenSSH only operates against $host, or so it seems...

Was anyone able to do something similar to this? The only way I see is to connect to the first host, then run the ssh command in the remote shell. Unfortunately doing it this way will stop ssh-agent auth working and I will have to resort to passwords.

Thanks a lot for your helpful tips.

Re: Establishing SSH tunnel and opening another SSH connection through it
by JavaFan (Canon) on Feb 07, 2012 at 02:18 UTC
    Was anyone able to do something similar to this ?
    Yes, but not by using Net::*. (That doesn't mean it's not possible with Net::*, I just never tried). I just set up a tunnel. Here's a (cleaned) section of my ssh config file. It actually creates tunnels through *2* intermediate hosts:
    Host = *
        ControlMaster = auto
        ControlPath = /home/javafan/.ssh/ssh_%h_%p_%r

    Host = gateway1
        HostName = gateway1.example.com
        User = javafan
        ForwardAgent = yes
        ServerAliveInterval = 60

    Host = gateway2
        Hostname = gateway2.example.com
        User = javafan
        ForwardAgent = yes
        ProxyCommand = ssh gateway1 nc %h %p

    Host = *.example.com
        ForwardAgent = yes
        User = javafan
        ProxyCommand = ssh gateway2 nc %h %p
    You may have to tweak it before it works for you.
    The only way I see is to connect to the first host, then run the ssh command in the remote shell. Unfortunately doing it this way will stop ssh-agent auth working and I will have to resort to passwords. Thanks a lot for your helpful tips.
    Nah. At work, I often have to "hop" from machine to machine to get to the target machine, and as long as you use ssh -A, or have the appropriate ForwardAgent = yes entries in your ssh config files, ssh-agent authentication just works.

    But this is way outside the realm of Perl.

Re: Establishing SSH tunnel and opening another SSH connection through it
by salva (Canon) on Feb 07, 2012 at 09:00 UTC
    In the Net::OpenSSH case, you can use master_opts to pass a ProxyCommand configuration directive to the underlying SSH process. For instance:
    my $ssh = Net::OpenSSH->new($host, master_opts => [-o => 'ProxyCommand=ssh foo nc %h %p']);

    Also, there is Net::OpenSSH::Gateway, which will find a way to open an SSH connection to a remote server through any combination of proxies and gateways (well, mostly).

    I have not published it on CPAN yet because, even if it is already functional, I have found some problems with its internal architecture that I want to solve first.

    You can use it as follows:

    my $ssh = Net::OpenSSH->new($host,
                                gateway => { proxies => ['ssh://intermediate_host',
                                                         'ssh://another_host',
                                                         'http://proxy:8080'] });

      Thanks for pointing me at ProxyCommand. This is pretty close to JavaFan's suggestion, only wrapped into perl code vs ssh config.

      One thing I've been wondering about is why one can't pass -L port:host:port to the master ssh. I've tried it with Net::OpenSSH and -L was not passed to the master ssh. Besides a small security concern with that open forwarded port I feel it would be cleaner than proxying via ssh and having to install netcat.

        If you have tunnels enabled on the gateway, you can use Net::OpenSSH tunnel methods to create a connection to some remote machine accessible from the gateway without the need to create a local listener.

        For instance:

        my $ssh_g = Net::OpenSSH->new($gateway);
        my $proxy_command = $ssh_g->make_remote_command({tunnel => 1}, $host, 22);
        my $ssh = Net::OpenSSH->new($host, master_opts => [-o => "ProxyCommand=$proxy_command"]);
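Putting salva's two suggestions together (ProxyCommand via master_opts, and make_remote_command({tunnel => 1}) instead of a local listener or a remote nc), here is an added example that is not from the thread: it chains through two gateways like JavaFan's config, checks $ssh->error at every hop so a failed login cannot hang silently, and keeps agent forwarding off because each hop authenticates from this client. It assumes the hostnames are placeholders, keys for every hop are loaded in ssh-agent, and TCP forwarding is permitted on the gateways.

```perl
#!/usr/bin/perl
# Added example, not code from the thread or from Net::OpenSSH itself.
# Chain SSH connections through two gateways with make_remote_command({tunnel => 1}),
# so every hop is authenticated from this client (ssh-agent) and no gateway ever
# sees the agent or a listening port. Hostnames below are placeholders.
use strict;
use warnings;
use Net::OpenSSH;

my @chain  = ('gateway1.example.com', 'gateway2.example.com');   # placeholders
my $target = 'target.example.com';                                # placeholder

my ($prev, @keep);     # @keep holds gateway objects so their master processes stay alive
for my $host (@chain, $target) {
    my @proxy;
    if ($prev) {
        # Ask the previous hop's master to open a TCP tunnel to $host:22 and
        # hand that command to ssh as the ProxyCommand for this hop.
        my $cmd = $prev->make_remote_command({tunnel => 1}, $host, 22);
        @proxy = (-o => "ProxyCommand=$cmd");
    }
    my $ssh = Net::OpenSSH->new($host,
        master_opts => [@proxy,
                        -o => 'ForwardAgent=no',             # never expose the agent to a hop
                        -o => 'StrictHostKeyChecking=yes'],  # fail on unknown or changed keys
        timeout     => 30);                                  # bound the wait instead of hanging
    die "ssh to $host failed: " . $ssh->error if $ssh->error;
    push @keep, $ssh;
    $prev = $ssh;
}

# $prev is now the session on the target, reached through both gateways.
my $out = $prev->capture('hostname');
die "remote command failed: " . $prev->error if $prev->error;
print "connected through ", scalar(@chain), " gateway(s) to: $out";
```

With this layout the gateways only relay TCP; a compromised gateway cannot use your agent, which is the risk ForwardAgent = yes introduces in the config-based approach.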

      From the top of your head, do you know why Net::OpenSSH->new() would hang forever after getting "Permission denied, please try again."?

      Also I found that some characters in the passwords have to be escaped, like @ and !. Otherwise it does not even get that "Permission denied, please try again." error. I'm not sure if I did escape ! the right way. Maybe that contributes to that hanging problem I am having.

      I've tried $Net::OpenSSH::debug and all I see is:

      Permission denied, please try again. # file object not yet found at ....
      The last line repeats indefinitely.

      The problem I'm stuck with is: first I'm trying public key auth, which fails because there is no key yet. Then I try ssh with a password and get "Permission denied". But the new call never returns...

        Also I found that some characters in the passwords have to be escaped

        You shouldn't need to quote the password. Actually the "Permission denied, please try again" error indicates a bad password. In any case, could you post your code? Otherwise it is difficult to guess what can be failing.

        Also, run your script with $Net::OpenSSH::debug = -1 and post here the full output.

        What versions of the Net::OpenSSH, perl, OpenSSH and operating system are you using?

Re: Establishing SSH tunnel and opening another SSH connection through it
by zentara (Archbishop) on Feb 07, 2012 at 10:45 UTC
      Unfortunately part of what this Perl script is supposed to do is to install public keys on the destination hosts. So I have to be able to use passwords for the hosts that don't have an ssh key yet.
