Imagine you have to go through an intermediate machine
(let's call it $gateway — sometimes the term "jump host", "firewall host" or "intermediate host" is also used) to reach a $server.
Your workflow would be:
    ssh $gateway    (supply password manually)
    ssh $server     (supply password manually)
If you are able to configure SSH public key authentication on the hop to the $gateway but not on the second hop to the $server, the best you would be able to do is:
    ssh $gateway    (no password necessary)
    ssh $server     (supply password manually)
… or at most (with a single incantation):
    ssh -t $gateway ssh $server
… where, however, you'd still be prompted to manually enter a password.
Further assume that you are unable to install sshpass or some other software on the $gateway machine.
Fortunately there is an incantation that will allow you to solve the conundrum and that only requires sshpass to be installed on your client machine (i.e. from where you make the first hop to $server).
    sshpass -p $password ssh -oProxyCommand="ssh -W %h:%p $gateway" $server
In the above incantation:
NB: the incantation assumes that your username is the same on the client machine, $gateway and $server. Should this not be the case, then use username@$gateway as appropriate.
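
The same single-command hop, as an added example that is not from the original page: it hands the password to sshpass through the SSHPASS environment variable (`sshpass -e`) instead of `-p`, so the secret is never part of a command line. The function names are hypothetical, and the known_hosts check assumes that the first-time prompt ssh issues is its host key confirmation.

```shell
#!/bin/sh
# Added example; valid_host, proxy_option and hop_connect are hypothetical names.

# Accept only user@host-style names. The gateway is interpolated into
# ProxyCommand, which ssh runs through the local shell, so shell
# metacharacters or a leading "-" must be rejected before that point.
valid_host() {
    case $1 in
        ''|-*|*[!A-Za-z0-9._@-]*) return 1 ;;
    esac
    return 0
}

# Build the -o value for the first hop (same string as in the incantation above).
proxy_option() {
    valid_host "$1" || return 1
    printf 'ProxyCommand=ssh -W %%h:%%p %s\n' "$1"
}

# hop_connect GATEWAY SERVER: key auth to GATEWAY, password auth to SERVER.
hop_connect() {
    gateway=$1 server=$2
    valid_host "$server" || { echo "bad server name" >&2; return 2; }
    opt=$(proxy_option "$gateway") || { echo "bad gateway name" >&2; return 2; }
    # sshpass only answers password prompts, so insist that the server's
    # host key was already accepted in a manual first connection.
    ssh-keygen -F "$server" >/dev/null 2>&1 || {
        echo "no known_hosts entry for $server: connect once without sshpass" >&2
        return 3
    }
    # Read the password without echo and keep it out of argv:
    # sshpass -e takes it from the SSHPASS environment variable.
    printf 'Password for %s: ' "$server" >&2
    stty -echo
    IFS= read -r SSHPASS
    stty echo
    printf '\n' >&2
    export SSHPASS
    sshpass -e ssh -o "$opt" "$server"
    rc=$?
    unset SSHPASS
    return "$rc"
}
```

Source the file and run `hop_connect $gateway $server`; a username can be given as username@$gateway, as in the note above.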
NB2: for the very first time, it is important to first do a:
    ssh -oProxyCommand="ssh -W %h:%p $gateway" $server
… this will allow you to answer a prompt issued by SSH on the first time, otherwise if you try the full incantation (with the