SSH through a jumphost (bastion/gateway)

Kobi Rosenstein
3 min read · Apr 22, 2020


I really like ssh.

It’s a wonderful little tool that everyone uses all the time and you don’t even need to think about it, until you do. And then you’re in trouble, and then the google hunt begins.

In this post I will talk about using ssh SMARTLY, and not doing manual work. I mean, isn’t that what linux is FOR? Onwards, to the actual point.

I will assume you know how passwordless ssh works. Let’s also assume that you, like me, often work on remote servers, using a laptop (or desktop. Let’s not be discriminatory.) to connect to all your various servers.

If you are a windows user, you probably use a tool like mRemoteNG, or my favorite, MobaXterm. These tools allow you to save sessions, configure all sorts of connection parameters, and organize everything in one place. If you need to connect through a proxy/bastion/jumphost/gateway, no problem, just add it in the GUI. But what happens when you are using a linux desktop (Naturally, I really think you should) or a Mac? Or what if you don’t have any of those tools because you are in a private intranet? Or even if you just want to learn how to do things yourself? I am going to show you a few different ways you can configure your ssh connection to use jump hosts.

In all of these examples I am assuming that you CAN connect to your remote server like this, but don’t like the extra step of connecting to the middleman each time:

kobi@laptop-$: ssh proxyman@proxy
proxyman@proxy-$: ssh someuser@server
someuser@server-$: whoami
someuser

If that doesn’t work, make sure it does first.

1. This is a one-time thing, or you don’t feel like doing any actual configuration; you just want to connect quickly.

Just type:

ssh -t proxyman@proxy ssh someuser@server

2. You don’t have the nc tool on your proxy

Edit the ~/.ssh/config file on your laptop. This, in case you weren’t aware, is linux’s built-in ssh “session manager”.

Add the following lines:

Host proxy-nickname
User proxyman
Hostname proxydnsname.somedomain.com
# You can use ip addresses instead of DNS names
Host server-nickname
User someuser
Hostname server.somedomain.com
Port 22
ProxyJump proxy-nickname

Now to connect, simply type ssh server-nickname. This method is useful for nicknaming remote connections in general. Poor man’s DNS!
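As an added example (not from the original post), here is a small POSIX shell helper that reads an ssh_config-style text and prints the hops ssh will traverse by following ProxyJump from Host block to Host block; it goes beyond the post’s single hop by resolving a chain of nicknames and flagging a loop between blocks. The inner-nickname host in the sample is constructed, and only single-nickname ProxyJump values and single-pattern Host lines are handled.

```shell
#!/bin/sh
# Constructed sample config: proxy-nickname and server-nickname mirror the post,
# inner-nickname is an assumed extra hop to show a multi-hop chain.
SAMPLE_CONFIG=$(cat <<'EOF'
Host proxy-nickname
    User proxyman
    Hostname proxydnsname.somedomain.com
Host inner-nickname
    User someuser
    Hostname inner.somedomain.com
    ProxyJump proxy-nickname
Host server-nickname
    User someuser
    Hostname server.somedomain.com
    Port 22
    ProxyJump inner-nickname
EOF
)

# lookup_option CONFIG_TEXT NICKNAME OPTION
# Prints the value of OPTION inside the "Host NICKNAME" block, or nothing.
# Only the first pattern on a Host line is compared (an assumption of this helper).
lookup_option() {
    printf '%s\n' "$1" | awk -v want="$2" -v opt="$3" '
        tolower($1) == "host" { inblock = ($2 == want); next }
        inblock && tolower($1) == tolower(opt) { print $2; exit }'
}

# resolve_chain CONFIG_TEXT NICKNAME
# Walks ProxyJump backwards from the destination and prints the hops in the
# order ssh connects to them, one "user@hostname" per line.
resolve_chain() {
    cfg=$1; cur=$2; chain=""; seen=" "
    while [ -n "$cur" ]; do
        # A nickname seen twice means the blocks point at each other.
        case "$seen" in *" $cur "*) echo "loop detected at $cur" >&2; return 1;; esac
        seen="$seen$cur "
        host=$(lookup_option "$cfg" "$cur" Hostname)
        if [ -z "$host" ]; then
            # No Host block: ssh would use the name literally, so stop here.
            chain="$cur $chain"
            break
        fi
        user=$(lookup_option "$cfg" "$cur" User)
        chain="${user:+$user@}$host $chain"   # prepend: first hop ends up first
        cur=$(lookup_option "$cfg" "$cur" ProxyJump)
    done
    printf '%s\n' $chain
}
```

Run resolve_chain "$SAMPLE_CONFIG" server-nickname to see the proxy, the inner host and the server listed in connection order.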

3. You are using an older version of ssh (which does not support ProxyJump), but you do have nc on your proxy

This is almost the same as the method above, but instead of ProxyJump we use the older and slightly more complex ProxyCommand directive together with the nc tool. Edit the ~/.ssh/config file as shown above, but change the server block to the following:

Host server-nickname
User someuser
Hostname server.somedomain.com
ProxyCommand ssh -o 'ForwardAgent yes' proxy-nickname 'ssh-add && nc %h %p'

For this to work, your laptop has to have ssh-agent running. Just type ssh-agent to be sure.

Again, connect with ssh server-nickname.

Things to look out for:

Especially when working with VMs in the cloud, where IP addresses change often, you need to be careful with the ProxyJump directive. I have noticed that after the IP address changes the directive no longer works, instead throwing a public key authentication denied error when connecting to the server; deleting and re-adding the block, or adding it again under a different nickname, can fix the problem.

As always, thanks for reading, and if you know any other ways to do this, be sure to leave a comment!
