SSH jump host

From Gentoo Wiki

An alternative to SSH tunneling for reaching internal machines through a gateway is to use jump hosts.

The idea is to use ProxyCommand to automatically run an ssh command on the gateway that jumps to the next host and forwards all traffic through it.

Prerequisites

  • SSH access to the gateway machine and the internal one.
  • The gateway machine has Netcat (nc) installed.

Dynamic jumphost list

Just concatenate your jump host(s) and your destination host with the + sign. You don't have to set up a static configuration in your config file.

Setup

FILE ~/.ssh/config: Add this text
Host *+*
  ProxyCommand ssh $(echo %h | sed 's/+[^+]*$//;s/\([^+%%]*\)%%\([^+]*\)$/\2 -l \1/;s/:/ -p /') exec nc -w1 $(echo %h | sed 's/^.*+//;/:/!s/$/ %p/;s/:/ /')

Usage

user $ ssh host1+host2

If usernames on machines differ, specify them:

user $ ssh user1%host1+host2 -l user2

Note: The login name for the last hop has to be given using the -l flag.

You can give also port numbers if needed:

user $ ssh host1:port1+host2

It works with scp command, too:

user $ scp filename host1+host2:~/

Note: The colon and path at the end are needed so that scp recognizes the target as remote.

Multiple jumps

The same syntax can be used to make jumps over multiple machines:

user $ ssh host1+host2+host3

Note: All but the last jump host need the ProxyCommand set in their SSH configuration.

Static jumphost list

A static jumphost list means that you already know which jump host or jump hosts are needed to reach a host, so you can create a static jumphost 'routing' in the ~/.ssh/config file. The advantage over the dynamic jumphost option is that you don't have to provide the .ssh config on the jump hosts that sit between your machine and the final host you want to reach.

Setup

FILE ~/.ssh/config: Add this text
### First jumphost. Directly reachable
Host alphajump
  HostName jumphost1.example.org

### Host to jump to via jumphost1.example.org
Host behindalpha
  HostName behindalpha.example.org
  ProxyCommand  ssh alphajump netcat -w 120 %h %p

In more recent versions of OpenSSH, i.e. OpenSSH_7.3p1 and later, the ProxyCommand option can be replaced with ProxyJump, making the above block slightly simpler if desired:

FILE ~/.ssh/config: ProxyJump example
### First jumphost. Directly reachable
Host betajump
  HostName jumphost1.example.org

### Host to jump to via jumphost1.example.org
Host behindbeta
  HostName behindbeta.example.org
  ProxyJump  betajump

If both ProxyCommand and ProxyJump are set for a host, whichever appears first in your SSH config file is honored.

Usage

user $ ssh behindalpha

If usernames on machines differ, specify them by modifying the corresponding ProxyCommand line:

FILE ~/.ssh/config: Modify the corresponding ProxyCommand
### Log in to the jump host alphajump as otheruser (the entry for behindalpha)
ProxyCommand  ssh -l otheruser alphajump netcat -w 120 %h %p

It works with scp command, too:

user $ scp filename behindalpha:~/

Note: The colon and path at the end are needed so that scp recognizes the target as remote.

Multiple jumps

The same syntax can be used to make jumps over multiple machines:

FILE ~/.ssh/config: Add this text
### First jumphost. Directly reachable
Host alphajump
  HostName jumphost1.example.org

### Second jumphost. Only reachable via jumphost1.example.org
Host betajump
  HostName jumphost2.example.org
  ProxyCommand  ssh alphajump netcat -w 120 %h %p

### Host only reachable via alphajump and betajump
Host behindalphabeta
  HostName behindalphabeta.example.org
  ProxyCommand  ssh betajump netcat -w 120 %h %p

user $ ssh behindalphabeta

Tips

To make connecting even easier:

External resources