[GTALUG] for multi-hop ssh/scp: option "ProxyJump"
Scott Sullivan
scott at revident.net
Sat Aug 29 18:31:56 EDT 2020
I've had to do the kind of multiple proxy jumps Hugh is alluding to.
It was common in a Managed Service Provider I worked for.
FYI, the ProxyJump directive was only introduced in OpenSSH version 7.3.
As we had a lot of legacy RHEL/CentOS 6 systems, which were not yet on
that version, we had to use the older pattern of ProxyCommand and NetCat
(nc).
Combining ProxyJump along with User, Port and IdentityFile directives in
your .ssh/config file, you can perform some amazing back-flips and
lateral moves through infrastructure. I think my record was 5 layers of
depth, but I don't have those config files any more.
Dropping your public keys, and 'ForwardAgent yes' in .ssh/config in every
user/system along the proxy chain means you can have a single SSH
command take you all the way to the end of the chain without being
prompted for a password at each hop.
---
# === SITE 1 ===
# Best-practice firewall rules means jump-box is the only host reachable
# via VPN, so is always our first hop.
Host jump-box
    HostName jump-box.example.org
    User someone

Host stargate
    ProxyCommand ssh -q someone@jump-box nc stargate.example.org 22

Host stargate2
    ProxyCommand ssh -q someone@jump-box nc 192.168.133.7 22

# === SITE 2 ===
Host jump.site2.other.org
    ProxyCommand ssh -q someone@stargate2 nc 10.30.40.20 22

# === SITE 3 ===
Host 192.168.3.*
    ProxyCommand ssh -q someone@stargate nc %h 22

# === SITE 5 ===
Host 10.90.5.*
    ProxyCommand ssh -q someone@stargate nc %h 22
    User differentuser

# Examples
# ssh someone@192.168.3.12
# A double jump, host/ip wildcard says we need to connect via
# 'stargate', which will resolve further to 'jump-box' which is
# canonically 'jump-box.example.org'
---
On 8/29/20 11:55 AM, D. Hugh Redelmeier via talk wrote:
> I'm away from home, regularly accessing my computers at home.
> Easy: ssh into a gateway machine and ssh from there into the internal
> machine of my choice. Nested ssh sessions.
> It gets a little more annoying when I want to transfer a file.
>
> The new-to-me ssh/scp option "ProxyJump" handles this conveniently.
>
> Consider the example of transferring a file "f" from machine "home"
> through machine "gw" to machine "away", all done from an xterm on
> "away".
>
> Note: because "away" is behind NAT, "gw" cannot scp to it.
> Note: -A enables ssh-agent to avoid some manual authentication
> Note: things become more complicated if f has slashes.
>
> [away] $ ssh -A gw
> [gw] $ scp -p home:f .
> [gw] $ exit
> [away] $ scp -p gw:f .
> [away] $ ssh -A gw
> [gw] $ rm f
> [gw] $ exit
>
> This can be simplified because the ssh command allows shell commands
> as arguments. That's not a habit I've developed.
>
> [away] $ ssh -A gw scp -p home:f .
> [away] $ scp -p gw:f .
> [away] $ ssh -A gw rm f
>
> The ProxyJump option makes this a lot simpler:
>
> [away] $ scp -p -o 'ProxyJump gw' home:f .
>
> I have no need for more than one intermediate hop so I haven't figured out
> how that would work.
> ---
> Post to this mailing list talk at gtalug.org
> Unsubscribe from this mailing list https://gtalug.org/mailman/listinfo/talk
>
--
Scott Sullivan
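An added example (not from Scott's or Hugh's posts) showing Scott's nc-based chain rewritten with the ProxyJump directive Hugh describes, for OpenSSH 7.3 or newer. Host names, user names, ports and the key path are assumptions; only the layout of the chain follows Scott's config. Because ProxyJump makes each hop tunnel a TCP connection (ssh -W) rather than run a shell, the client authenticates to every hop itself, so private keys and the agent never have to be exposed on the intermediate machines, and ForwardAgent is not needed just to get through the chain.

```sshconfig
# Added example: ProxyJump equivalent of the ProxyCommand + nc chain.
# All names, users, ports and key paths below are assumed values.

# First hop: the only host reachable over the VPN.
Host jump-box
    HostName jump-box.example.org
    User someone
    Port 22
    IdentityFile ~/.ssh/id_ed25519_jump    # assumed key path

# Second hop, reached only through jump-box. ProxyJump names another
# Host stanza, so ssh resolves it (and its own ProxyJump) recursively.
Host stargate
    HostName stargate.example.org
    User someone
    ProxyJump jump-box

# Site 3 hosts: a double jump. "ssh 192.168.3.12" goes through stargate,
# which goes through jump-box; %h is not needed because ProxyJump tunnels
# to the final HostName itself.
Host 192.168.3.*
    User differentuser
    ProxyJump stargate

# The same chain spelled out inline: hops are listed in order, comma
# separated, each with an optional user and port.
Host 10.90.5.*
    ProxyJump someone@jump-box.example.org:22,someone@stargate.example.org

# Usage (scp honours the same config, or the option can be given inline):
#   scp -p 192.168.3.12:f .
#   scp -p -o 'ProxyJump jump-box,stargate' 192.168.3.12:f .
```

With this layout the file "f" in Hugh's example is copied in one command without ever being written to disk on the jump hosts, which is the step his three-command sequence needed the extra ssh and rm for.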