How to ssh to another host via jump hosts


It is possible to ssh to another host through one or more jump hosts in the middle, so that the client can act as if the connection were direct.
The main method is to use the ProxyJump option to tunnel the ssh protocol through one or more jump hosts to the ssh server running on the final target host. This method requires that the jump servers allow TCP port forwarding (AllowTcpForwarding in their sshd_config).

ssh -J jumpserver:22 targetserver

In OpenSSH version 7.2 and earlier, passing through jump hosts needs the ProxyCommand option, given either on the command line or in ~/.ssh/config.

For example, to jump through host jumpserver to host targetserver, use the following ssh command:

ssh -o ProxyCommand="ssh -W %h:%p jumpserver" targetserver

In this command, authentication happens twice: first on jumpserver, then on targetserver. So you need valid credentials (user/password) for both jumpserver and targetserver.

Alternatively, we can put the ProxyCommand in ~/.ssh/config.

Here is an example ~/.ssh/config:

#=================
#~/.ssh/config
#=================
ServerAliveInterval 120

# no proxy when ssh'ing to localhost (first matching Host block wins)
Host localhost
    HostName localhost
    ProxyCommand none

# no proxy when ssh'ing to any hostname starting with jumpserver
Host jumpserver*
    HostName jumpserver
    ProxyCommand none

# for every other host: jump through jumpserver and reuse the connection
Host *
    ControlMaster auto
    # creates control socket files such as ~/.ssh/master-youruid@targetserver:22 on the client host
    ControlPath ~/.ssh/master-%r@%h:%p
    ControlPersist 20m
    # -q quiet, -A request agent forwarding to jumpserver, -W forward stdio to the target host:port
    ProxyCommand ssh -qA -W %h:%p jumpserver

With the above ~/.ssh/config file, you should be able to ssh into many target servers by jumping through jumpserver.

You can forget about the jumpserver and type the normal command:
ssh targetserver

You need to enter credentials for jumpserver and targetserver once; after that, the jumpserver essentially becomes "invisible" in later ssh connections.

As an extra bonus, the Control* settings in ~/.ssh/config save you from re-entering the credentials again and again after the first time. Once you have authenticated to the jumpserver and the target host (possibly with a two-factor authentication step), you don't need to re-enter the credentials when reconnecting to the same target server, unless you closed the ssh connection and didn't reconnect within 20 minutes.

The established connection is kept open, via the socket file named by ControlPath, for 20 minutes. Once one ssh network connection to a target server is open, opening more ssh sessions to the same server costs little: the extra sessions need no credentials, because they don't open a new ssh connection to the jumpserver or the targetserver. They reuse the existing TCP connection, sending their traffic over the same socket by multiplexing. This reduces the load on the jumpserver and the target server, and also gives faster response times.
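Before relying on the config above, it helps to confirm what ssh will actually do for each host name without opening any connection. The script below, an added example that is not from the original post, writes the post's Host blocks to a temporary config and asks ssh to resolve them with ssh -G (available since OpenSSH 6.8); the host names jumpserver and targetserver are the post's placeholders, and the temporary file path is whatever mktemp returns.

```shell
#!/bin/sh
# Added example: resolve the post's ~/.ssh/config with `ssh -G`, which
# evaluates Host matching and prints the effective options without connecting.
# Host names jumpserver/targetserver are the post's placeholders.
set -eu

CFG="$(mktemp)"
trap 'rm -f "$CFG"' EXIT

# The same stanzas as the post's config (constructed copy for this check).
cat > "$CFG" <<'EOF'
Host localhost
    HostName localhost
    ProxyCommand none

Host jumpserver*
    HostName jumpserver
    ProxyCommand none

Host *
    ControlMaster auto
    ControlPath ~/.ssh/master-%r@%h:%p
    ControlPersist 20m
    ProxyCommand ssh -qA -W %h:%p jumpserver
EOF

# Print the proxy command ssh would run for host $1, or "none" for a direct
# connection. `ssh -G` prints keywords in lowercase and omits the proxycommand
# line when none applies (older releases print "proxycommand none"); both
# cases end up as "none" here.
effective_proxy() {
    ssh -G -F "$CFG" "$1" | awk '
        $1 == "proxycommand" { $1 = ""; sub(/^ /, ""); print; found = 1 }
        END { if (!found) print "none" }'
}

# Ask the ControlMaster for host $1 whether its multiplexed connection is
# still alive (exit status 0 = alive); this one does talk to the socket.
mux_alive() {
    ssh -F "$CFG" -O check "$1" >/dev/null 2>&1
}

for h in localhost jumpserver jumpserver2 targetserver; do
    printf '%-14s -> %s\n' "$h" "$(effective_proxy "$h")"
done
```

Expect localhost, jumpserver and jumpserver2 to resolve to a direct connection and targetserver to the -W tunnel through jumpserver; if the order of the Host blocks were reversed, jumpserver itself would be proxied through jumpserver. Note that anyone who can open the ControlPath socket file can reuse your authenticated connection, so keep ~/.ssh private.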
