SSH client configuration for Jump Host
SSH client configuration for Jump Host is just a simple, fast and efficient way to configure your local SSH client to remote access via SSH other external networks / hosts. In the same time we can say that this solution adds a layer of security as well if your environment is not so secure for whatever reason, we have seen this quite often but let’s not talk about this yet. In this short tutorial we will try explain in a very simple way how you may configure your local SSH client configuration file in order to connect straight to one of your remote servers / networks using one or multiple jump hosts (hops) as proxy servers. Please note that this step by step guide is for MacOS and Linux users that are using any of these Operating Systems on their workstations on a daily basis. We don’t recommend to build and use a jump host if it has already access to remote networks via VPN, it’s more than pointless to build a proxy bridge over an existing VPN. This solution has been tested using a MacOS machine, three cloud hosting providers like Google Cloud Platform, Amazon AWS and Microsoft Azure and even using on-premises networks backed up by a VMWare environment.
Table of Contents
Scenario
Security consideration
Remote jump host configuration
SSH client configuration
Testing connectivity
Scenario
Assuming that we have multiple hosts to access via SSH spread across three could hosting providers like GCP, AWS, Azure and even VMWare on premises a solution to access all these hosts is to have a jump host (aka jump box or bastion servers). By having a jump host on each of these environments we can easily proxy our SSH session to that specific jump host and afterwards to the server that we need to get to. The main benefit of this solution is to avoid to SSH first into the jump host and after that to our end server by simply passing the request straight from our SSH client. So lets assume that our hosts were properly named like in the example below:
Hostname | IP Address | Cloud | Role |
---|---|---|---|
gcp-jumphost | 10.11.12.13 | GCP | Jump Host |
gcp-web-server-01 | 10.1.0.1 | GCP | Web Server |
gcp-db-server-01 | 10.2.0.1 | GCP | Database Server |
aws-jumphost | 20.21.22.23 | AWS | Jump Host |
aws-web-server-01 | 20.1.0.1 | AWS | Web Server |
aws-db-server-01 | 20.2.0.1 | AWS | Database Server |
azr-jumphost | 30.31.32.33 | Azure | Jump Host |
azr-web-server-01 | 30.1.0.2 | Azure | Web Server |
azr-db-server-01 | 30.2.0.1 | Azure | Database Server |
vmw-jumphost | 40.41.42.43 | VMWare | Jump Host |
vmw-web-server-01 | 40.1.0.1 | VMWare | Web Server |
vmw-db-server-01 | 40.2.0.1 | VMWare | Database Server |
Security consideration
As we have highlighted on the introduction of our tutorial this solution adds a layer of security to your existing stacks if none is in place, shortly if you’re connecting via SSH directly to each end-point (host) by calling its public IP this solution will help you to avoid this really bad habit from a security prospective and also it may save you some money that you’re already spending for each public IP address assigned for your hosts.
We must say that the best solution in terms of security and flexibility still remains the VPN one, if you are using multiple Cloud Providers please don’t delay and make security your first priority by deploying a proper VPN solution across all these, don’t rely on our tutorial maybe more than a simple exercise for your personal knowledge or let’s say as a temporary solution until a VPN solution will be put in place.
Remote Jump Host configuration
On our very first step we have to make sure that all Jump Hosts are correctly set up, public IPs assigned, firewall is configured and enabled. Also we would recommend to lock down these Jump Hosts to accept inbound connections only from your own external IPs like for example 10.123.231.100/32 to deny all incoming requests except those for port 22 if that’s your default SSH port, these can be configured easily via ACLs on each Cloud Provider.
On the same page we have to make sure that our user is properly configure on each Jump Host, has a public SSH key assigned and also complete visibility and access across all servers that we want to connect to. This being said about Jump Hosts let’s move to our next step where we need to configure our SSH client.
SSH client configuration
Here we have to open our local SSH client configuration or to create it if that doesn’t exist, so lets run the next command on our terminal window:
$ vi ~/.ssh/config
Now by adding the next lines to our config
file we will instruct our local SSH client that all connections initiated should have a 10 seconds value for ServerAliveInterval
and also that we want to enable compressions for these connection, a good thing though:
# General configuration
Host *
ServerAliveInterval 10
Compression yes
Below lines are purely for Jump Hosts, we are instructing our SSH client to use these specific IP addresses, ports, users and SSH keys when these are invoked within a ssh command. As you can see we have the flexibility to configure each of these Jump Hosts individually by having different users, keys and even ports, it’s up to you and your specific scenario.
# Jump Hosts configuration
Host gcp-jumphost
HostName 10.11.12.13
Port 22
User mysshuser
IdentityFile ~/.ssh/id_rsa
Host aws-jumphost
HostName 20.21.22.23
Port 22
User mysshuser
IdentityFile ~/.ssh/id_rsa
Host azr-jumphost
HostName 30.31.32.33
Port 22
User mysshuser
IdentityFile ~/.ssh/id_rsa
Host vmw-jumphost
HostName 40.41.42.43
Port 22
User mysshuser
IdentityFile ~/.ssh/id_rsa
Moving forward with our tutorial we will configure the end-points (servers / hosts) at this stage where their names plays a very important role within our solution. As you may notice on first configuration example we will forward all initiated SSH connections that begins with gcp
or GCP
straight to gcp-jumphost
and this will automatically forward our request to the requested end-point, basically gcp-jumphost
previously configured will act as a proxy server.
# End-Points configuration
Host gcp-* GCP-*
HostName %h
Port 22
User mysshuser
IdentityFile ~/.ssh/id_rsa
ProxyCommand ssh -qW %h:%p gcp-jumphost
Host aws-* AWS-*
HostName %h
Port 22
User mysshuser
IdentityFile ~/.ssh/id_rsa
ProxyCommand ssh -qW %h:%p aws-jumphost
Host azr-* AZR-*
HostName %h
Port 22
User mysshuser
IdentityFile ~/.ssh/id_rsa
ProxyCommand ssh -qW %h:%p azr-jumphost
Testing connectivity
And now finally on the last step let’s test our solution by initiating a new SSH connection to one of our external servers like in the example below, simply open a new terminal window if you don’t have one already open and run the next command:
$ ssh aws-web-server-01
If everything has been configured correctly as per our then we should be able to SSH straight to our server without SSH-ing to our Jump Host anymore, we’re all set now and this is the part where our short tutorial about SSH client configuration for Jump Host ends.