SSH client configuration for Jump Host

 
 

SSH client configuration for Jump Host is just a simple, fast and efficient way to configure your local SSH client to remote access via SSH other external networks / hosts. In the same time we can say that this solution adds a layer of security as well if your environment is not so secure for whatever reason, we have seen this quite often but let’s not talk about this yet. In this short tutorial we will try explain in a very simple way how you may configure your local SSH client configuration file in order to connect straight to one of your remote servers / networks using one or multiple jump hosts (hops) as proxy servers. Please note that this step by step guide is for MacOS and Linux users that are using any of these Operating Systems on their workstations on a daily basis. We don’t recommend to build and use a jump host if it has already access to remote networks via VPN, it’s more than pointless to build a proxy bridge over an existing VPN. This solution has been tested using a MacOS machine, three cloud hosting providers like Google Cloud Platform, Amazon AWS and Microsoft Azure and even using on-premises networks backed up by a VMWare environment.

Table of Contents

Scenario
Security consideration
Remote jump host configuration
SSH client configuration
Testing connectivity

Scenario

Assuming that we have multiple hosts to access via SSH spread across three could hosting providers like GCP, AWS, Azure and even VMWare on premises a solution to access all these hosts is to have a jump host (aka jump box or bastion servers). By having a jump host on each of these environments we can easily proxy our SSH session to that specific jump host and afterwards to the server that we need to get to. The main benefit of this solution is to avoid to SSH first into the jump host and after that to our end server by simply passing the request straight from our SSH client. So lets assume that our hosts were properly named like in the example below:

Hostname IP Address Cloud Role
gcp-jumphost 10.11.12.13 GCP Jump Host
gcp-web-server-01 10.1.0.1 GCP Web Server
gcp-db-server-01 10.2.0.1 GCP Database Server
aws-jumphost 20.21.22.23 AWS Jump Host
aws-web-server-01 20.1.0.1 AWS Web Server
aws-db-server-01 20.2.0.1 AWS Database Server
azr-jumphost 30.31.32.33 Azure Jump Host
azr-web-server-01 30.1.0.2 Azure Web Server
azr-db-server-01 30.2.0.1 Azure Database Server
vmw-jumphost 40.41.42.43 VMWare Jump Host
vmw-web-server-01 40.1.0.1 VMWare Web Server
vmw-db-server-01 40.2.0.1 VMWare Database Server

Security consideration

As we have highlighted on the introduction of our tutorial this solution adds a layer of security to your existing stacks if none is in place, shortly if you’re connecting via SSH directly to each end-point (host) by calling its public IP this solution will help you to avoid this really bad habit from a security prospective and also it may save you some money that you’re already spending for each public IP address assigned for your hosts.

We must say that the best solution in terms of security and flexibility still remains the VPN one, if you are using multiple Cloud Providers please don’t delay and make security your first priority by deploying a proper VPN solution across all these, don’t rely on our tutorial maybe more than a simple exercise for your personal knowledge or let’s say as a temporary solution until a VPN solution will be put in place.

Remote Jump Host configuration

On our very first step we have to make sure that all Jump Hosts are correctly set up, public IPs assigned, firewall is configured and enabled. Also we would recommend to lock down these Jump Hosts to accept inbound connections only from your own external IPs like for example 10.123.231.100/32 to deny all incoming requests except those for port 22 if that’s your default SSH port, these can be configured easily via ACLs on each Cloud Provider.

On the same page we have to make sure that our user is properly configure on each Jump Host, has a public SSH key assigned and also complete visibility and access across all servers that we want to connect to. This being said about Jump Hosts let’s move to our next step where we need to configure our SSH client.

SSH client configuration

Here we have to open our local SSH client configuration or to create it if that doesn’t exist, so lets run the next command on our terminal window:


$ vi ~/.ssh/config

Now by adding the next lines to our config file we will instruct our local SSH client that all connections initiated should have a 10 seconds value for ServerAliveInterval and also that we want to enable compressions for these connection, a good thing though:


# General configuration

Host *
    ServerAliveInterval 10
    Compression         yes

Below lines are purely for Jump Hosts, we are instructing our SSH client to use these specific IP addresses, ports, users and SSH keys when these are invoked within a ssh command. As you can see we have the flexibility to configure each of these Jump Hosts individually by having different users, keys and even ports, it’s up to you and your specific scenario.


# Jump Hosts configuration

Host gcp-jumphost
    HostName 		10.11.12.13
    Port 		22
    User 		mysshuser
    IdentityFile   	~/.ssh/id_rsa

Host aws-jumphost
    HostName            20.21.22.23
    Port                22
    User                mysshuser
    IdentityFile        ~/.ssh/id_rsa

Host azr-jumphost
    HostName            30.31.32.33
    Port                22
    User                mysshuser
    IdentityFile        ~/.ssh/id_rsa

Host vmw-jumphost
    HostName            40.41.42.43
    Port                22
    User                mysshuser
    IdentityFile        ~/.ssh/id_rsa

Moving forward with our tutorial we will configure the end-points (servers / hosts) at this stage where their names plays a very important role within our solution. As you may notice on first configuration example we will forward all initiated SSH connections that begins with gcp or GCP straight to gcp-jumphost and this will automatically forward our request to the requested end-point, basically gcp-jumphost previously configured will act as a proxy server.


# End-Points configuration

Host gcp-* GCP-*
    HostName 		%h
    Port 		22
    User 		mysshuser
    IdentityFile 	~/.ssh/id_rsa
    ProxyCommand 	ssh -qW %h:%p gcp-jumphost

Host aws-* AWS-*
    HostName            %h
    Port                22
    User                mysshuser
    IdentityFile        ~/.ssh/id_rsa
    ProxyCommand        ssh -qW %h:%p aws-jumphost

Host azr-* AZR-*
    HostName            %h
    Port                22
    User                mysshuser
    IdentityFile        ~/.ssh/id_rsa
    ProxyCommand        ssh -qW %h:%p azr-jumphost

Testing connectivity

And now finally on the last step let’s test our solution by initiating a new SSH connection to one of our external servers like in the example below, simply open a new terminal window if you don’t have one already open and run the next command:


$ ssh aws-web-server-01

If everything has been configured correctly as per our then we should be able to SSH straight to our server without SSH-ing to our Jump Host anymore, we’re all set now and this is the part where our short tutorial about SSH client configuration for Jump Host ends.

Video

No video posted for this page.

Screenshots

No screenshots posted for this page.

Source code

No code posted for this page.

About this page

Article
SSH client configuration for Jump Host
Author
Category
Published
10/08/2018
Updated
15/11/2018
Tags

Share this page

If you found this page useful please share it with your friends or colleagues.