Transparent SSH Hopping

Chris Sandrini, Senior System Engineer
Secure Shell (SSH) is a network protocol for secure data communication, mainly used to administer remote Unix/Linux servers via the command line. It also allows the user to open a secure tunnel between a client and a server through which any kind of network traffic can be sent.

Many of the customers I work for use an SSH hop server that sits behind a firewall. The hop server is the main point of entry to a certain network area, similar to a proxy.

The firewall is configured with port forwarding so that any SSH request is forwarded directly to a specific hop server. From there you can connect via SSH to another host in order to administer that server remotely via the command line. This kind of setup gives the administrator more effective control over who can connect to a server and from where.

If you need to do a lot of work on the remote servers behind the hop server, going through all the steps for each connection quickly becomes annoying: for every connection you first have to connect to the hop server and then from there to the desired remote server. It gets more complicated if you want to send files from your client directly to the remote server, because you have to copy the file to the hop server first and from there to the remote server. Especially for bigger files you may not want to store them on the hop server at all.

OpenSSH has some very nice features that let it use the hop server as an SSH proxy.

Prerequisites

Access to an SSH hop server
nc or netcat has to be installed on the hop server

Overview

Layout
On your client, create a new file called ~/.ssh/config with the following content:

Host amberJump
  HostName public.domain.com
  Port 22
  User amber

Host vxs01
  ProxyCommand ssh -q amberJump nc vxs01 22

Host vxs02
  ProxyCommand ssh -q amberJump nc vxs02 22

Host vxs03
  ProxyCommand ssh -q amberJump nc vxs03 22


We have specified the hop server amberJump, which is reached through the firewall, and then three hosts whose connections should be redirected through amberJump.

The ProxyCommand
nc (or netcat) is a command that relays TCP connections. ProxyCommand tells ssh to start the given command and to use its standard input and output as the connection to the target host; here that command is an SSH session to amberJump that runs nc there to connect to port 22 of the target, so the target's SSH server sees a plain TCP connection coming from the hop server.

Now you can SSH or SCP directly to the alias:
ssh vxs01



or
scp /some/file vxs01:/some/file


Reusing Connections

You can speed up the connection process by enabling connection reuse ("ControlMaster"). Only the first connection to serverB then takes a few seconds longer; as long as that connection stays open, every further connection is established much more quickly.

Now add the following lines to your ~/.ssh/config file, just below the User amber line:

ControlMaster auto
ControlPath   /tmp/%h_%p_%r


SSH will then create files in your /tmp directory to keep track of your running connections.

%h is the hostname
%p the port
%r the user

It would look like this:

Host amberJump
  HostName public.domain.com
  Port 22
  User amber
  ControlMaster auto
  ControlPath   /tmp/%h_%p_%r



If you would like connection reuse for all of your SSH connections, add these two lines at the very top of the file, outside any Host section, so that they apply globally. You can also repeat the two lines inside any Host section if you want to use different control files for different hosts.

What have we achieved? Technically we connect exactly the same way as we would without this configuration: the connection is still redirected through amberJump (the hop server). The only difference is that OpenSSH now does the intermediate step for us. It also allows us to transfer files "directly" to the destination host (the file is still relayed through the hop server).
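As an added example (not code from the original article), the following POSIX shell script generates the layout above, including the connection-reuse lines, from a function and writes it with the file permissions ssh insists on. The host names are the article's; the function names are mine, and the control socket is placed under ~/.ssh instead of the world-writable /tmp.

```shell
#!/bin/sh
# Added example, not from the original article: generate the article's
# ~/.ssh/config layout (hop server plus proxied hosts) from a shell function.
# Names (amberJump, public.domain.com, amber, vxs01..vxs03) come from the
# article; the output path is a parameter so nothing touches ~/.ssh unasked.

# gen_hop_config HOP_ALIAS HOP_HOSTNAME HOP_USER TARGET...
# Prints an ssh_config fragment to stdout.
gen_hop_config() {
    hop_alias=$1; hop_name=$2; hop_user=$3; shift 3
    printf 'Host %s\n' "$hop_alias"
    printf '  HostName %s\n' "$hop_name"
    printf '  Port 22\n'
    printf '  User %s\n' "$hop_user"
    printf '  ControlMaster auto\n'
    # Control socket under ~/.ssh instead of the world-writable /tmp used in
    # the article, so other local users cannot see or pre-create the socket.
    printf '  ControlPath ~/.ssh/cm-%%r@%%h:%%p\n'
    for target in "$@"; do
        printf '\nHost %s\n' "$target"
        # -q keeps the hop session's own messages out of the proxied stream.
        printf '  ProxyCommand ssh -q %s nc %s 22\n' "$hop_alias" "$target"
    done
}

# write_hop_config FILE HOP_ALIAS HOP_HOSTNAME HOP_USER TARGET...
# Writes the fragment with owner-only permissions: ssh refuses to use a
# config file that is writable by group or others.
write_hop_config() {
    cfg=$1; shift
    mkdir -p "$(dirname "$cfg")" && chmod 700 "$(dirname "$cfg")"
    ( umask 077; gen_hop_config "$@" > "$cfg" )
}

# count_proxy_hosts FILE: how many Host sections are routed via ProxyCommand.
count_proxy_hosts() {
    grep -c '^  ProxyCommand ' "$1"
}

# Run directly with a path argument to write the article's layout there:
#   sh hopconfig.sh ~/.ssh/config
if [ $# -ge 1 ]; then
    write_hop_config "$1" amberJump public.domain.com amber vxs01 vxs02 vxs03
fi
```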