Secure Shell (SSH) is a network protocol for secure data communication, mainly used to administer remote Unix / Linux servers via the command line. It also allows the user to open a secure tunnel between a client and a server, through which any kind of network traffic can be sent.
Many customers I work for use an SSH hop server that sits behind a firewall. The hop server is the main point of entry to a certain network area, similar to a proxy.
The firewall is configured with port forwarding to forward any SSH requests directly to a specific hop server. From there you can then connect via SSH to another host in order to remotely administer that server via command line. This kind of setup allows the administrator to more effectively control who and from where people can connect to a server.
If you need to do quite a lot of work on the remote servers that are sitting behind the hop server, it can get quite annoying to go through all the steps to connect, because for every connection you would need to connect first to the hop server and then connect to the desired remote server. It gets a bit more complicated if you try to send files from your client directly to the remote server, as you would need to send the file first to the hop server and from there to the remote server. Especially for bigger files you may not want to store them on the hop server first.
OpenSSH has some very nice features that let it use the hop server as an SSH proxy.
Access to an SSH hop server
nc or netcat has to be installed on the hop server
On your client, create a new file called ~/.ssh/config with the following content:
Host vxs01
    ProxyCommand ssh -q amberJump nc vxs01 22
Host vxs02
    ProxyCommand ssh -q amberJump nc vxs02 22
Host vxs03
    ProxyCommand ssh -q amberJump nc vxs03 22
We have specified the hop server amberJump, which is reached through the firewall. Then we have specified three hosts that should be redirected through amberJump.
nc (or netcat) is a command that relays TCP connections; here it runs on the hop server and forwards the SSH session to port 22 on the target host.
Now you can just SSH / SCP directly to your alias:
scp /some/file vxs01:/some/file
You can speed up the connection process if you enable the reuse of existing connections. This means that only the first connection to serverB will take a few seconds longer. As long as this connection stays open, all new connections will be established much more quickly.
Now put the following lines in your ~/.ssh/config file, just below the User amber line
SSH will then create files in your /tmp directory to keep track of your running connections.
is the hostname
It would look like this
If you would like to keep track of all your SSH connections, then you need to add the last two lines at the very top of your file. You can also repeat the two lines in any host section if you want to use different files.
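The hop-server proxying and connection reuse described above, combined into one ~/.ssh/config as an added example (not the original author's file). hop.example.com and the ControlPath values are placeholders; the example uses ssh -W in place of nc and keeps the control sockets in a private directory instead of /tmp, because ssh_config(5) recommends a ControlPath directory that other users cannot write to.

```sshconfig
# Added example, not the original author's file.
# Placed first so it applies to every host below. A control socket lets new
# sessions ride on the already authenticated connection, so whoever can open
# the socket gets a shell without logging in again.
Host *
    ControlMaster auto
    # Weak: /tmp is a shared, world-writable directory (constructed path)
    # ControlPath /tmp/ssh-%r@%h:%p
    # Hardened: private directory, created once with: mkdir -m 700 ~/.ssh/cm
    # %r, %h and %p keep one socket per remote user, host and port.
    ControlPath ~/.ssh/cm/%r@%h:%p

# Hop server reached through the firewall's port forward.
Host amberJump
    # Placeholder address; the page does not give the real one.
    HostName hop.example.com
    User amber

# Targets behind the hop server. The names are resolved on amberJump.
Host vxs01 vxs02 vxs03
    # The page's form, which needs nc on the hop server and one stanza per host:
    # ProxyCommand ssh -q amberJump nc vxs01 22
    # Same relay without nc: -W connects stdin/stdout to %h:%p via amberJump.
    # Assumes the hop server's sshd permits TCP forwarding.
    ProxyCommand ssh -q -W %h:%p amberJump
```

With this file in place, `ssh -O check vxs01` reports whether a master connection for that host is still open, and `ssh -O exit vxs01` closes it.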
What have we achieved? Well technically we connect exactly the same way as we would without this configuration. We still redirect our connection through amberJump (the hop server). The only thing that has changed is that OpenSSH is doing the step in between for us. It also allows us now to transfer files "directly" to the destination host. (The file is still being redirected through the hop server).