Transparent SSH Hopping

Secure Shell (SSH) is a network protocol for secure data communication, mainly used to administer remote Unix / Linux servers via the command line. It also allows the user to open a secure tunnel between a client and a server through which any kind of network traffic can be sent.

Many customers I work for are using an SSH hop server that is sitting behind a firewall. The hop server is the main point of entry to a certain network area, similar to a proxy.

The firewall is configured with port forwarding so that any SSH request is forwarded directly to a specific hop server. From there you can connect via SSH to another host in order to administer that server remotely via the command line. This kind of setup allows the administrator to control much more effectively who can connect to a server, and from where.

If you need to do a lot of work on the remote servers sitting behind the hop server, it gets tedious to go through all the steps for every connection: first connect to the hop server, then connect to the desired remote server. It gets more complicated if you want to send files from your client to the remote server, because you would need to copy the file to the hop server first and from there to the remote server. Especially for larger files you may not want to store them on the hop server at all.

OpenSSH has some very useful features that let it use the hop server as an SSH proxy.

Prerequisites

Access to an SSH hop server
nc (or netcat) has to be installed on the hop server

Overview

Layout
On your client, create a new file called ~/.ssh/config with the following content:
Host amberJump
  HostName public.domain.com
  Port 22
  User amber
 
Host vxs01
  ProxyCommand ssh -q amberJump nc vxs01 22

Host vxs02
  ProxyCommand ssh -q amberJump nc vxs02 22

Host vxs03
  ProxyCommand ssh -q amberJump nc vxs03 22


We have specified the hop server amberJump, which is reached through the firewall. Then we have specified three hosts whose connections should be routed through amberJump.

The ProxyCommand
ProxyCommand tells OpenSSH to run the given command and to use that command's standard input and output as the connection to the target host, instead of opening a direct TCP connection. Here the command is an ssh session to amberJump that runs nc (or netcat), a command to redirect TCP connections: on the hop server, nc connects to port 22 of the target host and relays the data in both directions.

Now you can SSH / SCP directly to your alias:
ssh vxs01



or
scp /some/file vxs01:/some/file

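The layout above is easy to write by hand for three hosts, but for a longer host list it is worth generating it, and it is worth being able to read an existing ~/.ssh/config back to see which aliases actually go through which hop. The following POSIX shell script is an added example (it is not part of the original article): gen_hop_config prints the hop stanza and one ProxyCommand stanza per target in exactly the "ssh -q HOP nc TARGET 22" form used above, and list_proxied_hosts parses a config file and lists every alias whose ProxyCommand hops through a given alias. The host names amberJump, public.domain.com and vxs01..vxs03 are taken from the article; the two function names and their argument order are this example's own.

```shell
#!/bin/sh
# Added example: generate the hop + proxied-host layout and audit it afterwards.

# gen_hop_config HOP_ALIAS HOP_HOSTNAME HOP_PORT HOP_USER TARGET...
# Prints the Host stanza for the hop, then one stanza per TARGET whose
# ProxyCommand goes through the hop with nc, as in the article's layout.
gen_hop_config() {
  hop=$1
  hopname=$2
  hopport=$3
  hopuser=$4
  shift 4
  printf 'Host %s\n  HostName %s\n  Port %s\n  User %s\n\n' \
    "$hop" "$hopname" "$hopport" "$hopuser"
  for target in "$@"; do
    printf 'Host %s\n  ProxyCommand ssh -q %s nc %s 22\n\n' \
      "$target" "$hop" "$target"
  done
}

# list_proxied_hosts CONFIG_FILE HOP_ALIAS
# ssh_config is a list of "keyword value" lines grouped under "Host" headers.
# awk remembers the current Host alias (first pattern only) and prints it when
# the stanza's ProxyCommand contains "HOP_ALIAS nc", i.e. it relays via the hop.
list_proxied_hosts() {
  awk -v hop="$2" '
    tolower($1) == "host" { cur = $2; next }
    tolower($1) == "proxycommand" {
      for (i = 2; i <= NF; i++)
        if ($i == hop && $(i + 1) == "nc") { print cur; break }
    }' "$1"
}

# Usage (writes a fresh config; merge by hand if you already have one):
#   gen_hop_config amberJump public.domain.com 22 amber vxs01 vxs02 vxs03 > ~/.ssh/config
#   list_proxied_hosts ~/.ssh/config amberJump
```

list_proxied_hosts is a quick way to review the config before committing to it: every alias it prints will silently open a session on the hop server, which is exactly what you want to know when the hop is the audited entry point. Note that recent OpenSSH versions can replace the nc relay with "ProxyCommand ssh -W %h:%p amberJump" or the ProxyJump keyword, which needs no netcat on the hop server; the article's nc form works on older servers as well.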

Reusing Connections

You can speed up the connection process by enabling reuse of existing connections. Only the first connection to serverB then takes a few seconds longer; as long as that connection stays open, all new connections are established much more quickly.

Now add the following lines to your ~/.ssh/config file, just below the line User amber:
ControlMaster auto
ControlPath   /tmp/%h_%p_%r


SSH will then create files in your /tmp directory to keep track of your running connections. The placeholders in the file name are expanded per connection:

%h is the hostname
%p is the port
%r is the user

The complete hop section would then look like this:
Host amberJump
  HostName public.domain.com
  Port 22
  User amber
  ControlMaster auto
  ControlPath   /tmp/%h_%p_%r



If you would like all of your SSH connections to be tracked this way, add those two lines at the very top of the file, before the first Host section. You can also repeat the two lines inside any Host section for which you want to use different files.
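Because the ControlPath socket is what later sessions attach to, two things about it are worth checking before relying on connection reuse: the directory holding the sockets should not be writable by other users (ssh_config(5) recommends this so that nobody else can place a socket of the same name there), and the path should contain %h, %p and %r (or, in newer OpenSSH versions, the hash token %C) so that every hop/port/user combination gets its own socket. The POSIX shell function below is an added example, not part of the article, that performs both checks on a ControlPath pattern; its name and return codes are this example's own, and it reads the directory mode from ls -ld rather than stat to stay portable.

```shell
#!/bin/sh
# Added example: check a ControlPath pattern before enabling ControlMaster.

# check_controlpath PATTERN
# Returns 0 if PATTERN is acceptable,
#         1 if the socket directory is writable by other users,
#         2 if the pattern lacks the per-connection tokens (%h %p %r, or %C),
#         3 if the socket directory does not exist.
check_controlpath() {
  pattern=$1
  dir=$(dirname "$pattern")
  [ -d "$dir" ] || return 3

  # "ls -ld" prints a mode string such as drwxrwxrwt; character 9 is the
  # "other write" bit. /tmp is world-writable (sticky), so it fails this test.
  otherw=$(ls -ld "$dir" | cut -c9)
  [ "$otherw" = "-" ] || return 1

  # %C is a hash of the connection parameters and covers all of them at once.
  case $pattern in
    *%C*) return 0 ;;
  esac
  # Otherwise each of the three tokens from the article must be present.
  case $pattern in *%h*) ;; *) return 2 ;; esac
  case $pattern in *%p*) ;; *) return 2 ;; esac
  case $pattern in *%r*) ;; *) return 2 ;; esac
  return 0
}

# Usage: check_controlpath "$HOME/.ssh/cm_%h_%p_%r" && echo "ControlPath ok"
```

Running it against the article's /tmp/%h_%p_%r pattern returns 1 on a normal system, because /tmp is writable by everyone; a directory under ~/.ssh with mode 700 passes. If you use ~/.ssh, create the directory yourself with restrictive permissions before enabling ControlMaster, since OpenSSH will not create it for you.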

What have we achieved? Technically we connect exactly the same way as we would without this configuration: the connection is still routed through amberJump (the hop server). The only difference is that OpenSSH performs the intermediate step for us. It also lets us transfer files "directly" to the destination host (the file is still relayed through the hop server).
Administrative Comment by Eric AKA Netminder (ericpete, Page Editor):

un1x86,

Congratulations; your article has been published. Thank you for a nice explanation.