Hop through Jump Servers


Network isolation is a way of life.

It’s not like it was in the 90s when we’d find the occasional desktop on the same network segment as the Production servers.

With that comes a requirement that we ssh through a Jump Host on our way through to our target server.

But who wants to log in twice to get into a server?

ssh key pairs can help, but it's still not a good idea to store your private key on a bastion host: if the bastion is compromised, so is every key sitting on it.

Insert the following block into your ~/.ssh/config file and update it with your server information (the HostName values below are placeholders), then log into the target server (starbug) with a single command:

ssh starbug

#Bastion Host at the office
Host bastion
    #real hostname or IP of the jump host (placeholder)
    HostName bastion.example.com
    User lister
    IdentityFile ~/.ssh/id_rsa_Bastion

#Target Server at the office
Host starbug
    #real hostname or IP of the target (placeholder)
    HostName starbug.example.com
    User lister
    ProxyCommand ssh bastion -W %h:%p
    IdentityFile ~/.ssh/id_rsa_Starbug

In the first Stanza:
We've given the jump server the alias "bastion." It can be called anything, as long as the ProxyCommand in the second stanza uses the same alias. The actual hostname or IP address of the jump server goes on the HostName line. Since we're authenticating with ssh key pairs, we also specify the User (lister) and the locally stored private key used to log in to the bastion.

In the second Stanza:
We’ve given the target server the name “starbug.” We can name it anything, but it’s probably best to use the actual hostname of the target so we don’t get confused. =)

As before, the actual hostname or IP address of the target server is defined by the HostName line.

The ProxyCommand runs a second ssh command that connects to the bastion from the first stanza. Its -W %h:%p option tells that session to forward its standard input and output to the target host and port (%h and %p are filled in by the local client from the starbug stanza), so the outer ssh gets a raw pipe to starbug's ssh port and negotiates its own, separately encrypted session through it. The bastion relays bytes; it never sees the inner session in the clear.

Because that second authentication happens from your local ssh client rather than from a shell on the bastion, the key for the final target (~/.ssh/id_rsa_Starbug) is read from your local home directory: it never has to be copied to the bastion, and you don't need agent forwarding either.

If you have more than one target server behind the same jump server, you only need the jump host stanza once; add a stanza per target, each with its ProxyCommand pointing at bastion.
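As an added example (not part of the original post), here is a small POSIX shell script that builds a ~/.ssh/config fragment for one bastion and several targets, the case just described, and then asks ssh itself how it will treat an alias. It uses ProxyJump, the OpenSSH 7.3+ shorthand for the ProxyCommand shown earlier, and adds IdentitiesOnly and ForwardAgent no as hardening. The host names (*.example.com), the extra target holly, the user and the key paths are placeholders you would replace with your own.

```shell
#!/bin/sh
# Added example, not from the original post. Generates a ~/.ssh/config
# fragment with ONE bastion stanza and a stanza per target behind it, then
# asks ssh itself (ssh -G) how it would resolve an alias, without connecting.
# All host names (*.example.com), users and key paths are placeholders.
set -eu

# Jump-host stanza. IdentitiesOnly stops ssh from offering every key in the
# agent to the bastion; ForwardAgent no keeps the agent socket off the bastion.
bastion_stanza() {
    # $1 alias, $2 real hostname or IP, $3 login user, $4 private key path
    printf 'Host %s\n' "$1"
    printf '    HostName %s\n' "$2"
    printf '    User %s\n' "$3"
    printf '    IdentityFile %s\n' "$4"
    printf '    IdentitiesOnly yes\n'
    printf '    ForwardAgent no\n'
    printf '\n'
}

# Target stanza. "ProxyJump bastion" is the OpenSSH 7.3+ shorthand for the
# post's "ProxyCommand ssh bastion -W %h:%p": the target's private key is
# read locally and never lands on the bastion.
target_stanza() {
    # $1 alias, $2 real hostname or IP, $3 login user, $4 private key path, $5 bastion alias
    printf 'Host %s\n' "$1"
    printf '    HostName %s\n' "$2"
    printf '    User %s\n' "$3"
    printf '    IdentityFile %s\n' "$4"
    printf '    IdentitiesOnly yes\n'
    printf '    ProxyJump %s\n' "$5"
    printf '\n'
}

# Full config: the bastion once, then every target that hides behind it.
# Key paths are single-quoted so the '~' reaches ssh, which expands it itself.
build_config() {
    bastion_stanza bastion bastion.example.com lister '~/.ssh/id_rsa_Bastion'
    target_stanza  starbug starbug.example.com lister '~/.ssh/id_rsa_Starbug' bastion
    target_stanza  holly   holly.example.com   lister '~/.ssh/id_rsa_Holly'   bastion
}

# How many times a given alias is declared as a Host in the config text.
count_host() {
    # $1 config text, $2 alias
    printf '%s\n' "$1" | grep -c "^Host $2\$" || true
}

# Ask ssh how it resolves an alias with this config (no connection is made).
# Prints the proxyjump value, or "ssh-unavailable" if ssh is missing or
# cannot run in this environment.
resolve_proxyjump() {
    # $1 config text, $2 alias
    if ! command -v ssh >/dev/null 2>&1; then
        echo ssh-unavailable
        return 0
    fi
    tmpcfg=$(mktemp)
    printf '%s\n' "$1" > "$tmpcfg"
    if ! out=$(ssh -G -F "$tmpcfg" "$2" 2>/dev/null); then
        rm -f "$tmpcfg"
        echo ssh-unavailable
        return 0
    fi
    rm -f "$tmpcfg"
    printf '%s\n' "$out" | awk '$1 == "proxyjump" { print $2 }'
}

CONFIG=$(build_config)
printf '%s\n' "$CONFIG"
echo "bastion declared $(count_host "$CONFIG" bastion) time(s)"
echo "starbug jumps via: $(resolve_proxyjump "$CONFIG" starbug)"
```

`ssh -G -F <file> <alias>` prints the options ssh would actually use for that alias without connecting, which is the quickest way to confirm a new stanza is being picked up and that the target really goes through the bastion.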

Note: Please make sure you’re following all appropriate security policies for your environment. It’s your responsibility to ensure that this procedure doesn’t violate any rules in your office.
