using the openssh ProxyCommand option

when trying to jump through a bastion host, ssh forwarding creates a socket in /tmp for the user. this can be dangerous in an environment where there are many people with root privileges on the bastion host.

to alleviate the need for ssh forwarding, the ProxyCommand option can instead be used to forward a connection through the bastion to a target host on an internal network behind it. however, this kind of connection can be difficult to troubleshoot since there are a lot more factors involved and sometimes limited access to the bastion.

the following examples assume:

  • the bastion, proxy host is jumpbox

    • the login is jumpuser

  • the internal, destination host is insidebox

    • the login is insideuser

  • the local workstation used as a starting point is myworkstation

    • the login is myself

if the following items are considered, the process can be relatively straightforward to accomplish:

  • use public key authentication. logins that require password prompts are a real pain to automate. (all of the following points assume the use of shared keys.)

  • passwordless keys are the simplest to use, but only keep the secret key, well protected, on the local host. on a machine with many root users, this is not practical.

  • verify file permissions on the local host, the bastion, and the destination host, especially $HOME, $HOME/.ssh, and all the files in $HOME/.ssh.

  • be sure to specify the login on each host if they differ. this might be seen, for instance, in AWS where the default system user is * ec2-user or ubuntu *.

  • ensure that tcp forwarding is enabled on the bastion’s _ /etc/ssh/sshd_config _.

  • the name specified for the destination host must be a name that the bastion can resolve in dns. for instance, if the outside world knows the destination host as * www.example.com , but the destination environment uses a local dns server, and its name is * server1.example.com *, then the destination must be specified as * server1 *, not *www (and possibly as fqdn’s).

the following command can be used on the command line to jump through the bastion to the destination, and takes all of these points into account:

        ssh -i /home/myself/secure/ssh/mykey -o "ProxyCommand \
          ssh -i /home/myself/secure/ssh/mykey ec2-user@prod.bamsvc.com \
          nc %h %p" ec2-user@svc1-prod1

to simplify the procedure, the * $HOME/.ssh/config * can be edited to contain the necessary options:

Host insidebox
        user myself
        IdentifyFile ~/secure/ssh/mykey
        ProxyCommand ssh -qti ~/secure/ssh/mykey myself@jumpbox nc %h %p

note that the -q and -t options are my own preferences, and not really necessary.