SSHing onto machines via a jumpbox
We wanted to be able to SSH into some machines that sat behind a firewall, so we set up a jumpbox to which the firewall forwarded all inbound traffic on port 22.
Initially, if we wanted to SSH onto a machine inside the network, we had to do it in two steps:
$ ssh jumpbox
# now on the jumpbox
$ ssh internal-network-machine
That got a bit annoying after a while, so Sam showed us a neat way of proxying the second ssh command through the first one by making use of netcat.
We put the following into ~/.ssh/config:
Host jumpbox jumpbox-ip
    Hostname jumpbox-ip
    User user
    IdentityFile ~/.ssh/id_rsa
    # the jumpbox is reached directly; this also stops it ever being routed through the proxy block below
    ProxyCommand none

Host internal-network-machine
    Hostname internal-network-machine-ip

# Host patterns are matched against the name typed on the command line, not the substituted Hostname,
# so the alias is listed here alongside the 10.* range; otherwise 'ssh internal-network-machine' gets no proxy
Host internal-network-machine 10.*
    User ubuntu
    # open an ssh session to the jumpbox and have netcat forward our connection to the internal host
    ProxyCommand ssh jumpbox exec nc -w 9000 %h %p
    # these two lines turn off host-key verification for the internal hosts and record no keys
    UserKnownHostsFile /dev/null
    StrictHostKeyChecking no
The '-w 9000' flag gives netcat a 9000-second (2 1/2 hour) timeout, so that any orphaned connections die off within that time.
%h and %p stand for the host and port of the internal machine, so in this case %h is 'internal-network-machine-ip' and the port will be 22.
We can then just do the following to ssh into the machine:
ssh internal-network-machine
Which is pretty neat!
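To make the Host-matching and %h/%p behaviour above concrete, here is an added example (not code from the original post) in Python: a small resolver that reads an ssh_config-style text the way ssh(1) does (first obtained value of each option wins, patterns matched against the name typed on the command line) and expands the ProxyCommand for a given host. The embedded config is constructed to mirror the post's layout; the hostnames, the 10.0.0.5 address and the describe() helper are assumptions for the demo.

```python
import fnmatch

# Constructed ssh_config in the same shape as the post's example (not the author's file).
SAMPLE_CONFIG = """
Host jumpbox jumpbox-ip
    Hostname jumpbox-ip
    User user
    IdentityFile ~/.ssh/id_rsa
    ProxyCommand none

Host internal-network-machine
    Hostname 10.0.0.5

Host 10.*
    User ubuntu
    ProxyCommand ssh jumpbox exec nc -w 9000 %h %p
    UserKnownHostsFile /dev/null
    StrictHostKeyChecking no
"""


def parse_config(text):
    """Return (patterns, {option: value}) blocks in file order.
    Options before any Host line belong to an implicit 'Host *' block."""
    blocks = []
    patterns, opts = ["*"], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "host":
            if opts:
                blocks.append((patterns, opts))
            patterns, opts = value.split(), {}
        else:
            opts.setdefault(key, value)  # a repeated option inside a block is ignored
    if opts:
        blocks.append((patterns, opts))
    return blocks


def host_matches(patterns, name):
    """ssh_config Host semantics: '*' and '?' wildcards, a '!' pattern negates
    the whole line, otherwise any positive match counts. (fnmatch also treats
    [...] as a class, which ssh does not; the sample config uses neither.)"""
    matched = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(name, pat[1:]):
                return False
        elif fnmatch.fnmatchcase(name, pat):
            matched = True
    return matched


def effective_options(blocks, name):
    """Walk the blocks in order and keep the FIRST value seen for each option,
    matching against the name typed on the command line (not a later Hostname)."""
    result = {}
    for patterns, opts in blocks:
        if host_matches(patterns, name):
            for key, value in opts.items():
                result.setdefault(key, value)
    return result


def expand_proxy_command(options, name):
    """Expand %h (Hostname after substitution), %p (Port, default 22), %r (User)
    and %% in ProxyCommand. Returns None when no proxy applies ('none' or absent)."""
    cmd = options.get("proxycommand")
    if cmd is None or cmd.lower() == "none":
        return None
    subs = {"h": options.get("hostname", name), "p": options.get("port", "22"),
            "r": options.get("user", ""), "%": "%"}
    out, i = [], 0
    while i < len(cmd):
        if cmd[i] == "%" and i + 1 < len(cmd) and cmd[i + 1] in subs:
            out.append(subs[cmd[i + 1]])
            i += 2
        else:
            out.append(cmd[i])
            i += 1
    return "".join(out)


def describe(name, config_text=SAMPLE_CONFIG):
    """Summarise how 'ssh <name>' would be set up under the sample config."""
    opts = effective_options(parse_config(config_text), name)
    return {
        "hostname": opts.get("hostname", name),
        "user": opts.get("user"),
        "proxy": expand_proxy_command(opts, name),
        "host_key_checking": opts.get("stricthostkeychecking", "ask"),
    }


if __name__ == "__main__":
    for target in ("jumpbox", "10.0.0.5", "internal-network-machine"):
        print(target, describe(target))
```

Running it shows that 'ssh 10.0.0.5' gets the netcat hop through the jumpbox with host-key checking off, 'ssh jumpbox' gets no proxy because 'ProxyCommand none' is the first value ssh obtains, and 'ssh internal-network-machine' is resolved to 10.0.0.5 but picks up no ProxyCommand at all, because Host patterns are matched against the alias typed, not the substituted address. Listing the alias on the wildcard Host line fixes that. On OpenSSH 7.3 and later the same hop can be expressed as 'ProxyJump jumpbox' (ssh -J), which needs no netcat on the jumpbox and keeps normal known_hosts verification for the internal host.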
This is explained further on benno’s blog and on the Open BSD journal.
About the author
I'm currently working on short form content at ClickHouse. I publish short 5 minute videos showing how to solve data problems on YouTube @LearnDataWithMark. I previously worked on graph analytics at Neo4j, where I also co-authored the O'Reilly Graph Algorithms Book with Amy Hodler.