Mark Needham

Thoughts on Software Development

SSHing onto machines via a jumpbox

with 4 comments

We wanted to be able to ssh into some machines which were behind a firewall so we set up a jumpbox which our firewall directed any traffic on port 22 towards.

Initially if we wanted to SSH onto a machine inside the network we’d have to do a two step process:

$ ssh jumpbox
# now on the jumpbx
$ ssh internal-network-machine

That got a bit annoying after a while so Sam showed us a neat way of proxying the second ssh command through the first one by making use of netcat.

We put the following into ~/.ssh/config:

Host jumpbox jumpbox-ip
 Hostname jumpbox-ip
 User     user
 IdentityFile ~/.ssh/id_rsa
 ProxyCommand none
 
Host internal-network-machine
  Hostname internal-network-machine-ip
 
Host 10.*
 User     ubuntu
 ProxyCommand ssh jumpbox exec nc -w 9000 %h %p
 UserKnownHostsFile /dev/null
 StrictHostKeyChecking no

The ‘-w 9000′ flag defines a 2 1/2 hour wait period so that any orphaned connections will die off within that time.

%h and %p represent the host and port of the internal machine so in this case %h is ‘internal-network-machine-ip’ and the port will be 22.

We can then just do the following to ssh into the machine:

ssh internal-network-machine

Which is pretty neat!

This is explained further on benno’s blog and on the Open BSD journal.

Written by Mark Needham

August 10th, 2012 at 12:58 am

Posted in Shell Scripting

Tagged with ,

  • Mike Wagg

    Nice tip

  • Risa-chan

    Umm:

    UserKnownHostsFile /dev/null
    StrictHostKeyChecking no

    Are you insane? Yes i know its your local network but umm… that doesnt mean to /blindly/ violate the trust model…

    Oh wait, i see:
    User ubuntu

    That explains /everything/.

  • http://www.markhneedham.com/blog Mark Needham

    @42b8cc3a783e55fa8eac6831147dcccb:disqus yeh you’re right, I think we actually discussed that and changed those two lines after I wrote about this. I haven’t worked at the place where we were doing that for 6 months though so I can’t check the code!

  • Risa-chan

    @Mark Needham Hehe just be careful out there, SSH Man in the Middle attacks are very easy to implement, even behind the highest firewall :)