SSHing onto machines via a jumpbox
We wanted to be able to SSH into some machines that were behind a firewall, so we set up a jumpbox to which the firewall forwarded any inbound traffic on port 22.
Initially, if we wanted to SSH onto a machine inside the network we had to do it in two steps:
$ ssh jumpbox
# now on the jumpbox
$ ssh internal-network-machine
That got a bit annoying after a while so Sam showed us a neat way of proxying the second ssh command through the first one by making use of netcat.
We put the following into ~/.ssh/config:
Host jumpbox jumpbox-ip
    Hostname jumpbox-ip
    User user
    IdentityFile ~/.ssh/id_rsa
    ProxyCommand none

Host internal-network-machine
    Hostname internal-network-machine-ip

Host 10.*
    User ubuntu
    ProxyCommand ssh jumpbox exec nc -w 9000 %h %p
    UserKnownHostsFile /dev/null
    StrictHostKeyChecking no
The '-w 9000' option gives netcat a 9000-second (2 1/2 hour) timeout, so any orphaned connections die off within that time.
%h and %p stand for the host and port of the internal machine, so in this case %h is 'internal-network-machine-ip' and %p is 22.
We can then just do the following to ssh into the machine:
$ ssh internal-network-machine
Which is pretty neat!
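As an added example (not code from the original post), the following Python script resolves a client config the way ssh(1) does: every matching Host block contributes, the first value obtained for a keyword wins, and %h/%p in ProxyCommand are expanded to the target host and port. It then flags the two keywords in the config above that switch off host-key verification. The config it parses is a constructed fragment modelled on the one above; the names jumpbox, jumpbox-ip, db and the 10.0.0.x addresses are placeholders.

```python
"""Resolve and audit an OpenSSH client config (added example, not from the post)."""
import re

# Constructed ~/.ssh/config fragment modelled on the jumpbox setup above.
SAMPLE_CONFIG = """\
Host jumpbox jumpbox-ip
  Hostname jumpbox-ip
  User user
  IdentityFile ~/.ssh/id_rsa
  ProxyCommand none

Host db
  Hostname 10.0.0.7

Host 10.*
  User ubuntu
  ProxyCommand ssh jumpbox exec nc -w 9000 %h %p
  UserKnownHostsFile /dev/null
  StrictHostKeyChecking no
"""


def parse_config(text):
    """Return (patterns, {keyword: value}) blocks in file order.
    Options before the first Host line form an implicit 'Host *' block."""
    blocks, patterns, opts = [], ["*"], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"(\w+)\s*=?\s*(.*)", line)  # 'Key value' or 'Key=value'
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "host":
            blocks.append((patterns, opts))
            patterns, opts = value.split(), {}
        else:
            opts.setdefault(key, value)  # first occurrence wins inside a block too
    blocks.append((patterns, opts))
    return blocks


def _glob_match(pattern, name):
    """ssh-style pattern: only '*' and '?' are special; hostnames match case-insensitively."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, name, re.IGNORECASE) is not None


def block_applies(patterns, name):
    """A Host line matches if any positive pattern matches and no '!' pattern does."""
    active = False
    for pat in patterns:
        negated = pat.startswith("!")
        if _glob_match(pat.lstrip("!"), name):
            if negated:
                return False
            active = True
    return active


def resolve(text, name, port="22"):
    """Effective options for `ssh name`: first obtained value wins across
    matching blocks; %h/%p in ProxyCommand become the final hostname and port.
    Host patterns are matched against the name typed on the command line."""
    effective = {}
    for patterns, opts in parse_config(text):
        if block_applies(patterns, name):
            for key, value in opts.items():
                effective.setdefault(key, value)
    effective.setdefault("hostname", name)
    effective.setdefault("port", port)
    if "proxycommand" in effective:
        effective["proxycommand"] = (effective["proxycommand"]
                                     .replace("%h", effective["hostname"])
                                     .replace("%p", effective["port"]))
    return effective


def audit(text, name):
    """Findings for `ssh name`: settings that disable host-key verification."""
    eff = resolve(text, name)
    findings = []
    if eff.get("stricthostkeychecking", "ask").lower() == "no":
        findings.append("StrictHostKeyChecking no: new or changed host keys are accepted silently")
    if eff.get("userknownhostsfile") == "/dev/null":
        findings.append("UserKnownHostsFile /dev/null: host keys are never remembered")
    return findings


if __name__ == "__main__":
    for target in ("jumpbox", "10.0.0.5", "db"):
        eff = resolve(SAMPLE_CONFIG, target)
        print(target, "->", eff.get("proxycommand", "(direct)"), audit(SAMPLE_CONFIG, target))
```

Two things the resolver makes visible: a Host pattern is matched against the name you type, not the address the Hostname keyword later substitutes, so the alias db above resolves to 10.0.0.7 yet does not pick up the 10.* block; and the combination of StrictHostKeyChecking no with UserKnownHostsFile /dev/null means the internal machine's key is never checked or stored, so a host answering in its place on the jumpbox side would not be noticed. Keeping a dedicated known_hosts file for the internal range instead of /dev/null preserves the proxying while keeping that check.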
This is explained further on benno's blog and on the OpenBSD Journal.