Setting up an SSH Jump Host

It's been a while since there was a tech post, so let's do one now ...

Today let's go over how to set up an SSH jump host.

Basically speaking, a jump host is an intermediate host that is used to allow your SSH client to reach its destination.

Typically, it is needed when network access between your client and the destination is not allowed.

Let's suppose you are trying to get to host b.blah.net. But that host is on a secure network, which denies you direct access.

The only way to get to that host is through a bastion host a.blah.net.

Assuming you have an account on both servers, the easiest way to get to the host on the secure network is to first SSH to server a, then SSH to server b:

Johns-MacBook-Pro:~ jchung$ ssh jchung@a.blah.net

jchung@a.blah.net's password:

Last login: Wed Oct 25 11:24:03 2023 from *.*.*.*

$ ssh jchung@b.blah.net

jchung@b.blah.net's password:

Last login: Wed Oct 25 11:17:21 2023 from *.*.*.*


However, ssh has a built-in jump option, -J.

The syntax is:

ssh -J [jump host(s) separated by commas] [destination host]

Thus you can specify the entire command with the following:

ssh -J jchung@a.blah.net jchung@b.blah.net

Once you type this you will then be prompted for passwords to both servers.

In the event you need to have multiple jump servers, put all jump servers in order separated by commas in the first parameter.

ssh -J server1.blah.net,server2.blah.net server3.blah.net


Key Authentication

The -J option on SSH also works with key authentication. However, it differs from directly SSH-ing to host A and then SSH-ing to host B.

When you SSH from your client to host A, host A checks the key on your client. When you then SSH from host A to B, host B checks the public/private key pair stored on server A.

However, when you SSH using the -J option, BOTH servers A and B check the key on your client. MORE SPECIFICALLY, server B WILL NOT check the SSH keys on server A, as it would in an actual two-step SSH process; your private key only ever needs to exist on your client, not on the bastion.

Thus when you use SSH with the -J option, make sure both servers A and B have your client's public key (.pub) file in their respective .ssh/authorized_keys files.
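Since every hop in a -J chain authenticates the client's own key, a quick way to catch the "key only on the bastion" mistake is to check copies of each host's authorized_keys against the client's .pub file. This is an added example and not code from the original post; the host names and key blobs in the demo are constructed.

```shell
#!/bin/sh
# Added example (not from the original post). With -J every hop checks the
# client's own key, so the client's public key must appear in authorized_keys
# on the bastion AND the destination. These helpers verify that offline from
# copies of the files. Keys are compared as "type base64", ignoring options
# and comments. Hosts and key material below are constructed for the demo.

# Print "type base64" for every key line, dropping leading options such as
# from="..." or no-pty and the trailing comment. Quoted options that contain
# spaces are not handled.
key_material() {
    awk '!/^[[:space:]]*(#|$)/ {
        for (i = 1; i <= NF; i++)
            if ($i ~ /^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-[a-z0-9]+|sk-[a-z0-9-]+@openssh\.com)$/) {
                print $i, $(i + 1); next
            }
    }'
}

# key_authorized PUBKEY_FILE AUTHORIZED_KEYS_FILE: exit 0 if the key is present
key_authorized() {
    want=$(key_material < "$1")
    [ -n "$want" ] || return 2
    key_material < "$2" | grep -qxF -- "$want"
}

# check_chain PUBKEY_FILE HOST=AUTHORIZED_KEYS_FILE ...: list hops lacking the key
check_chain() {
    pub=$1; shift
    missing=""
    for spec in "$@"; do
        host=${spec%%=*}; file=${spec#*=}
        key_authorized "$pub" "$file" || missing="$missing $host"
    done
    [ -z "$missing" ] && return 0
    echo "client key missing from authorized_keys on:$missing"
    return 1
}

# Demo: the bastion has the client key (with options), but the destination only
# holds the bastion's own key, i.e. the two-step habit described above.
tmp=$(mktemp -d)
echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5ClientKeyConstructed jchung@Johns-MacBook-Pro' > "$tmp/client.pub"
printf '%s\n' '# bastion a.blah.net' \
  'from="10.0.0.0/8",no-agent-forwarding ssh-ed25519 AAAAC3NzaC1lZDI1NTE5ClientKeyConstructed jchung@Johns-MacBook-Pro' > "$tmp/a_keys"
echo 'ssh-rsa AAAAB3NzaC1yc2EBastionKeyConstructed jchung@a.blah.net' > "$tmp/b_keys"
if check_chain "$tmp/client.pub" "a.blah.net=$tmp/a_keys" "b.blah.net=$tmp/b_keys"; then
    echo "all hops accept the client key"
else
    echo "fix authorized_keys before relying on -J"
fi
rm -rf "$tmp"
```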

SFTP using a JUMP host

The -J option also works when transferring files using SFTP.

This is also much nicer than transferring files two times: once to the intermediate host and then to the destination host.

$ sftp -J jchung@a.blah.net jchung@b.blah.net


Defining an SSH Jump configuration in the .ssh/config file

Typing an SSH command using a jump host can get a bit long.

ssh -J jchung@a.blah.net b.blah.net

so, to save time, you can add this to the config file:

# put this in the .ssh/config file

Host host-b
Hostname b.blah.net
Port 22
User jchung
ProxyJump jchung@a.blah.net

You can now ssh to host b using the alias defined after the Host directive:

$ ssh host-b