Jul 24, 2019 Jumping through tunnels (A guide to SSH-ProxyJump)
At some point, we've all been in an environment similar to the one shown above and had the fun experience of SSHing from one Jumpbox to the next in order to access a deployment in a more
secure environment. Now if this is a rare occurrence, it isn't a big issue. The real annoyance comes in when its a daily, hourly, or constant process and the time to jump between machines starts to really add up and impact productivity.
This is where
SSH Config and
ProxyJump come in to make life easier.
If you are not familiar with
SSH Config, it is a simple configuration file for
ssh that allows custom configurations to be specified and to alias those custom configurations. A simple example can be shown below that sets up
ServerAliveInterval for all hosts, and sets up aliases for a few servers.
Host * ServerAliveInterval 60 TCPKeepAlive no Host jumpbox-1 HostName jumpbox-1.example.com User daviddob IdentityFile /home/daviddob/.ssh/jumpbox-1.pem Host jumpbox-2 HostName 10.236.156.12 User admin IdentityFile /home/daviddob/.ssh/jumpbox-2.pem Host jumpbox-3 HostName sec.dx.prod.c1.az1.r1a.dc1.vsp.example.com User admin IdentityFile /home/daviddob/.ssh/jumpbox-3.pem Host deployment-1 HostName dep1.dx.prod.c1.az1.r1a.dc1.vsp.example.com User daviddob IdentityFile /home/daviddob/.ssh/deployment-1.pem
The above allows an operator to simply
ssh jumpbox-1 and have the User and HostName information automatically supplied. This is useful for simplifying the process overall and reduces the need for remembering complex and long dns names or IP Addresses when trying to SSH.
So how does this help with the above scenario? With the basic config shown above an operator would still have to
ssh jumpbox-1 then
ssh jumpbox-2 then
ssh jumpbox-3 then
ssh deployment-1. Its better, but requires multiple commands, and multiple SSH configs (one on each intermediate machine) as well as SSH keys stored on each machine.
This is where
ProxyJump comes in. If we rework our above SSH config a bit and have all of the associated SSH keys on our local machine, we can simplify the process quite a bit. The below config simply adds the
ProxyJump directive to each machine signifying which machine you need to jump through to get to the target machine.
Host * ServerAliveInterval 60 TCPKeepAlive no Host jumpbox-1 HostName jumpbox-1.example.com User daviddob IdentityFile /home/daviddob/.ssh/jumpbox-1.pem Host jumpbox-2 HostName 10.236.156.12 User admin IdentityFile /home/daviddob/.ssh/jumpbox-2.pem ProxyJump jumpbox-1 Host jumpbox-3 HostName sec.dx.prod.c1.az1.r1a.dc1.vsp.example.com User admin IdentityFile /home/daviddob/.ssh/jumpbox-3.pem ProxyJump jumpbox-2 Host deployment-1 HostName dep1.dx.prod.c1.az1.r1a.dc1.vsp.example.com User daviddob IdentityFile /home/daviddob/.ssh/deployment-1.pem ProxyJump jumpbox-3
This simple change allows an operator to
ssh deployment-1, wait a bit for all of the connections to be made, and get dropped into a shell on the
deployment-1 machine. So if you find yourself in a similar situation in the future, even if its only jumping through one box to get to another, maybe consider spending the 30 seconds to modify your ssh config and make the future that much easier.