SSH Jump Server

One of the simplest ways to reach services behind a NAT gateway is to go through an SSH jump (bastion) server. OpenSSH itself has features such as port forwarding that make this possible without granting full shell access on the jump host. Setting up that kind of access is the topic of this post.

In this scenario we grant SSH access to a single selected host behind the jump server, without giving shell access on the jump server itself, and we want that access to expire automatically. The client's public key goes into ~/.ssh/authorized_keys of the chosen user on the jump server. To limit what the key can do we use the options that sshd accepts in front of a key in that file (the AUTHORIZED_KEYS FILE FORMAT section of sshd(8) lists them). Picking the relevant ones gives the following entry:

expiry-time="20221024",command="",restrict,port-forwarding,permitopen="<ssh_host_behind_jump_server>:22" ssh-ed25519 <pubkey>

The restrict option does most of the work: it disables pty allocation, agent forwarding, X11 forwarding, port forwarding and execution of ~/.ssh/rc for this key, and any restriction added to OpenSSH in the future is included in that set. port-forwarding then re-enables only TCP forwarding, and permitopen limits it to the one host and port that may be reached through the jump server (several permitopen options may be given, separated by commas, to allow more than one target). command="" replaces whatever command the client might request with an empty one, so a session request runs nothing useful. expiry-time is self-explanatory: after the given date (YYYYMMDD, or YYYYMMDDHHMM[SS] for a time) the key is no longer accepted; the value is interpreted in the jump server's local time zone unless it ends with Z, which means UTC. Two things to check on the server side: the sshd_config must still allow TCP forwarding at all (AllowTcpForwarding, which is on by default), and the sshd must be recent enough to understand expiry-time, since an unknown option makes sshd reject the whole line.
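Entries like this tend to accumulate on a jump server, so it is worth being able to audit them. The following is an added example, not code from the original post: a small Python script that parses the options field of each authorized_keys line (the comma-separated syntax, including quoted values that may contain commas and backslash-escaped quotes) and flags keys that have no options at all, lack restrict, can forward to any host because permitopen is missing, allow any port in permitopen, have no expiry-time, or have one that is already in the past. The sample file embedded in it is constructed, and its key blobs are placeholders, not real keys.

```python
"""Audit a jump server's authorized_keys (added example, not from the original post).
Parses each line's options field (comma-separated; quoted values may hold commas and
\\" escapes) and flags keys that grant more than "one host, until a date". SAMPLE is constructed."""
import re
from datetime import datetime, timezone

KEY_TYPE = re.compile(r"^(ssh-|ecdsa-sha2-|sk-)")  # a line starting like this carries no options

def parse_options(line):
    """Return ([(name, value), ...] in file order, remainder); flags get True. Stops at whitespace outside quotes."""
    pairs, i, n = [], 0, len(line)
    while i < n and not line[i].isspace():
        m = re.match(r"[A-Za-z0-9-]+", line[i:])
        if not m:
            raise ValueError(f"bad option syntax near {line[i:i + 20]!r}")
        name, i, value = m.group(0).lower(), i + m.end(), True
        if i < n and line[i] == "=":
            i += 1
            if i < n and line[i] == '"':
                i, buf = i + 1, []
                while i < n and line[i] != '"':
                    if line[i] == "\\" and i + 1 < n and line[i + 1] == '"':
                        i += 1  # \" is a literal quote inside the value
                    buf.append(line[i])
                    i += 1
                if i >= n:
                    raise ValueError("unterminated quoted option value")
                i, value = i + 1, "".join(buf)
            else:
                m = re.match(r"[^,\s]*", line[i:])
                value, i = m.group(0), i + m.end()
        pairs.append((name, value))
        if i < n and line[i] == ",":
            i += 1
    return pairs, line[i:].lstrip()

def split_entry(line):
    """Split one line into (option pairs, key type, key blob, comment)."""
    pairs, rest = ([], line) if KEY_TYPE.match(line) else parse_options(line)
    parts = rest.split(None, 2)
    if len(parts) < 2 or not KEY_TYPE.match(parts[0]):
        raise ValueError(f"no key found in {line!r}")
    return pairs, parts[0], parts[1], (parts[2] if len(parts) == 3 else "")

def expiry_deadline(spec):
    """expiry-time is YYYYMMDD[Z] or YYYYMMDDHHMM[SS][Z]; Z means UTC, else server-local time."""
    utc, digits = spec.endswith("Z"), spec.rstrip("Z")
    fmt = {8: "%Y%m%d", 12: "%Y%m%d%H%M", 14: "%Y%m%d%H%M%S"}.get(len(digits))
    if fmt is None or not digits.isdigit():
        raise ValueError(f"bad expiry-time {spec!r}")
    dt = datetime.strptime(digits, fmt)
    return dt.replace(tzinfo=timezone.utc) if utc else dt.astimezone()

def audit_entry(line, now):
    """Return short problem codes for one entry (empty list means it is fine)."""
    pairs = split_entry(line)[0]
    if not pairs:
        return ["no-options"]  # a plain key gives a full shell on the jump host
    opts, forwarding = {}, True  # sshd applies options left to right
    for name, value in pairs:
        opts.setdefault(name, []).append(value)
        if name in ("restrict", "no-port-forwarding"):
            forwarding = False  # so "port-forwarding,restrict" disables it again
        elif name == "port-forwarding":
            forwarding = True
    findings = []
    if "restrict" not in opts:
        findings.append("no-restrict")  # pty, agent/X11 forwarding, ~/.ssh/rc still allowed
    if forwarding and "permitopen" not in opts:
        findings.append("forward-anywhere")  # TCP forwarding to any host and port
    if any(v.endswith(":*") for v in opts.get("permitopen", [])):
        findings.append("permitopen-any-port")
    if "expiry-time" not in opts:
        findings.append("no-expiry")
    elif expiry_deadline(opts["expiry-time"][0]) <= now:
        findings.append("expired")
    return findings

def audit(text, now=None):
    """Audit every key line of an authorized_keys file: {comment or key blob: findings}."""
    now = now or datetime.now(timezone.utc)
    report = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            _, _, key, comment = split_entry(line)
            report[comment or key] = audit_entry(line, now)
    return report

# Constructed sample file; the key blobs are placeholders, not real keys.
SAMPLE = r"""expiry-time="20221024",command="",restrict,port-forwarding,permitopen="10.0.0.5:22" ssh-ed25519 AAAAC3FAKE1 alice@laptop
expiry-time="20991231Z",restrict,port-forwarding,permitopen="10.0.0.5:22",permitopen="10.0.0.6:22" ssh-ed25519 AAAAC3FAKE2 bob@laptop
restrict,port-forwarding ssh-ed25519 AAAAC3FAKE3 carol@laptop
ssh-ed25519 AAAAC3FAKE4 dave@laptop
command="echo \"jump only\", bye",no-pty,port-forwarding,permitopen="10.0.0.5:*" ssh-rsa AAAAB3FAKE5 erin@laptop
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```

To audit a real file, pass its contents to audit(), for example audit(open("/home/<jump_user>/.ssh/authorized_keys").read()). The expiry check deliberately mirrors sshd: a value without a trailing Z is interpreted in the local time zone of the machine running the script, so run it on the jump server itself (or give expiry-time values with Z) to get the same answer sshd would.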

From the client perspective to establish a connection just run:

$ ssh -J <jump_user>@<jump_server> user@<ssh_host_behind_jump_server>
(user@<ssh_host_behind_jump_server>) Password:

The -J option is a shortcut for ProxyJump: ssh first connects to the jump host and then asks it to forward a TCP connection to the destination SSH server, which is exactly the forwarding the permitopen option allows (it is equivalent to ProxyCommand ssh -W %h:%p <jump_user>@<jump_server>). Several jump hosts can be chained by giving -J a comma-separated list. To avoid typing all the switches every time, the same setup can be described in ~/.ssh/config:

$ cat ~/.ssh/config
Host <ssh_host_behind_jump_server>
    HostName <ssh_host_behind_jump_server>
    User user
    ProxyJump jump_server
Host jump_server
    HostName <jump_server>
    User <jump_user>

$ ssh <ssh_host_behind_jump_server>
(user@<ssh_host_behind_jump_server>) Password:

A neat way to start giving access to internal services with little effort, and with access control and logging concentrated in a single tool, OpenSSH.
