by mmalone
2247 days ago
You can also use the `ProxyJump` directive in your `~/.ssh/config`, which is the same as `-J` on the command line. So, for example:

    Host host_final
        ProxyJump user1@host1

will do the same thing as `-J user1@host`, but will allow you to just type:

    ssh user_final@host_final

If you're using an older SSH you can do this with a `ProxyCommand` (requires netcat on the jump box, but that's pretty standard):

    Host host_final
        ProxyCommand ssh user1@host1 nc %h %p

There are a bunch of variations on this technique, but these are the most common configs. Super easy transparent bastioning.

You can get really fancy with this stuff, particularly with `ProxyCommand`. We use it to trigger auto-login for our "Single sign-on for SSH" product at smallstep. When you have a `ProxyCommand` configured, instead of opening its own socket, OpenSSH just execs your proxy command and expects stdin & stdout to end up connected to a socket to the remote server. It doesn't care how that happens or what else happens before you get there. So we (ab)use this as a hook to check if you have a valid SSH certificate in your `ssh-agent` and, if you don't, trigger a single sign-on flow. It's nifty.

If you've never read the man pages for `ssh_config` and `sshd_config`, I highly recommend it. It's not that long and there's a lot of good stuff in there.
|
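The `ProxyCommand` hook described in the comment above, sketched as a wrapper script (an added example, not smallstep's code and not part of the original comment): it checks the agent for an unexpired certificate, runs a sign-on command if none is found, then hands stdin/stdout to `nc`. `SSO_LOGIN_CMD`, the script path and the function names are assumptions, and reading the `Valid:` line of `ssh-keygen -L` is just one way to test expiry.

```shell
#!/bin/sh
# Added example: ProxyCommand wrapper that runs a sign-on hook when the agent
# holds no currently valid SSH certificate. Use from ~/.ssh/config as:
#   Host host_final
#       ProxyCommand /path/to/cert-proxy.sh %h %p
# SSO_LOGIN_CMD is a hypothetical placeholder for your own sign-on command.

# Read `ssh-keygen -L` output on stdin; succeed if any certificate's validity
# window contains $1 (local time, YYYY-MM-DDTHH:MM:SS, compared as strings).
has_current_cert() {
    awk -v now="$1" '
        $1 != "Valid:"  { next }
        $2 == "forever" { ok = 1 }
        $2 == "from"   && ($3 "") <= now && now < ($5 "") { ok = 1 }
        $2 == "after"  && ($3 "") <= now { ok = 1 }
        $2 == "before" && now < ($3 "")  { ok = 1 }
        END { exit ok ? 0 : 1 }
    '
}

# Keep only certificate identities from `ssh-add -L` output on stdin.
only_certs() {
    grep -e '-cert-v01@openssh\.com ' || true
}

agent_has_current_cert() {
    ssh-add -L 2>/dev/null | only_certs | ssh-keygen -L -f - 2>/dev/null |
        has_current_cert "$(date +%Y-%m-%dT%H:%M:%S)"
}

proxy_main() {
    host=$1 port=$2
    if ! agent_has_current_cert; then
        # stdout is the SSH transport, so the hook may only write to stderr.
        ${SSO_LOGIN_CMD:?set SSO_LOGIN_CMD to your sign-on command} </dev/null >&2 || exit 1
    fi
    # From here on, stdin/stdout must be the byte stream to the server.
    exec nc "$host" "$port"
}

# Only act when invoked as a ProxyCommand with %h and %p.
if [ "$#" -eq 2 ]; then proxy_main "$1" "$2"; fi
```

Anything the hook prints to stdout would be injected into the SSH protocol stream and break the connection, which is why its output is redirected to stderr.
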
Even without ProxyJump, you can do something similar with ProxyCommand without netcat:
(Granted, this is still more recent, but I think ProxyJump was introduced later than this.)