Using SSH Jump Hosts
Posted on Tue 17 May 2022 in Sysadmin
We have a server that is used as an SSH gateway: users on an external network connect to it first and from there reach our research servers and other machines.
The SSH gateway server responds on port 22 for internal networks and on another port (2222, for example) for external networks. Connections arriving from external networks on port 2222 have more stringent security requirements imposed on them.
The problem is that you have to SSH to the gateway server and then from there to your destination. It would be nice to simplify this a bit, so let me show you what I do.
Assumptions:
- gate.math.wisc.edu is the SSH gateway machine that listens on port 2222 for external networks
- Your SSH configuration files are in ~/.ssh. If you are running OpenSSH on Windows your files are in *C:\Users\YourUserName\.ssh*.
- You have SSH key authentication set up. If not, you'll just get prompted for passwords more than I do.
Add these lines to ~/.ssh/config:

```
Host gate.r
    HostName gate.math.wisc.edu
    Port 2222
    User myusername
    ForwardAgent yes
```

The ForwardAgent line lets the jump host reach your SSH agent, so that your keys can be used from there when you connect onward to the target server. One caveat: the -J jump described below does not actually need it, because with -J your client authenticates to the target end to end through a tunnel via the gateway, so the gateway never sees your agent. A forwarded agent can be used by anyone with root on the gateway for as long as you are connected, so keep this line only if you also log in to the gateway and start ssh from its shell.
Then append these lines to ~/.bashrc:

```
alias sshr="ssh -J gate.r "
alias scpr="scp -J gate.r "
```
I like to create the "gate.r" alias to set it apart from other Host entries I may have for "gate" or "gate.math.wisc.edu". You can just use the full name if you wish.
The -J switch in the aliases above names a "jump host" (the same setting as the ProxyJump option in ~/.ssh/config) that SSH will relay the connection through. So when connecting to a machine via the gateway server you just run one command. Example:

```
sshr server1.math.wisc.edu
```

This will SSH to gate.math.wisc.edu and from there immediately and transparently SSH to server1.
Another tip: set up short names for your hosts in ~/.ssh/config:

```
Host server1.math.wisc.edu server1.math server1
    HostName server1.math.wisc.edu
    User me3
```

This way you can just run "ssh server1" to connect from external networks (where your machine may not automatically append the domain the target server is using).
```
me@compy386:~$ sshr server1
Welcome to Ubuntu 3.14 LTS (GNU/Linux 2.6.3-generic x86)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

Last login: Tue May 17 11:39:37 2022 from 4.2.2.2
me3@server1:~$
```
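Putting the gateway entry, the jump and the short host names together, here is an added example (not code from the original post) of a config that makes plain `ssh server1` go through the gateway, plus a way to check what OpenSSH will actually do with it before you rely on it. It writes a constructed config to a scratch directory, using ProxyJump in the config instead of the -J alias and leaving ForwardAgent off, then queries `ssh -G`, which prints the effective per-host settings without opening a connection. The function names (write_jump_config, effective_option, check_jump_config, ssh_can_resolve) are this example's own; the host names are the ones used in the post.

```shell
#!/bin/sh
# Added example: verify a ProxyJump config with `ssh -G` (no connection is made).
set -e

# Write a constructed ~/.ssh/config-style file to $1. ProxyJump replaces the
# -J alias so plain `ssh server1` works; agent forwarding stays off because
# the client authenticates to server1 end to end through the gateway tunnel.
write_jump_config() {
    cat >"$1" <<'EOF'
Host gate.r
    HostName gate.math.wisc.edu
    Port 2222
    User myusername
    IdentitiesOnly yes
    ForwardAgent no

Host server1.math.wisc.edu server1.math server1
    HostName server1.math.wisc.edu
    User me3
    ProxyJump gate.r
    ForwardAgent no
EOF
}

# Return 0 when an ssh client is present and `ssh -G` works in this environment.
ssh_can_resolve() {
    command -v ssh >/dev/null 2>&1 && ssh -G -F /dev/null localhost >/dev/null 2>&1
}

# Print the effective value of one option for a host exactly as OpenSSH
# resolves it. Usage: effective_option CONFIG HOST keyword (keyword lower case,
# the form `ssh -G` prints, e.g. hostname, port, proxyjump, forwardagent).
effective_option() {
    ssh -G -F "$1" "$2" | awk -v k="$3" '$1 == k { print $2; exit }'
}

# Return 0 if the config resolves the way the post describes, 1 otherwise:
# gate.r is gate.math.wisc.edu:2222, every short name for server1 maps to the
# full host name via gate.r with user me3, and the agent is never forwarded.
check_jump_config() {
    cfg=$1
    [ "$(effective_option "$cfg" gate.r hostname)" = "gate.math.wisc.edu" ] || return 1
    [ "$(effective_option "$cfg" gate.r port)" = "2222" ] || return 1
    [ "$(effective_option "$cfg" gate.r forwardagent)" = "no" ] || return 1
    [ "$(effective_option "$cfg" server1 hostname)" = "server1.math.wisc.edu" ] || return 1
    [ "$(effective_option "$cfg" server1 proxyjump)" = "gate.r" ] || return 1
    [ "$(effective_option "$cfg" server1.math user)" = "me3" ] || return 1
    [ "$(effective_option "$cfg" server1 forwardagent)" = "no" ] || return 1
    return 0
}

main() {
    if ! ssh_can_resolve; then
        echo "ssh -G is not usable here; nothing to check" >&2
        return 0
    fi
    dir=$(mktemp -d)
    write_jump_config "$dir/config"
    if check_jump_config "$dir/config"; then
        echo "config OK: ssh server1 goes via gate.math.wisc.edu:2222, agent forwarding off"
    else
        echo "config does NOT resolve as expected; effective settings for server1:" >&2
        ssh -G -F "$dir/config" server1 \
            | grep -E '^(hostname|port|user|proxyjump|forwardagent) ' >&2 || true
    fi
    rm -rf "$dir"
}

main
```

Run the same `ssh -G server1` against your real ~/.ssh/config (without -F) after editing it; if the `proxyjump` or `port` lines are not what you expect, a Host pattern earlier in the file is matching first, since OpenSSH keeps the first value it finds for each option.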