Stark & Wayne

Jumping through tunnels (A guide to SSH-ProxyJump)

At some point, we've all been in an environment similar to the one shown above and had the fun experience of SSHing from one jumpbox to the next in order to reach a deployment in a more secure environment. If this is a rare occurrence, it isn't a big issue. The real annoyance comes in when it's a daily, hourly, or constant process and the time spent jumping between machines starts to add up and impact productivity.

This is where SSH Config and ProxyJump come in to make life easier.

SSH Config

If you are not familiar with SSH config, it is a simple configuration file (usually ~/.ssh/config) that lets you specify per-host settings for ssh and give those settings a short alias. The example below sets ServerAliveInterval and TCPKeepAlive for all hosts, and sets up aliases for a few servers.

Host *
    ServerAliveInterval 60
    TCPKeepAlive no

Host jumpbox-1
    HostName jumpbox-1.example.com
    User daviddob
    IdentityFile /home/daviddob/.ssh/jumpbox-1.pem

Host jumpbox-2
    HostName 10.236.156.12
    User admin
    IdentityFile /home/daviddob/.ssh/jumpbox-2.pem

Host jumpbox-3
    HostName sec.dx.prod.c1.az1.r1a.dc1.vsp.example.com
    User admin
    IdentityFile /home/daviddob/.ssh/jumpbox-3.pem

Host deployment-1
    HostName dep1.dx.prod.c1.az1.r1a.dc1.vsp.example.com
    User daviddob
    IdentityFile /home/daviddob/.ssh/deployment-1.pem

The above allows an operator to simply run ssh jumpbox-1 and have the User, HostName, and IdentityFile information supplied automatically. This simplifies the process overall and removes the need to remember long DNS names or IP addresses when trying to SSH.

So how does this help with the above scenario? With the basic config shown above an operator would still have to ssh jumpbox-1, then ssh jumpbox-2, then ssh jumpbox-3, then ssh deployment-1. It's better, but it requires multiple commands, multiple SSH configs (one on each intermediate machine), and SSH keys stored on each machine.

ProxyJump

This is where ProxyJump comes in. If we rework our SSH config a bit and keep all of the associated SSH keys on our local machine, we can simplify the process quite a bit. The config below simply adds the ProxyJump directive to each machine, specifying which machine you need to jump through to get to the target. Each hop only forwards the TCP connection onward; the SSH session to the final target is still authenticated and encrypted end to end from your local machine, so the private keys never need to leave it.

Host *
    ServerAliveInterval 60
    TCPKeepAlive no

Host jumpbox-1
    HostName jumpbox-1.example.com
    User daviddob
    IdentityFile /home/daviddob/.ssh/jumpbox-1.pem

Host jumpbox-2
    HostName 10.236.156.12
    User admin
    IdentityFile /home/daviddob/.ssh/jumpbox-2.pem
    ProxyJump jumpbox-1

Host jumpbox-3
    HostName sec.dx.prod.c1.az1.r1a.dc1.vsp.example.com
    User admin
    IdentityFile /home/daviddob/.ssh/jumpbox-3.pem
    ProxyJump jumpbox-2

Host deployment-1
    HostName dep1.dx.prod.c1.az1.r1a.dc1.vsp.example.com
    User daviddob
    IdentityFile /home/daviddob/.ssh/deployment-1.pem
    ProxyJump jumpbox-3

This simple change allows an operator to run ssh deployment-1, wait a bit for all of the connections to be made, and get dropped into a shell on the deployment-1 machine. So if you find yourself in a similar situation in the future, even if it's only jumping through one box to get to another, maybe consider spending the 30 seconds to modify your SSH config and make the future that much easier.
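As an added example (not part of the original post), the Python script below parses a minimal ssh_config, follows ProxyJump from a target alias back to the first hop, and prints the chain so you can confirm the hop order before relying on it; it also rejects an undefined alias or a ProxyJump cycle. It assumes OpenSSH semantics as I understand them (the first value of a keyword wins, and only the first hop in a comma-separated ProxyJump list is opened with the local config), handles only Host/HostName/ProxyJump, and ignores Match and Include; the embedded config is a constructed sample trimmed from this guide.

```python
"""Resolve the hop chain an ssh_config ProxyJump directive implies (added example)."""
import re

# Constructed sample: the chained config from this guide, trimmed to the
# keywords this script inspects.
SAMPLE_CONFIG = "\n".join([
    "Host jumpbox-1", "    HostName jumpbox-1.example.com",
    "Host jumpbox-2", "    HostName 10.236.156.12", "    ProxyJump jumpbox-1",
    "Host jumpbox-3", "    ProxyJump jumpbox-2",
    "Host deployment-1", "    ProxyJump jumpbox-3",
])

def parse_ssh_config(text):
    """Map each literal Host alias to {keyword: value}. Wildcard patterns are
    skipped and, as in ssh itself, the first value seen for a keyword wins."""
    hosts, current = {}, []
    for line in (raw.split("#", 1)[0].strip() for raw in text.splitlines()):
        if not line:
            continue
        keyword, value = (re.split(r"[\s=]+", line, maxsplit=1) + [""])[:2]
        if keyword.lower() == "host":
            current = [hosts.setdefault(a, {}) for a in value.split()
                       if not any(c in a for c in "*?!")]
        else:
            for block in current:
                block.setdefault(keyword.lower(), value.strip())
    return hosts

def _alias(hop):
    # Reduce a [user@]host[:port] ProxyJump entry to the bare host alias.
    return hop.strip().rsplit("@", 1)[-1].split(":", 1)[0]

def proxy_chain(hosts, target):
    """Return the hosts ssh connects through, first hop first, target last.
    Assumption: only the first hop of a ProxyJump list is opened with the local
    config, so only its own ProxyJump is followed. Raises ValueError on an
    undefined alias or a cycle."""
    chain, seen = [], set()
    while True:
        if target not in hosts:
            raise ValueError("ProxyJump references undefined host: " + target)
        if target in seen:
            raise ValueError("ProxyJump cycle involving " + target)
        seen.add(target)
        value = hosts[target].get("proxyjump", "none")
        hops = [] if value.lower() == "none" else [_alias(h) for h in value.split(",")]
        chain = hops[1:] + [target] + chain
        if not hops:
            return chain
        target = hops[0]
```

Running `print(" -> ".join(proxy_chain(parse_ssh_config(SAMPLE_CONFIG), "deployment-1")))` prints the four-hop chain from jumpbox-1 to deployment-1.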