Here’s how you pass all ssh connections through a single bastion host:

  • First, set up passwordless ssh between you and the bastion. There’s a billion and one guides on google for how to do this, so I’m going to skip this step and assume you know this one.
  • Then you will need to edit the file /home/username/.ssh/config and inside of that file, put the following details:

    Host nameorip.of.bastion.server
    StrictHostKeyChecking no
    User username
    ProxyCommand none
    ControlMaster auto
    ControlPath ~/.ssh/master-%r@%h:%p
    Host *
    ProxyCommand ssh -qax nameorip.of.bastion.server ‘nc -w 600 %h %p’

  • Once that is done, you save the file.

Ta dah! All of your ssh connections will now be routed through that host.

Now, you may want to flip back and forth (like I do). The way I did this was to create two files

/home/username/.ssh/config.on
/home/username/.ssh/config.off

Inside of config.on is what I detailed above. Inside of config.off is what the config file was set to before I set the above up (ie, not passing through bastion). I then modified /home/username/.bash_profile and set the following two aliases:

alias baston=’cp -f /home/username/.ssh/config.on /home/username/.ssh/config’
alias bastoff=’cp -f /home/username/.ssh/config.off /home/username/.ssh/config’

type

source /home/username/.bash_profile

Now when I want to route my connections through the bastion, I type “baston” and then move ahead. To disable routing it through the bastion, I type “bastoff”.

Simple, but like I said. I had never really learned how to do this previously due to a lack of real need on my part until recently. As usual, it was easy peasy once you just look into how it is done.


Category: linux
Tags: ,

2 Responses to proxy SSH through a bastion host

  1. Morris says:

    Thanks for this! And if I may add a suggestion to fully automate process of switching between config.on and config.off; you can configure the system to do this automatically when connecting to the Internet. You can add a script to /etc/network/if-up.d/ , which will be executed once the network connection comes up. This script can turn the bastion on or off based on the network name. E.g. when connecting to your work-network you might want the bastion to be disabled, but it should be enabled once connected to your home-network. To do so, create a file named ‘config-bastion’ in /etc/network/if-up.d/ and add the following contents:
    #!/bin/bash
    # Called when a new interface comes up (tested on Ubuntu 14.04)
    # replace ‘work_network_name’ and ‘username’ with your own values

    SSID=$(iwgetid -r)
    if [[ $SSID == “work_network_name” ]]; then
    echo “turning bastion OFF”;
    cp -f /home/username/.ssh/config.off /home/username/.ssh/config;
    else
    echo “turning bastion ON”;
    cp -f /home/username/.ssh/config.on /home/username/.ssh/config;
    fi

    Don’t forget to change ‘work_network_name’ with the network name for which you don’t want the bastion to be enabled. You can check your current network name with ‘wgetid -r’. You can test to check if the script functions accordingly through: “sudo ifup –all -v”, and look for the output “turning bastion OFF” or “turning bastion ON”

    • alex says:

      Sorry for the delay approving this comment. I was in California cycling down the coast. 🙂 Excellent tip!

Leave a Reply

Categories


gives good tech

tech.superhappykittymeow.com
Kale is one of the smartest people I know

Racker Hacker
Major is always good for leet deetz