Proxy SSH connections

Adrian asked:

Apologies if this has been asked before, but I am currently trying to find a solution to allow us to establish SSH connections similarly to how an RDP Gateway would work. For those unfamiliar, RDP Gateway allows you to essentially proxy RDP connections via another server. Remote Desktop will transparently authenticate with the RDP Gateway server and establish the connection to the endpoint server from there, allowing you to refer to the endpoint servers by private IP addresses or internal DNS names, limiting your exposure.

Currently what I’m thinking is to set up port forwarding through SSH so that every server we need to be able to access behind the tunnel proxy is on a different port that is being forwarded by the mid-point server. This doesn’t feel like an optimal solution, however, so I’m interested to know if there is a better way to do this.

My answer:

The canonical solution is to deploy IPv6 (and/or a VPN) and avoid this sort of workaround to begin with, but if you can’t do that today then it is called a jump box or bastion host or similar terms. It’s just a machine you put up that your users can log in to with ssh, then ssh further into internal hosts to which that box has network access. The ssh command even has a command line option which automates connecting through the jump host.

     -J destination
             Connect to the target host by first making a ssh connection to
             the jump host described by destination and then establishing a
             TCP forwarding to the ultimate destination from there.  Multiple
             jump hops may be specified separated by comma characters.  This
             is a shortcut to specify a ProxyJump configuration directive.
             Note that configuration directives supplied on the command-line
             generally apply to the destination host and not any specified
             jump hosts.  Use ~/.ssh/config to specify configuration for jump

View the full question and any other answers on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.