0

Apologies if this has been asked before, but I am currently trying to find a solution to allow us to establish SSH connections similarly to how an RDP Gateway would work. For those unfamiliar, RDP Gateway allows you to essentially proxy RDP connections via another server. Remote Desktop will transparently authenticate with the RDP Gateway server and establish the connection to the endpoint server from there, allowing you to refer to the endpoint servers by private IP addresses or internal DNS names, limiting your exposure.

Currently what I'm thinking is to set up port forwarding through SSH so that every server we need to be able to access behind the tunnel proxy is on a different port that is being forwarded by the mid-point server. This doesn't feel like an optimal solution, however, so I'm interested to know if there is a better way to do this.

Adrian
  • 101

2 Answers2

1

In SSH terms you often talk about a bastion host or jump server - a single machine (typically in your DMZ) that accepts incoming SSH connections and from which you can then make a SSH connection to the actual systems you manage. 

                                                                             ==> | Server1 |
 _________                             ___________                         /      ---------
| user PC |   ===(SSH on port 22)===> | jump host |  ===(SSH on port 22)== ==+>  | Server2 | 
 _________                             ___________                         \      _________
                                                                             ==> | Server3 |

Often for improved security the jump server will require dual-factor authentication and/or will only accept incoming SSH sessions after establishing a VPN connection.

Rather than first logging on to the jump host and from the command prompt there starting the second SSH session OpenSSH allows you to configure that in a single command

I prefer to set all settings explicitly in my ~/.ssh/config with a short alias for each host. That way I won't need to use any commandline flags and can simply type less and use ssh Destination and be done with. 

Host jumphost
    Hostname jumphost.example.com
    User serverfault
    ForwardAgent yes
    AddKeysToAgent yes
    UseKeychain yes                                  # Specific to OS X 
    IdentityFile ~/.ssh/id_rsa.jumphost

Host server1
    Hostname server1.int.example.com
    User hbruijn 
    ForwardAgent yes
    AddKeysToAgent yes
    UseKeychain yes                                  # Specific to OS X
    IdentityFile ~/.ssh/id_rsa.int.example.com
    ProxyJump jumphost

ProxyJump is a relatively new setting that I find somewhat more intuitive to use then a ProxyCommand. Now ssh server1 will do exactly what you need, first create a session using serverfault@jumphost.example.com as a first hop from which you tunnel to your next hop with optionally a different ssh key and a different username hbruijn@server1.int.example.com.

You can also use the ProxyJump command directly in from the command line :

ssh -J serverfault@jumphost.example.com hbruijn@server1.int.example.com

A different approach is discussed in this Q&A

HBruijn
  • 80,330
  • 24
  • 138
  • 209
0

The canonical solution is to deploy IPv6 (and/or a VPN) and avoid this sort of workaround to begin with, but if you can't do that today then it is called a jump box or bastion host or similar terms. It's just a machine you put up that your users can log in to with ssh, then ssh further into internal hosts to which that box has network access. The ssh command even has a command line option which automates connecting through the jump host.

     -J destination
             Connect to the target host by first making a ssh connection to
             the jump host described by destination and then establishing a
             TCP forwarding to the ultimate destination from there.  Multiple
             jump hops may be specified separated by comma characters.  This
             is a shortcut to specify a ProxyJump configuration directive.
             Note that configuration directives supplied on the command-line
             generally apply to the destination host and not any specified
             jump hosts.  Use ~/.ssh/config to specify configuration for jump
             hosts.
Michael Hampton
  • 247,473