23 Jun 15

SSH jump server on a Mac

This config is a pretty common setup: it allows one to use a jump server to access all other servers seamlessly. In this example my jump server will be called jump.example.com and the protected servers will be under the domain *.private.example.com. Without any config I could access a server by doing something like the following:

ssh -t jump.example.com ssh server1.private.example.com.

However, this is somewhat cumbersome, so let's create a config that makes this seamless.

UPDATE: As per the comments, you don't need the launchd section. Possibly I originally did this so we don't pay the cost of establishing an SSH tunnel each time; however, with ControlPersist I doubt there is much saving. As such, the following is all that is needed:

Host bastion
  DynamicForward localhost:1080
  HostName jump.example.com
  ProxyCommand none
Host *.private.example.com.
  ProxyCommand ssh bastion nc %h %p
  ServerAliveInterval 10

The first thing we need to do is create a tunnel to jump.example.com. I'm using Mac OS X, so this will be done in launchd:

#cat ~/Library/LaunchAgents/com.b4ldr.ssh-tunnel.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key>
  <string>com.b4ldr.ssh-tunnel</string>
  <key>OnDemand</key>
  <false/>
  <key>ProgramArguments</key>
  <array>
    <string>/usr/bin/ssh</string>
    <string>-C</string>
    <string>-N</string>
    <string>-c</string>
    <string>blowfish</string>
    <string>-o</string>
    <string>ServerAliveInterval=3</string>
    <string>bastion</string>
  </array>
</dict>
</plist>

This creates a launchd job which automatically connects to the server bastion, which is defined in my ~/.ssh/config file to act as a SOCKS proxy with the following config. We could put the following config in the launchd job itself; however, keeping it in ~/.ssh/config allows us to easily change which server is the jump box.
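As an added example (not from the original post), the following Python script parses the LaunchAgent above with the standard-library plistlib module and reports the settings a reviewer would flag before reusing the job on a current system: the -c blowfish pin (OpenSSH 7.6 removed the blowfish, arcfour and CAST ciphers, so a current client refuses to start with that flag) and the OnDemand key, which launchd.plist(5) documents as deprecated in favour of KeepAlive. The plist is embedded as constructed input; the function name and the finding strings are my own.

```python
"""Audit the LaunchAgent that keeps the ssh tunnel up.

Added example, not part of the original post: parses the plist with the
standard-library plistlib module and lists settings worth fixing before
reusing the job on a current macOS / OpenSSH.
"""
import plistlib
from typing import List

# Constructed sample input: the post's com.b4ldr.ssh-tunnel.plist, verbatim.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key>
  <string>com.b4ldr.ssh-tunnel</string>
  <key>OnDemand</key>
  <false/>
  <key>ProgramArguments</key>
  <array>
    <string>/usr/bin/ssh</string>
    <string>-C</string>
    <string>-N</string>
    <string>-c</string>
    <string>blowfish</string>
    <string>-o</string>
    <string>ServerAliveInterval=3</string>
    <string>bastion</string>
  </array>
</dict>
</plist>
"""

# Ciphers removed from OpenSSH in 7.6; a client that no longer knows them
# exits with an error when one is forced with -c.
REMOVED_CIPHERS = {"blowfish", "blowfish-cbc", "arcfour", "arcfour128",
                   "arcfour256", "cast128-cbc"}


def audit_tunnel_plist(data: bytes) -> List[str]:
    """Return a list of human-readable findings; empty means nothing to fix."""
    plist = plistlib.loads(data)
    findings: List[str] = []

    args = plist.get("ProgramArguments", [])
    if not args or not args[0].endswith("/ssh"):
        return ["ProgramArguments does not run ssh"]
    flags = args[1:]

    # -N keeps ssh from requesting a shell: the job only exists for the
    # DynamicForward, so a shell would be a needless extra session.
    if "-N" not in flags:
        findings.append("missing -N: ssh would start a remote shell, not just forward ports")

    # A pinned cipher stops working the day the client drops it.
    for i, flag in enumerate(flags):
        if flag == "-c" and i + 1 < len(flags) and flags[i + 1].lower() in REMOVED_CIPHERS:
            findings.append(f"-c {flags[i + 1]}: cipher removed from current OpenSSH, drop the flag")

    # launchd.plist(5): OnDemand is the deprecated 10.4 spelling of KeepAlive.
    if "KeepAlive" not in plist:
        if plist.get("OnDemand") is False:
            findings.append("OnDemand=false is deprecated, use KeepAlive=true")
        else:
            findings.append("no KeepAlive: launchd will not restart the tunnel when ssh exits")
    return findings


if __name__ == "__main__":
    for finding in audit_tunnel_plist(SAMPLE_PLIST) or ["no findings"]:
        print(finding)
```

Run against the plist from the post it reports two findings (the cipher pin and the OnDemand key); dropping the -c blowfish pair and replacing OnDemand with KeepAlive set to true clears both, and the -N check shows why that flag is the one you never remove from a forwarding-only job.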

Host bastion
  DynamicForward localhost:1080
  HostName jump.example.com
  ProxyCommand none

Finally we need some config to tell all servers with a name matching *.private.example.com. to route their connections via the SOCKS proxy:

Host *.private.example.com.
  ProxyCommand nc -x localhost %h %p
  ServerAliveInterval 10
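To see exactly which block ssh applies to a given name, both for the UPDATE config at the top of the post and for the SOCKS variant just above (the resolution is the same; only the ProxyCommand text differs), here is an added example that is not part of the original post: a small Python resolver implementing the two ssh_config rules this setup relies on, pattern matching of Host lines and first-obtained-value-wins. It uses the UPDATE config as constructed input; the function names are my own, and it is a toy, not OpenSSH's parser.

```python
"""Which ssh_config block applies to a given host name?

Added example, not OpenSSH code: a toy resolver implementing the two
ssh_config rules the jump-host setup relies on:
  * a Host line holds shell-style patterns ('*', '?') matched against the
    name exactly as typed on the command line (compared case-insensitively);
  * for every option the first matching block to set it wins, so blocks
    further down the file can only fill in what earlier ones left unset.
Only the "Keyword value" line form is handled; negated (!) patterns are not.
"""
import fnmatch
from typing import Dict, List, Optional, Tuple

Block = Tuple[List[str], Dict[str, str]]

# Constructed sample input: the UPDATE config from the top of the post.
SAMPLE_CONFIG = """\
Host bastion
  DynamicForward localhost:1080
  HostName jump.example.com
  ProxyCommand none
Host *.private.example.com.
  ProxyCommand ssh bastion nc %h %p
  ServerAliveInterval 10
"""


def parse_ssh_config(text: str) -> List[Block]:
    """Split the file into (host patterns, {lowercased keyword: value}) blocks."""
    blocks: List[Block] = []
    patterns: List[str] = ["*"]   # options before the first Host line apply everywhere
    options: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        keyword, _, value = line.partition(" ")
        keyword, value = keyword.lower(), value.strip()
        if keyword == "host":
            if options:
                blocks.append((patterns, options))
            patterns, options = value.split(), {}
        else:
            options[keyword] = value
    if options:
        blocks.append((patterns, options))
    return blocks


def resolve(blocks: List[Block], host: str) -> Dict[str, str]:
    """Options ssh would use for `host`: first obtained value per keyword."""
    result: Dict[str, str] = {}
    for patterns, options in blocks:
        if any(fnmatch.fnmatchcase(host.lower(), p.lower()) for p in patterns):
            for keyword, value in options.items():
                result.setdefault(keyword, value)   # never overwrite an earlier match
    return result


def proxy_command(blocks: List[Block], host: str, port: int = 22) -> Optional[str]:
    """Expanded ProxyCommand for `host`, or None when ssh connects directly."""
    command = resolve(blocks, host).get("proxycommand")
    if command is None or command.lower() == "none":
        return None
    # ssh substitutes %h (host name) and %p (port) before running the command
    return command.replace("%h", host).replace("%p", str(port))


def demo() -> Dict[str, Optional[str]]:
    """Resolve the three names that matter for this setup."""
    blocks = parse_ssh_config(SAMPLE_CONFIG)
    names = ["bastion", "server1.private.example.com.", "server1.private.example.com"]
    return {name: proxy_command(blocks, name) for name in names}


if __name__ == "__main__":
    for name, command in demo().items():
        print(f"{name:30} -> {command or 'direct connection'}")
```

Two things the output makes visible. The pattern ends in a dot, so only a name typed with the trailing dot (as in the ssh -t example at the top) picks up the ProxyCommand; ssh server1.private.example.com without it matches nothing and goes straight out, which fails from outside the private network. And because bastion is the first block, its ProxyCommand none is always the obtained value for the jump host, so even if a broader pattern with a ProxyCommand is added later, ssh bastion never tries to proxy through itself.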

Finally, load and start the plist:

launchctl load ~/Library/LaunchAgents/com.b4ldr.ssh-tunnel.plist
launchctl start com.b4ldr.ssh-tunnel

Hope it's useful.
