Preface
In daily operation and maintenance or development work, we often need to access servers deployed on the intranet. However, due to security policy or network topology restrictions, intranet servers do not directly expose ports to the outside world, making it impossible for us to "directly connect" to them. at this time,Springboard machine(Jump Host/Bastion Host) has become an essential transit:
- First log in to the springboard machine through SSH;
- Then log in to the target server from the spring machine.
Although such a process can ensure safe isolation, it also brings a certain degree of inconvenience: we have to "log in twice" every time, and even manually enter multiple passwords or switch between multiple terminal windows, which is very cumbersome. Sometimes it is necessary to frequently copy and paste commands between the springboard machine and the target host, which inevitably affects efficiency.
So is there any waystay safeUnder the premise of simplifying the connection process and achieving "one-step direct access" to the target host? The answer issome. This article will explain how to configure via SSH - mainlyProxyJump(-Jparameters) orProxyCommand, to automatically complete the "springboard" step, allowing us to directly connect to the intranet server with a local command.
Background information
-
Bastion Host/Jump Host
The springboard is usually located at the edge of the controlled network and is the only secure transit station open to external SSH/port access. External users can only log in to other hosts on the intranet through the springboard machine, which acts as a security protection. - Pain points of secondary login
- Cumbersome operation: every time you need
ssh jump-hostLog in againssh target-server。 - Entering credentials multiple times: If key sharing or SSH Agent forwarding is not done, passwords often need to be entered repeatedly.
- Error-prone: If you frequently switch between multiple servers, you may accidentally execute commands in the wrong terminal window.
- Cumbersome operation: every time you need
- The role of SSH configuration forwarding
- Using SSH's built-in proxy function allows the local SSH client toautomaticEstablish a tunnel through a springboard machine, eliminating the need for manual secondary login.
- To the user, it is like logging in directly to the target server; to the network, data will still be forwarded via the springboard, which still meets policy requirements from a security and compliance perspective.
- Compatibility and version requirements
-
ProxyJump(
-J) requires OpenSSH 7.3+. - ProxyCommandApplies to earlier versions of SSH and has better compatibility, but the configuration is slightly more complicated.
-
ProxyJump(
Through these methods, we can log in to the target server in one step while maintaining the integrity of the network and security policies. Next, we will explain how to configure and use it with examples.
Traditional SSH secondary login method
In the traditional SSH login process, especially in scenarios involving springboard machines, we usually need to perform the following two steps:
-
Step 1: Log in to the springboard machine
Assume we already know the address of the springboard machineand open ports (such as10023), we first connect to this springboard machine via SSH:ssh -p 10023 user@At this point, the SSH client will ask us for login credentials (such as a password or key). If we do not configure the public key on the springboard machine, we need to manually enter the password or configure SSH Key to achieve password-free login.
-
Step 2: Log in to the target host from the springboard machine
After logging in to the springboard machine, we need to perform a second SSH login to enter the target server:ssh user@At this time, we again need to provide the login credentials of the target host, or configure an SSH key for password-free login. If the target host and the springboard machine are not in the same network segment, there may also be network policy or firewall problems, causing the connection to fail.
Disadvantages and pain points
-
Cumbersome operating steps: You need to enter multiple commands each time, making the operation complex and time-consuming.
- If the target server is in a different network environment, the steps of this operation may be increased and the efficiency will be lower.
- Enter credentials multiple times: Entering your password or SSH key manually every time is error-prone, especially if the keys are not managed properly.
- Switch windows or multitask: Multiple SSH sessions need to be opened separately to manage the springboard machine and target server. This will cause a confusing interface, which is especially difficult to manage when the operation is complex.
Introduction to the principle: SSH springboard configuration
In the traditional SSH login process, we need to manually perform two SSH login operations. Not only does this increase the workload, it can also lead to delays in connection and unnecessary duplication of steps. So, how can you simplify this process while ensuring security?
The answer is via SSHJump Host configuration, to realize the automated connection process. SSH itself provides two main ways to handle this springboard scenario:ProxyJumpandProxyCommand. Both methods allow us to complete the connection from the local to the target server in one command without the need to manually log in to the spring machine.
1. ProxyJump(recommended method)
Starting from OpenSSH version 7.3, SSH introduces a new parameter-J, this parameter allows us to directly specify the springboard machine. By using-JParameters, we can let the SSH client automatically connect to the springboard machine first, and then forward the traffic to the target host through the springboard machine to complete access to the target host. This method is simple and direct, and is recommended.
Example command:
ssh -J user@:10023 user@
In this command,-JThe address of the springboard machine is specified later (user@) and port (10023). SSH will first establish a connection with the springboard machine, and then forward the traffic to the target server through the springboard machine.. The entire process requires only one login operation, greatly simplifying the access process.
2. ProxyCommand(Better compatibility)
For older versions of SSH clients, or in some special scenarios (such as using other protocols or more complex forwarding configurations), you can useProxyCommandTo achieve springboard machine configuration.ProxyCommandThe SSH client allows us to define custom commands to establish a connection mechanism, through which we can specify the command of the springboard machine.
Example command:
ssh -o "ProxyCommand ssh -W %h:%p user@ -p 10023" user@
In this command,-o "ProxyCommand"The option specifies a custom command to connect via the springboard. Specifically,ssh -W %h:%pwill transfer the target host (%h) and port (%p) is forwarded to the springboard machine, and then a connection with the target host is established through the springboard machine.
Although this method is more complex to configure, it has greater flexibility and supports more customized needs.
By configuring the springboard machine, we can avoid manually logging in to the springboard machine and then logging in to the target host every time. EitherProxyJumpstillProxyCommand, can greatly simplify our operating procedures and improve efficiency.ProxyJumpis the recommended way, as it is more concise and easier to use, and works with most modern OpenSSH client versions.
In the next section, we'll detail how to configure these options to quickly achieve seamless SSH springboard connections.
Springboard configuration method
Method 1: Use-J(ProxyJump) parameters
As mentioned before,-JParameters are a feature provided by OpenSSH 7.3 and above. It allows us to specify the springboard machine in one command, thus simplifying the process of accessing the intranet server. Compared with the traditional secondary login method, using-JThe parameters allow us to log in to the target host directly through the spring machine, avoiding the cumbersome two SSH login operations.
1. basic grammar
-JThe basic syntax format of parameters is as follows:
ssh -J <jump-user>@<jump-host>:<port> <target-user>@<target-host>
-
<jump-user>: The user name of the springboard machine -
<jump-host>: The address of the springboard machine (can be a domain name or IP) -
<port>: The port of the springboard machine (the default is 22, which can be modified according to the actual situation) -
<target-user>:Username of the target server -
<target-host>: The address of the target server (can be a domain name or IP)
2. Example command
Assume you already have the following connection information:
- Springboard machine:
,port:10023 - Target server:
- username:
user
You can use the following command to connect to the target server directly through the springboard:
ssh -J user@:10023 user@
When you execute this command, the SSH client will first communicate with the springboard machinevia the specified port (10023) establishes a connection and then automatically forwards it from the spring machine to the target server, just like logging into the target server directly. The process is completely transparent to the user and you only need to provide your credentials once (username and password or SSH key) to connect.
3. Password-free login
If you have configured an SSH key pair and added the public key to the springboard and target host's authorization files, use-Jparameter, SSH automatically uses the key for authentication without having to manually enter a password. For example:
ssh -J user@:10023 -i /path/to/private_key user@
In this way, you can achieve a completely password-free connection, further improving login efficiency.
4. used in configuration fileProxyJump
If you don’t want to manually enter the address and port of the springboard machine in the command line every time, you can-JConfiguration written to SSH configuration file~/.ssh/config. This way, you can set up simple aliases and configurations for different servers without having to re-enter them.
exist~/.ssh/configfile, you can configure it like this:
Host target-server
HostName
User user
ProxyJump user@:10023
After the configuration is complete, you only need to execute the following command:
ssh target-server
SSH will automatically use theProxyJumpParameters, first connect to the springboard machine, and then forward to the target server。
5. advantage
-
Simple and efficient:pass
-Jparameters, the SSH client will automatically handle the connection and forwarding of the springboard machine, avoiding the need to manually enter the command twice. - Support password-free login: By configuring an SSH key pair, password-free login can be achieved, further improving efficiency.
-
Flexible configuration:can pass
~/.ssh/configThe file sets springboard configurations for multiple target hosts to simplify management.
This is using-JParameters (ProxyJump) to simplify the basic method of SSH springboard connection. It not only improves work efficiency, but also avoids the tedium of manually entering passwords or commands multiple times. If your version of SSH supports-JParameters, this is undoubtedly the simplest and most direct solution.
Method 2: UseProxyCommand
Before OpenSSH 7.3,-JParameters have not yet appeared, and there is no neat way for SSH clients to directly support springboards. However, we can passProxyCommandTo achieve similar functions, this method is similar to-JBetter compatibility than for older versions of SSH clients or those that don't support-Jparameters.
ProxyCommandAllows us to specify a command as a springboard connection method. Usually we can usenc(netcat) command to realize the connection of the springboard machine. In this way, when connecting to the target host, the SSH client will first establish a proxy connection with the springboard machine, and then forward the data flow through the proxy connection.
1. basic grammar
Used in SSH configuration filesProxyCommandThe basic syntax is as follows:
Host <target-host>
ProxyCommand ssh -q -W %h:%p <jump-user>@<jump-host> -p <port>
-
<target-host>: The address of the target host, which can be a domain name or IP. -
<jump-user>: The user name of the springboard machine. -
<jump-host>: The address of the springboard machine (can be a domain name or IP). -
<port>: The port of the springboard machine (default is 22, if there is a special port, you need to specify it). -
%hand%p: Indicates the host name and port of the target host, which will be automatically replaced by SSH when connecting.
2. Configuration example
In order to achieve the function of accessing the target host through the springboard machine, we can add the following configuration to the configuration file of the SSH client (~/.ssh/config):
Host
ProxyCommand ssh -q -W %h:%p user@ -p 10023
This configuration means that every time we try to connect, the SSH client will first go through the springboard machine(port10023) establishes a connection and then forwards the traffic to the target server through the springboard.
3. Use simplified commands after configuration
ConfiguredProxyCommandAfter that, we no longer need to specify the springboard machine and port in the command line. Just execute the following command:
ssh user@
The SSH client will automatically passProxyCommandConfigure the connection to the springboard machine and forward the connection to the target host, the entire process does not require manually specifying any parameters of the springboard machine.
4. Configuration file flexibility
in useProxyCommandThe flexibility of the configuration file allows us to configure different springboard machines for different target hosts. Assuming you have multiple intranet target hosts, you can add different configurations for each target host:
Host
ProxyCommand ssh -q -W %h:%p user@ -p 10023
Host
ProxyCommand ssh -q -W %h:%p user@ -p 10023
In this way, when accessing different targets, you only need to enter the corresponding host name (such asssh user@), the SSH client will automatically select the springboard machine for connection based on the configuration.
5. summary
ProxyCommandProvides a flexible and highly compatible way to help us when we do not support-JThe function of connecting to the target server through the springboard machine is implemented in the SSH client of the parameters. Although this method is slightly more complex, it is still a very effective solution, especially for users who need to use it in multiple environments.
In this way, you can easily connect to the target server from your local machine through a springboard without having to log in twice manually, thus saving time and improving efficiency. If you are using an older version of OpenSSH client,ProxyCommandDefinitely a great alternative.
Advanced: SSH key management / multiple springboards
When connecting using SSH, it is generally recommended to use an SSH key pair for authentication instead of using a password. Not only does this improve security, it also eliminates the need to manually enter your password every time you log in. In addition, when multiple springboard machines are involved or more complex SSH configuration is required, we can further simplify the connection process through some advanced settings.
1. SSH key management
SSH key authentication is a more secure and convenient way to authenticate. Compared with password authentication, key authentication has obvious advantages in the following aspects:
- More security: Passwords are easy to guess or crack with brute force, while SSH keys are generated through encryption algorithms and are more difficult to crack.
- Password-free login: After configuring the public and private key pairs, users can automatically log in without entering a password.
Step 1: Generate an SSH key pair
If you don't have an SSH key pair yet, you can generate one with the following command:
ssh-keygen -t rsa -b 4096 -C "your_email@"
this will be in~/.ssh/Generate a pair of public keys in the directory (id_rsa.pub) and private key (id_rsa). During the generation process, you can set the key's filename and password (optional).
Step 2: Copy the public key to the spring machine and target host
In order for key authentication to take effect, we need to copy the public key to the target host and springboard machine.~/.ssh/authorized_keysin the file. Can be usedssh-copy-idcommand to do this automatically:
ssh-copy-id -i ~/.ssh/id_rsa.pub user@
ssh-copy-id -i ~/.ssh/id_rsa.pub user@
After executing these two commands, you can complete password-less login through the SSH key pair.
2. Configuration of multiple springboard machines
Sometimes, we need to use multiple springboards (Multi-hop) to access the target server. In this case, we can continue to useProxyCommandor-JParameters to realize the configuration of multiple springboard machines.
2.1 Use-JParameter configuration multi-springboard machine
Assume that we need to use two springboard machines to access the target server. The first springboard machineand the second spring machine. You can use the following commands:
ssh -J user@:10023 -J user@:10023 user@
In this command, the SSH client will first connect to, and then fromjump1forward connection to, finally passedjump2Forward to target server。
2.2 UseProxyCommandConfigure multiple springboard machines
If we are using an older version of the SSH client, or prefer to manually configure the settings of the SSH client, we can do so in the SSH configuration file (~/.ssh/config) for multi-spring machine settingsProxyCommand. Examples are as follows:
Host
ProxyCommand ssh -q -W %h:%p user@ -p 10023
ProxyCommand ssh -q -W %h:%p user@ -p 10023
In this configuration, the SSH client first goes throughEstablish a connection and then passForward traffic to destination host。
3. Configure keys for multiple target hosts
If you have multiple target hosts, and each target host uses a different SSH key for authentication, you can configure different keys for the different hosts. can passIdentityFileParameters to specify different private key files. For example, in an SSH configuration file, you can set a different SSH key for each host:
Host
IdentityFile ~/.ssh/id_rsa_target1
Host
IdentityFile ~/.ssh/id_rsa_target2
This way, when you connect toor, the SSH client will automatically use the corresponding private key for authentication.
4. Optimize connection speed: use ControlMaster
During the connection process, each connection to the springboard and target hosts involves establishing a new SSH session. In order to improve efficiency and reduce connection delays, we can use SSH'sControlMasterfeature to speed up subsequent connections by reusing existing SSH sessions. You can add the following configuration to the SSH configuration file:
Host
ControlMaster auto
ControlPath ~/.ssh/cm_socket/%r@%h:%p
ControlPersist 10m
Host
ControlMaster auto
ControlPath ~/.ssh/cm_socket/%r@%h:%p
ControlPersist 10m
In this configuration, SSH will keep the connection between the springboard machine and the target host in the background (up to 10 minutes). If the connection is reconnected within this time, SSH will directly reuse the existing connection, significantly reducing the connection establishment time.