JP Vossen on 28 Oct 2015 11:27:09 -0700

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

Re: [PLUG] some bash help

++ for ~/.ssh/config as well.  I used that a lot at $WORK--, you can
Google for "SSH jumphost" and find lots of stuff including

There is a LOT you can do with ~/.ssh/config when you dig into the
details and it's well worth the time.  This works on Linux and Mac but I
have no idea if or how well it would work in PuTTY.

To address the scalability concern, I was doing this for 200+ hosts no
problem...with some tricks.  Works for AWS PVCs too, so I'm told.

----- cut excerpt here -----
# Global user config (nice for Ansible too)
Host *
    ServerAliveInterval = 100
    ForwardAgent yes
    # OpenSSH v4+
        ControlPath ~/.ssh/master-%r@%h:%p
        ControlMaster auto
        ControlPersist 120

# Awesome wild-card shortcut to expand host.sub
# Except do NOT (re-)expand the jumphost itself
host *.subdomain1 !jh*-*

# Define jumphost (add more stanzas for more JHs)
host jh01 mydatacenter1
    Port 2345
    User jp
    IdentityFile ~/.ssh/id_mydatacenter1
    Compression yes

# Define which hosts use which JH
Host * !jh*
    ProxyCommand ssh -A -p 2345 -W %h:%p
    ForwardAgent yes
    Compression yes
----- cut excerpt here -----

* Use `ssh -vvv` (I forget how many "v"s are needed) and it will show
you each config file line that is applied.  VERY helpful in debugging.
* My example my not work 100%, I had to obfuscate it quite a bit, so I
may have messed up the logic a bit.  In particular, the internal host
naming scheme was designed to facilitate this, but I had to obfuscate
that.  This it through for your environment and names.
* That said, my config worked but was pieced together over time from
various sources and I never had time to fully streamline it.  It may
have cruft.
** Like some of my example is redundant (like "compression").
** And it may not flow very well.
* There's another way of doing the ProxyCommand part that uses `nc`
(Netcat) that some people prefer.  I prefer doing it all in SSH because
`nc` can make auditor's heads explode (even though that's really BS) and
just because fewer moving parts is better.

Of course, this is IT so..."it depends" and everyone's environment is
different.  But it's well worth the time to figure it out if you work in
an environment where it applies.

Hopefully the above provides some useful clues.

On 10/28/2015 01:19 PM, Keith C. Perry wrote:
> This is very cool but I'm thinking of scale now.  Anymore more than a
> hand full of servers I that config file points a very important item to
> management.
> Question for you Carl... is there any reason why you are not running a
> VPN (e.g. OpenVPN) on server A?  Once you have that up, you can then SSH
> directly to server B or whatever else is on that LAN.  I know it's off
> topic but I'm curious as to why SSH is being using.
> Also, have you thought about doing an SSH VPN?
> ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
> Keith C. Perry, MS E.E.
> Owner, DAO Technologies LLC
> (O) +1.215.525.4165 x2033
> (M) +1.215.432.5167
> <>
> ------------------------------------------------------------------------
> *From: *"chris" <>
> *To: *"Philadelphia Linux User's Group Discussion List"
> <>
> *Sent: *Wednesday, October 28, 2015 12:55:47 PM
> *Subject: *Re: [PLUG] some bash help
> Gavin,
> That is fantastic and I intend to steal this for use when ssh'ing into
> servers from home, since we have to route through a server to get to any
> others when not on the network.
> Very nice.
> On Wed, Oct 28, 2015 at 12:51 PM, Gavin W. Burris <
> <>> wrote:
>     Hi, Carl.
>     You can do an ssh proxy through an intermediate host.
>     Put something like this in your ~/.ssh/config file.
>     Host server-a
>            Hostname <>
>            User carl
>            Port 22
>            MACs <>
>            Ciphers arcfour,blowfish-cbc
>     Host server-b
>            ProxyCommand ssh -W %h:%p server-a
>            HostName
>     Then you can just:  ssh server-b
>     Cheers.
>     On Wed 10/28/15 12:46PM EDT, Carl Johnson wrote:
>     > I have a server that I need to use as a transparent jump box to
>     another
>     > network. What I'd like to do is have a "serveradmin" user be able
>     to SSH
>     > into "serverA" and automatically be SSH'ed into another server,
>     "serverB".
>     > If this second ssh session to serverB is killed (i.e. ctrl+c) or
>     dies for
>     > whatever reason I'd like the original ssh session to serverA to
>     collapse
>     > too.
>     >
>     > How can I do this? Is it even possible? Do I have to do some sort
>     of if
>     > while true magic in .bashrc or what? Maybe the first server has to
>     look for
>     > exit codes other than "0"?
>     >
>     > I've gotten the easy part done already. I can SSH in as
>     serveradmin but
>     > while at the login prompt of the second server if I ctrl+c I get
>     dumped
>     > back into a bash prompt on the first server. What I'd like to do
>     is prevent
>     > this recursion if possible.

JP Vossen, CISSP            |:::======|
My Account, My Opinions     |=========|
"Microsoft Tax" = the additional hardware & yearly fees for the add-on
software required to protect Windows from its own poorly designed and
implemented self, while the overhead incidentally flattens Moore's Law.
Philadelphia Linux Users Group         --
Announcements -
General Discussion  --