フィードを購読する
Linux 

The concept of bastion hosts is nothing new to computing. Baston hosts are usually public-facing, hardened systems that serve as an entrypoint to systems behind a firewall or other restricted location, and they are especially popular with the rise of cloud computing.

The ssh command has an easy way to make use of bastion hosts to connect to a remote host with a single command. Instead of first SSHing to the bastion host and then using ssh on the bastion to connect to the remote host, ssh can create the initial and second connections itself by using ProxyJump.

ProxyJump

The ProxyJump, or the -J flag, was introduced in ssh version 7.3. To use it, specify the bastion host to connect through after the -J flag, plus the remote host:

$ ssh -J <bastion-host> <remote-host>

You can also set specific usernames and ports if they differ between the hosts:

$ ssh -J user@<bastion:port> <user@remote:port>

The ssh man (or manual) page (man ssh) notes that multiple, comma-separated hostnames can be specified to jump through a series of hosts:

$ ssh -J <bastion1>,<bastion2> <remote>

This feature is useful if there are multiple levels of separation between a bastion and the final remote host. For example, a public bastion host giving access to a "web tier" set of hosts, within which is a further protected "database tier" group might be accessed.

Hard-coding proxy hosts in ~/.ssh/config

The -J flag provides flexibiltiy for easily specifying proxy and remote hosts as needed, but if a specific bastion host is regularly used to connect to a specific remote host, the ProxyJump configuration can be set in ~/.ssh/config to automatically make the connection to the bastion en-route to the remote host:

### The Bastion Host
Host bastion-host-nickname
  HostName bastion-hostname

### The Remote Host
Host remote-host-nickname
  HostName remote-hostname
  ProxyJump bastion-host-nickname

Using the example configuration above, when an ssh connection is made like so:

$ ssh remote-host-nickname

The ssh command first creates a connection to the bastion host bastion-hostname (the host referenced, by nickname, in the remote host’s ProxyJump settings) before connecting to the remote host.

An alternative: Forwarding stdin and stdout

ProxyJump is the simplified way to use a feature that ssh has had for a long time: ProxyCommand. ProxyCommand works by forwarding standard in (stdin) and standard out (stdout) from the remote machine through the proxy or bastion hosts.

The ProxyCommand itself is a specific command used to connect to a remote server—in the case of the earlier example, that would be the manual ssh command used to first connect to the bastion:

$ ssh -o ProxyCommand="ssh -W %h:%p bastion-host" remote-host

The %h:%p arguments to the -W flag above specify to forward standard in and out to the remote host (%h) and the remote host’s port (%p).

ProxyCommand in ~/.ssh/config

As with ProxyJump, ProxyCommand can be set in the ~/.ssh/config file for hosts that always use this configuration:

Host remote-host
  ProxyCommand ssh bastion-host -W %h:%p

With this setting in ~/.ssh/config, any ssh connection to the remote host is accomplished by forwarding stdin and stdout through a secure connection from bastion-host.

The ssh command is a powerful tool. While it might mostly be used in its simplest form, ssh user@hostname, there are literally dozens of uses, with flags and configurations to make connections from one host to another. Check out ssh's manual page (man ssh) sometime to discover all of the different options available with this seemingly simple program.


執筆者紹介

Chris Collins is an SRE at Red Hat and a Community Moderator for Opensource.com. He is a container and container orchestration, DevOps, and automation evangelist, and will talk with anyone interested in those topics for far too long and with much enthusiasm.

Read full bio
UI_Icon-Red_Hat-Close-A-Black-RGB

チャンネル別に見る

automation icon

自動化

テクノロジー、チームおよび環境に関する IT 自動化の最新情報

AI icon

AI (人工知能)

お客様が AI ワークロードをどこでも自由に実行することを可能にするプラットフォームについてのアップデート

open hybrid cloud icon

オープン・ハイブリッドクラウド

ハイブリッドクラウドで柔軟に未来を築く方法をご確認ください。

security icon

セキュリティ

環境やテクノロジー全体に及ぶリスクを軽減する方法に関する最新情報

edge icon

エッジコンピューティング

エッジでの運用を単純化するプラットフォームのアップデート

Infrastructure icon

インフラストラクチャ

世界有数のエンタープライズ向け Linux プラットフォームの最新情報

application development icon

アプリケーション

アプリケーションの最も困難な課題に対する Red Hat ソリューションの詳細

Original series icon

オリジナル番組

エンタープライズ向けテクノロジーのメーカーやリーダーによるストーリー