Use Linux Jumphost as Transparent Proxy

Jephe Wu - http://linuxtechres.blogspot.com

Environment: an office and a data center. The data center has only one or two Linux jump hosts; from the office you can only ssh into the jump hosts, and from the jump hosts you can ssh into the other servers. Your client Linux PC and the jump hosts run CentOS 6.4.

Objective: make this a one-step ssh instead of two by configuring the jump hosts as a transparent ssh proxy.

Steps:
1. Add the jump hosts to your /etc/hosts

[root@jephe .ssh]# grep jump /etc/hosts
172.16.50.1 jump01
172.16.50.2 jump02

2. Put the following into /etc/ssh/ssh_config on your client Linux PC

Host jump01
    ServerAliveInterval 60
    ServerAliveCountMax 30
    ProxyCommand none

Host jump02
    ServerAliveInterval 60
    ServerAliveCountMax 30
    ProxyCommand none

Host *
    ServerAliveInterval 60
    ServerAliveCountMax 30
    ProxyCommand ssh jephe@jump01 -W %h:%p
    #ProxyCommand ssh jephe@jump01 nc %h %p

Note:
a. Put the Host jump01 and Host jump02 blocks before Host *. ssh takes the first value it finds for each option, so the jump host blocks must set ProxyCommand none first; otherwise the inner ssh to jump01 would itself try to go through the proxy.
b. If your ssh version is older and does not support -W, use nc instead, as in the commented-out line above. Note that the syntax differs: -W takes %h:%p, while nc takes %h %p.
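As an added check (not part of the original post), a small shell lint that catches the two mistakes the notes warn about: a jump host block placed after Host *, and a ProxyCommand whose placeholder form does not match -W or nc. The sample configs it writes are constructed for this demonstration.

```sh
#!/bin/sh
# Lint an ssh_config for the two mistakes the notes above warn about:
#  ORDER: a jump host's "Host" block placed after "Host *", so its
#         "ProxyCommand none" never wins and ssh tries to reach the jump
#         host through itself
#  FORM:  a ProxyCommand whose placeholder form does not match the tool
#         ("ssh ... -W" wants %h:%p, "nc" wants %h %p)
# Usage: lint_ssh_config FILE JUMPHOST...  (exit 0 when clean, 1 otherwise)
lint_ssh_config() {
    cfg=$1; shift; rc=0
    sl=$(awk 'tolower($1)=="host" && $2=="*" {print NR; exit}' "$cfg")
    for jump in "$@"; do
        jl=$(awk -v h="$jump" 'tolower($1)=="host" && $2==h {print NR; exit}' "$cfg")
        if [ -z "$jl" ]; then
            echo "MISSING: no 'Host $jump' block"; rc=1
        elif [ -n "$sl" ] && [ "$jl" -gt "$sl" ]; then
            echo "ORDER: 'Host $jump' (line $jl) is after 'Host *' (line $sl)"; rc=1
        fi
    done
    awk '
        BEGIN { bad=0 }
        /^[[:space:]]*#/ { next }        # skip commented-out lines
        tolower($1)=="proxycommand" {
            if ($0 ~ / -W / && $0 !~ /%h:%p/) { print "FORM: line " NR ": -W needs %h:%p"; bad=1 }
            if ($0 ~ / nc / && $0 !~ /%h %p/)  { print "FORM: line " NR ": nc needs %h %p";  bad=1 }
        }
        END { exit bad }' "$cfg" || rc=1
    return $rc
}

# Constructed sample configs (not from the original page): "good" mirrors the
# layout above; "bad" puts jump02 after "Host *" and uses the -W syntax with nc.
write_sample_config() {          # write_sample_config good|bad FILE
    if [ "$1" = good ]; then
        printf '%s\n' 'Host jump01' '    ProxyCommand none' 'Host jump02' \
            '    ProxyCommand none' 'Host *' \
            '    ProxyCommand ssh jephe@jump01 -W %h:%p' > "$2"
    else
        printf '%s\n' 'Host jump01' '    ProxyCommand none' 'Host *' \
            '    ProxyCommand ssh jephe@jump01 nc %h:%p' 'Host jump02' \
            '    ProxyCommand none' > "$2"
    fi
}
```

Run it against the real file with `lint_ssh_config /etc/ssh/ssh_config jump01 jump02` after editing the config.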

3. Set up passwordless login from your Linux PC to the jump hosts

ssh-keygen -t dsa
ssh-copy-id -i /root/.ssh/id_dsa.pub jephe@jump01
ssh-copy-id -i /root/.ssh/id_dsa.pub jephe@jump02

Note: you can also use the command below to set up passwordless login. Make sure ~/.ssh and authorized_keys on the jump host are owned by the user and not group- or world-writable, otherwise sshd ignores the key:

cat /root/.ssh/id_dsa.pub | ssh jephe@jump01 'cat >> /home/jephe/.ssh/authorized_keys'

4. Testing
Now, from your Linux client PC, run 'ssh jephe@jump01' and 'ssh jephe@jump02'; you should get in without a password.

Also, from your client PC, run 'ssh user@allotherserver'; it should prompt you for a password.

After you ssh into another server this way, the 'w' command there shows the session coming from the jump host, not from your Linux PC. ssh actually logs into the jump host first in the background, then connects from the jump host to the other server.
