Using ProxyCommand with OpenSSH and a Bastion server.

So at work we have to use a bastion host for all our connections to servers to be able to get called PCI compliant. This kind of stuff could be a pain to use when you have to use another host to do RSYNC/SCP or other stuff that need direct transfer to workstation.

Thankfully OpenSSH is very flexible and have multiple options to easy the pain. If you add this to your ~/.ssh/config :

Host bastion
ProxyCommand none
ControlMaster auto
ControlPath ~/.ssh/master-%r@%h:%p

Host *
ProxyCommand ssh -qax bastion ‘nc -w 600 %h %p’

This will allow you to pass all SSH requests to the bastion server.

I have experimented with different options and this seems to be most efficient way. The ControlMaster ControlPath is to speed up the connections by not reopening a tcp socket all the time to the bastion server. This seems to cause problems with the OpenSSH version shipped with some distros (ie: Fedora) so you may want to remove it if you experience problems. For the ProxyCommand there is way to use cat like this :

ProxyCommand ssh bastion ‘exec 3<>/dev/tcp/%h/22;(cat <&3 & );cat >&3′

but the cat processes seems to hang in memory on the bastion server so netcat seems a better option.  I heard that tcpconnect from the tcputils package should make things smoother but I haven’t tried that.

I have other options in my SSH configuration to allow to be less verbose see ssh_config(5) manpage for detailed description of each of these options :

Host *
ForwardAgent yes
GSSAPIAuthentication no
VerifyHostKeyDNS no
StrictHostKeyChecking no
HashKnownHosts no
TCPKeepAlive yes
ServerAliveInterval 600

By the way forgot to mention you would need to have SSH key exchange configured with the bastion server with a SSH agent runing (these days all distros should do that by default) to don’t have to type the password of your username on bastion server.

I have heard there is way to do that on Windows with putty and plink but I haven’t tried that see this post here about it.

Share on FacebookTweet about this on TwitterShare on Google+Print this pageEmail this to someone
  • Matt

    Awesome solution we have searched all over the net, tried iptables galore but this is, by far, the best and easiest to use.

    Now we the security of ssh keys on top of locking down the remote servers to one central location which gives us much greater security and control.

    Thanks for your post.

    Matt Ayers

  • Anonymous

    Glad you find it useful.. 

  • Josh

    No netcat on bastion means no go :-(