So at work we have to use a bastion host for all our connections to servers to be able to get called PCI compliant. This kind of stuff could be a pain to use when you have to use another host to do RSYNC/SCP or other stuff that need direct transfer to workstation.
Thankfully OpenSSH is very flexible and have multiple options to easy the pain. If you add this to your ~/.ssh/config :
ProxyCommand ssh -qax bastion ‘nc -w 600 %h %p’
This will allow you to pass all SSH requests to the bastion server.
I have experimented with different options and this seems to be most efficient way. The ControlMaster ControlPath is to speed up the connections by not reopening a tcp socket all the time to the bastion server. This seems to cause problems with the OpenSSH version shipped with some distros (ie: Fedora) so you may want to remove it if you experience problems. For the ProxyCommand there is way to use cat like this :
ProxyCommand ssh bastion ‘exec 3<>/dev/tcp/%h/22;(cat <&3 & );cat >&3’
but the cat processes seems to hang in memory on the bastion server so netcat seems a better option.Â I heard that tcpconnect from the tcputils package should make things smoother but I haven’t tried that.
I have other options in my SSH configuration to allow to be less verbose see ssh_config(5) manpage for detailed description of each of these options :
By the way forgot to mention you would need to have SSH key exchange configured with the bastion server with a SSH agent runing (these days all distros should do that by default) to don’t have to type the password of your username on bastion server.
I have heard there is way to do that on Windows with putty and plink but I haven’t tried that see this post here about it.