One trick I've recently figured out is using sed with a ProxyCommand. This lets me optionally use a bastion host just by appending .bast to a hostname. Most examples of ProxyCommand apply it to all hosts, or to a specific sub-domain, but this configuration lets you decide at connection time whether to use the bastion or not.

    # uses bastion:
    ssh myserver.example.com.bast
    # goes directly to myserver:
    ssh myserver.example.com

Place the following in your .ssh/config, with the appropriate changes for your environment:

    Host bastion
        Hostname bastion-server.example.com
        ProxyCommand none
        User paul.examplesurname
        ControlMaster auto
        ControlPath ~/.ssh/master-%r@%h:%p

    Host *.bast
        ProxyCommand ssh -aY bastion 'nc -w 900 `echo %h | sed s/\\.bast$//` %p'
        ForwardAgent yes
        TCPKeepAlive yes
        ServerAliveInterval 300

Any hostname that ends in .bast will now use the bastion as its proxy, but the bastion resolves the name in DNS without the .bast suffix. Additionally, because the bastion host entry has SSH multiplexing configured, every connection after the first one to the bastion is established very quickly.
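
The suffix handling can also live in a small local helper, used as ProxyCommand ~/bin/bast-proxy %h %p under Host *.bast. This is an added example, not part of the original post: the script name and path are assumptions, and it swaps nc for OpenSSH's built-in -W forwarding (the bastion must permit TCP forwarding), so the hostname is validated locally and never passes through a shell on the bastion.

```shell
#!/bin/sh
# bast-proxy: hypothetical helper script (name and location are assumptions).
# Usage from ~/.ssh/config:
#   Host *.bast
#       ProxyCommand ~/bin/bast-proxy %h %p

# Print the hostname with the trailing ".bast" removed.
# Fails if the suffix is missing or the rest is not a plain DNS-style name.
strip_bast() {
    case "$1" in
        *.bast) host=${1%.bast} ;;
        *) return 1 ;;
    esac
    # Allow only letters, digits, dots and hyphens; reject empty names and
    # names starting with "-" so they cannot be read as an ssh option.
    case "$host" in
        ''|-*|*[!A-Za-z0-9.-]*) return 1 ;;
    esac
    printf '%s\n' "$host"
}

# Succeed only for a decimal TCP port in 1..65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print the "host:port" argument for ssh -W, or fail on bad input.
proxy_target() {
    host=$(strip_bast "$1") || return 1
    valid_port "$2" || return 1
    printf '%s:%s\n' "$host" "$2"
}

# Only act when invoked as a ProxyCommand with exactly %h and %p.
if [ "$#" -eq 2 ]; then
    target=$(proxy_target "$1" "$2") || {
        echo "bast-proxy: refusing host '$1' port '$2'" >&2
        exit 1
    }
    # "bastion" is the Host alias from the config above; -a keeps agent
    # forwarding off for the hop to the bastion, as in the original command.
    exec ssh -a -W "$target" bastion
fi
```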