If you find yourself using a Bastion or Jump Server very often, you quickly become familiar with man ssh_config.

One trick I've recently figured out is using sed with a ProxyCommand -- this lets me optionally use a bastion host by just appending .bast to a hostname. Most examples of using ProxyCommand apply it to all hosts, or a specific sub-domain, but this configuration allows you to late decide if you want to use the bastion or not.

Examples:

# uses bastion:
ssh myserver.example.com.bast

# goes directly to myserver:
ssh myserver.example.com

Place the following in your .ssh/config, with the appropriate changes for your environment:

Host bastion
    Hostname bastion-server.example.com
    ProxyCommand none
    User paul.examplesurname
    ControlMaster auto
    ControlPath ~/.ssh/master-%r@%h:%p

Host *.bast
    ProxyCommand ssh -aY bastion 'nc -w 900 `echo %h | sed s/\\.bast$//` %p'
    ForwardAgent yes
    TCPKeepAlive yes
    ServerAliveInterval 300

Any hostname that ends in .bast will now use the bastion as its proxy, but on the bastion it will resolve the DNS without the .bast in the hostname. Additionally because the bastion host has SSH Multiplexing configured, after the first connection to the bastion, all others are very quick to become established.




Share