Using SSH keys for host access
Using SSH private/public keys is one of the better ways to limit and secure access to your hosts, by configuring a set of known (public) keys to allow authentication through keys instead of less secure password-based authentication.
In addition, and this is the case for our setup at Pivot Freight, you would further protect your private hosts by disabling public network access and only allowing SSH traffic through a publicly available, hardened host known as a bastion or jump host. The downside is that accessing those hosts from your local machine can become tedious and repetitive.
But thankfully there is a better way: the SSH config file.
Access without the SSH config file
Without an SSH config file this is how you would access the jump host from your command line (all examples are for OS X):
ssh -p 1234 username@22.214.171.124
Where 22.214.171.124 is the jump host's public IP address and 1234 is the port your SSH daemon has been configured to run on, if not the default of 22.
Now that's not too bad, but it gets repetitive. Next, assume you need to access a host that is only reachable through the jump host; you would then do:
ssh -p 1234 username@22.214.171.124 nc 10.11.22.33 1234
Where 10.11.22.33 is the target host's private IP address, again assuming that 1234 is the port your SSH daemon has been configured to run on (on both the jump host and the target host) and that the same username's public key is deployed on the target host as well.
This will get very repetitive very quickly, especially as the number of hosts increases, even if you were willing to maintain a script for each target host. But thankfully there is a better way: the SSH config file.
Using the SSH config file to simplify access
You can use the SSH config file to store host-specific SSH configuration properties, including ports and jump hosts.
Assuming you want to configure access for the example hosts above, you would create a ~/.ssh/config file with the following content:
Host jump-host
    HostName 126.96.36.199
    Port 1234
    User username

Host target-host
    HostName 10.11.22.33
    Port 1234
    User username
    # %h and %p are replaced by ssh with this host's HostName and Port
    ProxyCommand ssh -p 1234 username@126.96.36.199 nc %h %p
Now you can do the following to SSH into the jump host:
ssh jump-host
But even better, if you want to SSH into the target host you now simply need to type:
ssh target-host
What's also pretty neat about this approach is that it works with SCP as well, so if you wanted to copy a file from the target host to your local machine you would only need to type:
scp target-host:/home/username/readme.txt .
And it will simply work, with no need to remember that SCP uses -P for the port where SSH uses -p :).
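To see what an alias in ~/.ssh/config actually expands to, here is a small added example (not part of the original post) that parses the config above and rebuilds the explicit command the config saves you from typing, including the ProxyCommand with ssh's %h/%p tokens expanded; the config text is the same constructed sample used on this page.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: the ~/.ssh/config from this page, embedded inline.
SAMPLE_CONFIG = """
Host jump-host
    HostName 126.96.36.199
    Port 1234
    User username

Host target-host
    HostName 10.11.22.33
    Port 1234
    User username
    # %h and %p are replaced by ssh with this host's HostName and Port
    ProxyCommand ssh -p 1234 username@126.96.36.199 nc %h %p
"""


def parse_ssh_config(text: str) -> Dict[str, Dict[str, str]]:
    """Parse 'Host' blocks into {alias: {keyword_lower: value}}.
    Handles only the simple subset used here: one keyword per line,
    'Key value' or 'Key=value', no Match/Include/wildcard patterns."""
    hosts: Dict[str, Dict[str, str]] = {}
    current: Optional[Dict[str, str]] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        keyword, value = parts[0].lower(), parts[1].strip()
        if keyword == "host":
            current = {}
            for alias in value.split():  # 'Host a b' shares one block
                hosts[alias] = current
        elif current is not None:
            current.setdefault(keyword, value)  # first match wins, as in ssh
    return hosts


def effective_command(hosts: Dict[str, Dict[str, str]], alias: str) -> List[str]:
    """Rebuild the explicit 'ssh -p PORT USER@HOSTNAME' the alias stands for,
    adding '-o ProxyCommand=...' with %h/%p expanded when a jump host is set."""
    opts = hosts[alias]  # KeyError for an alias the config does not define
    hostname = opts.get("hostname", alias)
    port = opts.get("port", "22")
    user = opts.get("user")
    cmd = ["ssh", "-p", port, f"{user}@{hostname}" if user else hostname]
    proxy = opts.get("proxycommand")
    if proxy:
        expanded = proxy.replace("%h", hostname).replace("%p", port)
        cmd[1:1] = ["-o", f"ProxyCommand={expanded}"]
    return cmd


HOSTS = parse_ssh_config(SAMPLE_CONFIG)
```

Running `" ".join(effective_command(HOSTS, "target-host"))` reproduces the manual jump-host command from earlier on this page, which is a quick way to confirm a config entry before relying on it.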