In this blog post I want to share how we used the jump host concept to:
- Connect to a remote server via a jump host using an ssh alias,
- Secure copy files from local to remote and remote to local,
- Use it with mina for Ruby on Rails deployment and
- Tunnel to the remote host
We had recently updated the security rules of our AWS EC2 instances to allow access only from whitelisted IPs. This meant no more accessing the server from anywhere through any network; we now had to connect from a known and secure network that is whitelisted in the server's security rules. There was a workaround, where we could add our current public IP to the security rules to gain access, but this soon became a hassle as we switch between networks and our public IP changes.
We then came across the concept of a jump host, which would make things easier without compromising security. The idea was to establish a secure host (the jump host) with a constant public IP, through which we could connect to the remote server.
With a jump host in place, we first had to log on to the jump host and then go from there to our remote server. This two-step process was still inconvenient, so we looked for a way to do it in a single command. Our search led us to the ProxyCommand ssh option, through which we were able to connect to the remote server via the jump host in a single command, with all the standard input and output traffic going through the jump host.
This is the ssh configuration that we use:
These ssh_config entries essentially act as aliases for our ssh command-line options. With reference to our ~/.ssh/config file above, the command
$ ssh jump
is equivalent to the ssh command line option
$ ssh firstname.lastname@example.org -i /path_to/jump/pem_file
And our command for accessing the remote server
$ ssh remote-server
is effectively the same as below.
$ ssh email@example.com -i /path_to/remote/pem_file -A -o "ProxyCommand ssh jump -W %h:%p"
If we need to do a secure copy between our local machine and the remote server, we can use the following:
Remote to local machine:
$ scp remote-server:/path_to/some_file/on_remote /path_to/destination/on_local
Local to remote machine:
$ scp /path_to/some_file/on_local remote-server:/path_to/destination/on_remote
Using with mina
I am predominantly a Ruby on Rails developer and we use mina as our deployment tool. Let's see what changes we need to make in the mina deployment scripts.
Fortunately, mina provides a few options in its ssh_settings that allowed us to specify the ProxyCommand, but these were not documented straightforwardly by mina. When we dug further into the mina source code (/mina-0.3.4/lib/mina/ssh_helpers.rb), we got to know about the ssh_options in its ssh_settings:
The updated ssh options in the deploy config look something like the below:
This effectively allows mina to SSH to the remote server through the jump host and run its deployment.
It is also possible to tunnel to the remote host through the jump, where we maintain an open shell session on our jump host and forward traffic on the remote port to our local port.
$ ssh remote_server_tunnel
This would forward the traffic on the remote port 22 to our local port 2222.
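The three aliases used in this post (jump, remote-server and remote_server_tunnel) could be defined in ~/.ssh/config along the following lines. This is an added example, not the authors' own file: the host names, user names, IdentitiesOnly and ExitOnForwardFailure settings are assumptions, while the key paths, -A, ProxyCommand and port numbers follow the commands shown in the post.

```sshconfig
# Added example. Host names and user names are placeholders.

# "ssh jump": the jump host, the only address whitelisted on the servers.
Host jump
    HostName jump.example.org
    User jump_user
    IdentityFile /path_to/jump/pem_file
    # Offer only the key named above, not every key loaded in the agent.
    IdentitiesOnly yes

# "ssh remote-server": reached through the jump host in one command.
Host remote-server
    HostName remote.example.com
    User remote_user
    IdentityFile /path_to/remote/pem_file
    IdentitiesOnly yes
    # Equivalent of -A in the post's command. The proxy hop itself does not
    # need it, and anyone with root on remote-server can use a forwarded
    # agent while the session is open, so keep it only if you ssh onward.
    ForwardAgent yes
    # -W %h:%p makes the jump host relay stdin/stdout to remote-server:22.
    # Authentication to remote-server still runs end to end from the local
    # machine, so the remote key never has to be stored on the jump host.
    ProxyCommand ssh jump -W %h:%p
    # On OpenSSH 7.3 and later, "ProxyJump jump" can replace the line above.

# "ssh remote_server_tunnel": a session on the jump host that forwards
# local port 2222 to port 22 on the remote server.
Host remote_server_tunnel
    HostName jump.example.org
    User jump_user
    IdentityFile /path_to/jump/pem_file
    IdentitiesOnly yes
    LocalForward 2222 remote.example.com:22
    # Fail instead of opening a shell with no tunnel if port 2222 is taken.
    ExitOnForwardFailure yes
```

Because scp reads the same file, the scp commands shown earlier pick up the ProxyCommand for remote-server without any extra options.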
The ssh configuration precedence is:
- Command line options
- ~/.ssh/config – per-user configuration file.
- /etc/ssh/ssh_config – system-wide configuration file.