Operations grimoire/Recommended SSH configuration

From Nasqueron Agora

Consolidated OpenSSH configuration

The introduction of ProxyJump has simplified the bastion configuration since OpenSSH version 7.5:

Host *.nasqueron.drake
    ProxyJump windriver.nasqueron.org

Host 172.27.27.* 
    ProxyJump windriver.nasqueron.org

Older versions of OpenSSH can use ProxyCommand instead (in the configuration file, the command is written without surrounding quotes):

    ProxyCommand ssh -W %h:%p windriver.nasqueron.org
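When the same configuration is deployed to machines with different client versions, the choice between the two directives can be made from the ssh -V banner. The script below is an added example, not part of the original page: the function names are hypothetical, the bastion and Host patterns are the ones used here, and the 7.5 cut-off is the version this page states.

```shell
#!/bin/sh
# Added example: emit the bastion stanzas that fit the local OpenSSH client.
# BASTION and the Host patterns come from this page; function names are
# hypothetical. The 7.5 cut-off is the version this page gives for ProxyJump.
BASTION="windriver.nasqueron.org"

# Print "MAJOR MINOR" from an `ssh -V` banner such as
# "OpenSSH_8.9p1 Ubuntu-3, OpenSSL 3.0.2". Prints nothing if unparseable.
openssh_version() {
    printf '%s\n' "$1" |
        sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p'
}

# Return 0 when the banner reports 7.5 or later, 1 when older,
# 2 when the banner cannot be parsed (callers treat that as "older").
supports_proxyjump() {
    set -- $(openssh_version "$1")   # digits only, safe to word-split
    [ $# -eq 2 ] || return 2
    [ "$1" -gt 7 ] || { [ "$1" -eq 7 ] && [ "$2" -ge 5 ]; }
}

# Print ssh_config stanzas for both Host patterns, given an `ssh -V` banner.
bastion_stanza() {
    if supports_proxyjump "$1"; then
        directive="ProxyJump $BASTION"
    else
        # No quotes around the command inside ssh_config.
        directive="ProxyCommand ssh -W %h:%p $BASTION"
    fi
    for pattern in '*.nasqueron.drake' '172.27.27.*'; do
        printf 'Host %s\n    %s\n\n' "$pattern" "$directive"
    done
}

# Stand-alone use: inspect the installed client (ssh -V writes to stderr).
if command -v ssh >/dev/null 2>&1; then
    bastion_stanza "$(ssh -V 2>&1)"
fi
```

Review the output before appending it to ~/.ssh/config; an unrecognised banner falls back to the ProxyCommand form.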

Use bastion as proxy

To connect to a server where port 22 isn't publicly accessible, use a development server as a bastion.

Do you do extensive work on the development server?

  • YES -> a good workflow is to create a tmux pane for your remote server connection
  • NO -> use the development server as a proxy

All of the following work:

# Connect first to the bastion. Then, to the destination server (useful as tmux pane)
$ ssh windriver.nasqueron.org
$ ssh docker-002

# Connect with ProxyJump option (OpenSSH 7.5+)
$ ssh -J windriver.nasqueron.org 172.27.27.5

# Connect with ProxyCommand option for older OpenSSH clients
$ ssh -o ProxyCommand="ssh -W %h:%p windriver.nasqueron.org" docker-002.nasqueron.drake

Note that you can generally use short names, fully qualified names or IP addresses. If a short name doesn't work but the IP address does, the /etc/hosts file on the bastion needs to be updated.