Operations grimoire/Recommended SSH configuration
From Nasqueron Agora
Consolidated OpenSSH configuration
The introduction of ProxyJump has simplified the bastion configuration since OpenSSH version 7.5:
Host *.nasqueron.drake
    ProxyJump windriver.nasqueron.org
Host 172.27.27.*
    ProxyJump windriver.nasqueron.org
Older versions of OpenSSH can use this instead: ProxyCommand ssh -W %h:%p windriver.nasqueron.org
Use bastion as proxy
To connect to a server where port 22 isn't publicly accessible, use a development server as a bastion.
Do you do extensive work on the development server?
- YES -> a good workflow is to create a tmux pane for your remote server connection
- NO -> use the development server as proxy
All of the following work:
# Connect first to the bastion. Then, to the destination server (useful as tmux pane)
$ ssh windriver.nasqueron.org
$ ssh docker-002
# Connect with ProxyJump option (OpenSSH 7.5+)
$ ssh -J windriver.nasqueron.org 172.27.27.5
# Connect with ProxyCommand option for older OpenSSH clients
$ ssh -o ProxyCommand="ssh -W %h:%p windriver.nasqueron.org" docker-002.nasqueron.drake
Note that you can generally use short names, fully qualified names or IP addresses. If a short name doesn't work but the IP does, the /etc/hosts of the bastion needs to be updated.
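To see which names the consolidated configuration above actually routes through the bastion, here is an added example (not part of the original page or Nasqueron's tooling). It is a simplified resolver that handles only Host and ProxyJump lines, not Match or Include; the function names are hypothetical, and the sample configuration is copied from this page.

```python
import re

# Constructed sample: the consolidated configuration shown on this page.
SAMPLE_CONFIG = """\
Host *.nasqueron.drake
    ProxyJump windriver.nasqueron.org
Host 172.27.27.*
    ProxyJump windriver.nasqueron.org
"""

def _pattern_to_regex(pattern):
    # ssh_config patterns only know '*' (any run) and '?' (exactly one character).
    parts = (".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.compile("".join(parts) + r"\Z", re.DOTALL)

def _host_line_matches(patterns, host):
    # A negated ('!') match vetoes the block; otherwise one positive match is needed.
    matched = False
    for pat in patterns:
        negated = pat.startswith("!")
        if _pattern_to_regex(pat.lstrip("!")).match(host):
            if negated:
                return False
            matched = True
    return matched

def resolve_proxyjump(config_text, host):
    """Return the ProxyJump value for host, or None for a direct connection."""
    active = True  # options before the first Host line apply to every host
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Keyword and value are separated by whitespace or by '='.
        keyword, _, value = re.sub(r"\s*=\s*|\s+", " ", line, count=1).partition(" ")
        keyword = keyword.lower()
        if keyword == "host":
            active = _host_line_matches(value.split(), host)
        elif keyword == "proxyjump" and active:
            return value.strip()  # the first obtained value wins
    return None

def audit(config_text, hosts):
    """Map each host name, as typed on the command line, to its jump host (or None)."""
    return {h: resolve_proxyjump(config_text, h) for h in hosts}

if __name__ == "__main__":
    for name, jump in audit(SAMPLE_CONFIG, ["docker-002.nasqueron.drake", "172.27.27.5",
                                            "docker-002", "windriver.nasqueron.org"]).items():
        print(f"{name:30} -> {jump or 'direct (no ProxyJump)'}")
```

The short name docker-002 matches neither pattern, so typed on the client it is not sent through the bastion. On a real client, `ssh -G <host>` prints the configuration ssh itself resolves for that host.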