
What are SSH tunnels and jump hosts? How to configure multi-level jump connections?

March 6, 21:31

SSH tunneling is a technique that creates encrypted channels over the SSH protocol, allowing data to be carried securely across untrusted networks. A jump host (bastion) is one of the most important applications of SSH tunnels.

SSH Tunneling Principles

SSH tunnels use the encryption of the SSH protocol to establish an encrypted channel between client and server; all data carried inside the channel is encrypted.

Workflow

  1. The client establishes an encrypted connection to the SSH server
  2. Traffic from specific ports is forwarded over the encrypted channel
  3. Data stays encrypted for the whole transit
  4. On arrival it is decrypted and forwarded to the actual destination

Jump Host Configuration

1. ProxyJump (Recommended Method)

OpenSSH 7.3+ supports the ProxyJump option, the simplest way to configure jump hosts.

```bash
# Command line
ssh -J jump-user@jump-host:22 target-user@target-host

# Configuration file (~/.ssh/config)
Host jump-host
    HostName jump.example.com
    User jump-user

Host target-host
    HostName target.example.com
    User target-user
    ProxyJump jump-host
```

2. ProxyCommand (Traditional Method)

For OpenSSH releases older than 7.3, which lack ProxyJump.

```bash
# Command line
ssh -o ProxyCommand="ssh -W %h:%p jump-user@jump-host" target-user@target-host

# Configuration file
Host target-host
    HostName target.example.com
    User target-user
    ProxyCommand ssh -W %h:%p jump-user@jump-host
```

3. Multi-level Jump Hosts

```bash
# Two-level jump
ssh -J jump1@host1,jump2@host2 target@final-host

# Configuration file
Host jump1
    HostName host1.example.com
    User jump1

Host jump2
    HostName host2.example.com
    User jump2
    ProxyJump jump1

Host final
    HostName final.example.com
    User target
    ProxyJump jump2
```

Practical Application Scenarios

Scenario 1: Access Internal Network Servers

```bash
# Access internal servers through the public jump host
ssh -J bastion@bastion.example.com admin@internal-server
```

Scenario 2: Secure File Transfer

```bash
# Transfer files through the jump host
scp -o ProxyJump="bastion@bastion.example.com" local-file admin@internal-server:/path/

# Or use rsync
rsync -avz -e "ssh -J bastion@bastion.example.com" local-file admin@internal-server:/path/
```

Scenario 3: Database Access

```bash
# Access an internal database through the jump host: the tunnel terminates
# on the bastion, which connects onward to db-server:3306, so no -J is needed
# (jumping through the bastion to reach the bastion itself is redundant)
ssh -N -L 3306:db-server:3306 user@bastion.example.com
```

Advanced Configuration

1. Combine Port Forwarding and Jump Host

```bash
# Local port forward that terminates on the bastion: the bastion itself
# connects onward to internal-web:80, so no jump is needed
ssh -N -L 8080:internal-web:80 user@bastion.example.com

# Local port forward that terminates on an internal host reached through
# the bastion: localhost:8080 ends at port 80 of internal-web, as seen
# from internal-web itself
ssh -N -L 8080:localhost:80 -J bastion@bastion.example.com webadmin@internal-web
```

2. Simplify with SSH Configuration File

```bash
# ~/.ssh/config
Host bastion
    HostName bastion.example.com
    User bastion
    IdentityFile ~/.ssh/bastion_key

Host internal-web
    HostName 192.168.1.100
    User webadmin
    ProxyJump bastion
    IdentityFile ~/.ssh/internal_key

Host internal-db
    HostName 192.168.1.200
    User dbadmin
    ProxyJump bastion
    IdentityFile ~/.ssh/internal_key
```
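Reading a multi-level chain out of a config file by hand gets error-prone once aliases point at other aliases. The following added example (not code from the original article or from OpenSSH) parses the Host/HostName/User/ProxyJump subset of ~/.ssh/config and resolves the full hop list for an alias, covering both the multi-level section above and this bastion layout. The sample config is constructed; the chain rule it implements is OpenSSH's: the first hop named in ProxyJump is the one ssh dials directly, so that hop's own ProxyJump is honoured, while later hops in a comma list are reached through it and their own ProxyJump settings are overridden by the implicit -J. Wildcard Host patterns, Match blocks, Include and ports are deliberately not supported.

```python
"""Resolve the hop chain behind a ProxyJump entry in ~/.ssh/config."""
from __future__ import annotations

import re

# Constructed sample config. The first three entries mirror the multi-level
# section; internal-web mirrors the bastion layout; final-list writes the
# same chain as a list; loop-a/loop-b are deliberately broken.
SAMPLE_CONFIG = """\
Host jump1
    HostName host1.example.com
    User jump1

Host jump2
    HostName host2.example.com
    User jump2
    ProxyJump jump1

Host final
    HostName final.example.com
    User target
    ProxyJump jump2

Host final-list
    HostName final.example.com
    User target
    ProxyJump jump1,jump2

Host internal-web
    HostName 192.168.1.100
    User webadmin
    ProxyJump jump1

Host loop-a
    ProxyJump loop-b
Host loop-b
    ProxyJump loop-a
"""


def parse_ssh_config(text: str) -> dict[str, dict[str, str]]:
    """Map each Host alias to its lower-cased keyword/value pairs."""
    hosts: dict[str, dict[str, str]] = {}
    current: dict[str, str] | None = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        # ssh_config accepts "Keyword Value" as well as "Keyword=Value".
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "host":
            current = {}
            for alias in value.split():
                hosts[alias] = current
        elif current is not None:
            # The first value given wins, as ssh itself evaluates ssh_config.
            current.setdefault(key, value)
    return hosts


def endpoint(hosts: dict, spec: str) -> str:
    """Render one hop as user@hostname after applying its Host entry."""
    user, _, name = spec.rpartition("@")
    name = name.split(":", 1)[0]          # drop an explicit :port
    entry = hosts.get(name, {})
    user = user or entry.get("user", "")
    hostname = entry.get("hostname", name)
    return f"{user}@{hostname}" if user else hostname


def resolve_chain(hosts: dict, alias: str, _seen: tuple = ()) -> list[str]:
    """Return every hop ssh traverses to reach alias, target last."""
    if alias in _seen:
        raise ValueError(f"ProxyJump loop via {alias!r}")
    name = alias.rpartition("@")[2].split(":", 1)[0]
    entry = hosts.get(name, {})
    hops = [h.strip() for h in entry.get("proxyjump", "").split(",") if h.strip()]
    chain: list[str] = []
    if hops and hops[0].lower() != "none":
        # First hop is dialled directly, so its own ProxyJump applies.
        chain += resolve_chain(hosts, hops[0], _seen + (alias,))
        # Later hops are reached through the previous one; their config
        # ProxyJump is overridden by the -J that ssh passes internally.
        chain += [endpoint(hosts, hop) for hop in hops[1:]]
    chain.append(endpoint(hosts, alias))
    return chain


def to_command(hosts: dict, alias: str) -> str:
    """The equivalent one-shot command line using -J."""
    *jumps, target = resolve_chain(hosts, alias)
    return f"ssh -J {','.join(jumps)} {target}" if jumps else f"ssh {target}"


if __name__ == "__main__":
    cfg = parse_ssh_config(SAMPLE_CONFIG)
    for alias in ("final", "final-list", "internal-web"):
        print(alias, "->", " -> ".join(resolve_chain(cfg, alias)))
        print("   ", to_command(cfg, alias))
```

Running it prints the same three-hop chain for final and final-list, which is the point: a chain of single ProxyJump entries and one comma-separated list are equivalent, and the loop between loop-a and loop-b is caught rather than recursing forever.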

3. Key Forwarding

```bash
# Enable agent forwarding to use local keys on the target host
# Note: ProxyJump never needs your keys on the jump host itself (the jump is a
# plain -W tunnel), so -A is only required when the session on the target must
# use your local keys; while you are connected, anyone with root on the host
# receiving the forwarded agent can use those keys
ssh -A -J bastion@bastion.example.com target@internal-server

# Or set in the configuration file
Host bastion
    ForwardAgent yes
```

Security Best Practices

1. Jump Host Security Hardening

```bash
# /etc/ssh/sshd_config

# Disable password authentication
PasswordAuthentication no

# Restrict login users
AllowUsers bastion

# Enable forced command
ForceCommand /usr/local/bin/bastion-wrapper.sh
```

2. Use Bastion Host

  • Deploy dedicated bastion software (Teleport, Bastillion)
  • Implement session recording and auditing
  • Integrate multi-factor authentication
  • Implement access control policies

3. Network Segmentation

  • Place jump host in DMZ
  • Internal servers only allow access from jump host
  • Use firewall rules to restrict traffic

4. Key Management

  • Use different keys for jump host and target servers
  • Rotate keys regularly
  • Use passphrase to protect private keys
  • Limit key usage scope

Troubleshooting

```bash
# Verbose debugging information
ssh -vvv -J jump@jump-host target@target-host

# Test the jump host connection on its own
ssh jump@jump-host

# Check routing
traceroute target-host

# View firewall rules
iptables -L -n
```

Performance Optimization

1. Connection Multiplexing

```bash
# Enable connection multiplexing in the configuration file (~/.ssh/config)
Host *
    ControlMaster auto
    ControlPath ~/.ssh/cm-%r@%h:%p
    ControlPersist 600
```

2. Compression

```bash
# Enable compression
ssh -C -J jump@jump-host target@target-host
```

3. Choose Encryption Algorithm

```bash
# Use a faster encryption algorithm
ssh -c aes128-ctr -J jump@jump-host target@target-host
```

Monitoring and Auditing

1. Logging

```bash
# /etc/ssh/sshd_config: log all SSH connections
LogLevel VERBOSE
SyslogFacility AUTHPRIV
```

2. Session Recording

Use dedicated bastion software for session recording and playback.

3. Access Auditing

Regularly review SSH access logs and monitor for suspicious activity.
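A concrete form of that review, as an added example that is not part of the original article: parse the Accepted/Failed lines sshd writes to the auth log and flag three things the rest of this page argues against. The log lines are constructed samples in the syslog format sshd uses on Linux, the addresses come from documentation ranges, and the network layout is an assumption: internal hosts must only accept logins from the bastion's internal address (192.168.1.1 here), the bastion is named bastion, and a bastion with PasswordAuthentication no should never log a password login.

```python
"""Review sshd auth log lines for logins that bypass the jump host."""
import re
from collections import Counter

BASTION_HOSTNAME = "bastion"
BASTION_INTERNAL_IP = "192.168.1.1"   # assumed inside address of the jump host
FAILED_THRESHOLD = 3                  # failed attempts per source before flagging

# Constructed sample; 203.0.113.0/24 and 198.51.100.0/24 are documentation
# ranges and the fingerprints are placeholders.
SAMPLE_LOG = """\
Mar  6 21:31:02 bastion sshd[1201]: Accepted publickey for bastion from 203.0.113.10 port 51234 ssh2: ED25519 SHA256:EXAMPLEFINGERPRINT
Mar  6 21:31:05 internal-web sshd[874]: Accepted publickey for webadmin from 192.168.1.1 port 40022 ssh2: ED25519 SHA256:EXAMPLEFINGERPRINT
Mar  6 21:40:11 internal-web sshd[901]: Accepted password for webadmin from 192.168.1.55 port 40100 ssh2
Mar  6 21:41:00 bastion sshd[1250]: Accepted password for bastion from 198.51.100.7 port 33001 ssh2
Mar  6 21:42:01 bastion sshd[1261]: Failed password for root from 198.51.100.7 port 33002 ssh2
Mar  6 21:42:03 bastion sshd[1262]: Failed password for invalid user admin from 198.51.100.7 port 33003 ssh2
Mar  6 21:42:05 bastion sshd[1263]: Failed password for invalid user test from 198.51.100.7 port 33004 ssh2
Mar  6 21:43:00 internal-db sshd[455]: Accepted publickey for dbadmin from 192.168.1.1 port 40200 ssh2: RSA SHA256:EXAMPLEFINGERPRINT
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\S+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_auth_log(text):
    """Return one dict per Accepted/Failed line; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def review_events(events):
    """Return (rule, message) findings, in the order they are detected."""
    findings = []
    failures = Counter()
    for e in events:
        if e["result"] == "Failed":
            failures[e["src"]] += 1
            continue
        # Successful login on an internal host that did not come via the bastion.
        if e["host"] != BASTION_HOSTNAME and e["src"] != BASTION_INTERNAL_IP:
            findings.append(("bypass",
                             f"{e['ts']} {e['user']}@{e['host']} logged in from "
                             f"{e['src']}, not via the jump host"))
        # Password login on the bastion, which should only accept keys.
        if e["host"] == BASTION_HOSTNAME and e["method"] == "password":
            findings.append(("password-on-bastion",
                             f"{e['ts']} password login for {e['user']} "
                             f"from {e['src']} on the bastion"))
    # Repeated failures from one source, counted across users.
    for src, n in failures.items():
        if n >= FAILED_THRESHOLD:
            findings.append(("brute-force", f"{n} failed logins from {src}"))
    return findings


def review_log(text):
    """Parse and review a log given as text."""
    return review_events(parse_auth_log(text))


if __name__ == "__main__":
    for rule, message in review_log(SAMPLE_LOG):
        print(f"[{rule}] {message}")
```

On the sample this reports one bypass (webadmin on internal-web from 192.168.1.55), one password login on the bastion, and one source with three failed attempts; the two key-based logins that arrived via 192.168.1.1 are silent. In practice the hostname and bastion address would come from inventory rather than constants.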

Tags: SSH