$ date

Thu Dec 24 16:47:33 UTC 2015


SSH: Dynamic Jump Host Configuration and higher Security.

Hello again.

This post is about SSH. Something we probably all love.

There are situations where using SSH is quite... difficult, though.

Take for example being outside your home network and wanting to SSH to your desktop/NAS.

The most common but ugly way.

user@laptop$ ssh root@router
root@router Password: ****
root@router$ ssh user@desktop
user@desktop Password: ****
user@desktop$ # Tada!

That is not a nice way.

Even with SSH keys, you only skip typing your password at the router step, because you can't take the keys with you onto the router.

The less common but still ugly way.

user@laptop$ ssh root@router ssh desktop
root@router Password: ****
user@desktop Password: ****
user@desktop$ # Tada!

While this is certainly an improvement, you still can't take your SSH keys with you.

SSH keys will only get you as far as the router, if you have them set up there.

The least common way of the three, only a little ugly.

user@laptop$ ssh root%router+desktop
root@router Password: ****
user@desktop Password: ****
user@desktop$ # Tada!

Now that is a way I like.

While the user%host syntax for the jump host is not 100% pretty, it is a massive improvement.

Best part: your SSH keys on the laptop are used for authentication at every hop.

No need to type out passwords at all! :)

The magic behind this:

This is a subset of my SSH Config (~/.ssh/config):

# Keep the sessions alive in the background for faster reconnection and quicker autocompletion of scp, for example.
ControlMaster auto
ControlPath /tmp/ssh-%r@%h:%p
ControlPersist 600

# Dynamic Jump Hosts.
# Uses ProxyCommand, sed, ssh and netcat to tunnel through all the things.
Host *+*
  ProxyCommand ssh -C $(echo %h | sed 's/+[^+]*$//;s/\([^+%%]*\)%%\([^+]*\)$/\2 -l \1/;s/:/ -p /') exec nc -w1 $(echo %h | sed 's/^.*+//;/:/!s/$/ %p/;s/:/ /')

# Set default configs, like accepted Ciphers and the default user.
# The Ciphers and stuff make SSH prefer safer/stronger ciphers. OpenSSH 6.7+ only, I think.
Host *
  User vifino
  Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
  KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
  MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com,hmac-sha1

The jump host part is a modified, slightly fixed version of configurations that are already floating around.

I will probably poke the original authors to put my version there, since it uses less memory and such.
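Since the sed expressions in that ProxyCommand are hard to read, here is a small script (added for this post, not part of the config above) that replays the two pipelines on a host string of your choice and prints what ssh and netcat would be handed. The host names and ports in the comments are made up; the sed expressions are the ones from the config, with ssh_config's "%%" written as a plain "%" because the shell runs sed directly.

```shell
#!/bin/sh
# Added example, not part of the original config: replays the two sed pipelines from the
# "Host *+*" ProxyCommand on a host string of your choice, so you can see exactly what
# gets handed to "ssh -C" and to "nc -w1" before trusting it with a real connection.
# ssh_config writes a literal percent sign as "%%"; here the shell runs sed directly,
# so a single "%" is used.

# $1 is what ssh would substitute for %h, e.g. root%router:2222+desktop:2200 (made up).
# Prints the arguments for the hop: "router -p 2222 -l root"
jump_args() {
    printf '%s\n' "$1" | sed 's/+[^+]*$//;s/\([^+%]*\)%\([^+]*\)$/\2 -l \1/;s/:/ -p /'
}

# $1 as above, $2 is what ssh would substitute for %p (the port of the final target).
# Prints "host port" for netcat: "desktop 2200", or "desktop 22" when no port was given.
target_args() {
    printf '%s\n' "$1" | sed 's/^.*+//;/:/!s/$/ '"$2"'/;s/:/ /'
}

# The full command line the ProxyCommand would run for this host string.
proxy_command() {
    printf 'ssh -C %s exec nc -w1 %s\n' "$(jump_args "$1")" "$(target_args "$1" "$2")"
}

# Usage: sh jump_parse.sh 'root%router+desktop' 22
if [ $# -gt 0 ]; then
    proxy_command "$1" "${2:-22}"
fi
```

Two things worth seeing in the output: a target without a port gets ssh's %p appended, so the port you give ssh (-p) is the port on the final host, not on the jump host; and for a longer chain such as a%h1+b%h2+h3 the hop arguments come out as "a%h1+h2 -l b", which is itself a "*+*" host, so ssh recurses through the same rule once per hop.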

While I certainly don't recommend just pasting everything from the web into any config file whatsoever, I use this config, and it works fine for me.

With a little bit of tweaking, you should be able to accommodate it to your needs.
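One tweak you will need on older clients concerns the Ciphers, KexAlgorithms and MACs lines: a single algorithm name the installed OpenSSH does not know makes it reject the whole line. The script below (added here, not part of the config) trims a preferred list down to what "ssh -Q cipher", "ssh -Q kex" or "ssh -Q mac" reports, keeping the preference order, and tells you what it dropped. The supported list used in the comments is constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the original config: checks a Ciphers/KexAlgorithms/MACs
# line against what the local OpenSSH actually implements. A name the client does not
# know makes ssh refuse the whole line ("Bad SSH2 cipher spec"), which is exactly what
# happens when a list written for OpenSSH 6.7+ lands on an older build.

# $1: comma-separated preferred list, as written in ssh_config
# $2: newline-separated names the client supports (what "ssh -Q cipher|kex|mac" prints)
# Prints the comma-separated subset of $1 that is supported, preference order preserved.
filter_supported() {
    out=
    for name in $(printf '%s\n' "$1" | tr ',' ' '); do
        if printf '%s\n' "$2" | grep -qxF -- "$name"; then
            out="${out:+$out,}$name"
        fi
    done
    printf '%s\n' "$out"
}

# Prints the names from $1 that $2 does not list, one per line, so you know what was dropped.
dropped_names() {
    for name in $(printf '%s\n' "$1" | tr ',' ' '); do
        printf '%s\n' "$2" | grep -qxF -- "$name" || printf '%s\n' "$name"
    done
}

# Real use, querying the installed client ($1 is cipher, kex or mac):
#   supported_line cipher 'chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr'
supported_line() {
    filter_supported "$2" "$(ssh -Q "$1")"
}

# Usage: sh algo_check.sh cipher 'chacha20-poly1305@openssh.com,aes256-ctr'
if [ $# -eq 2 ]; then
    echo "supported: $(supported_line "$1" "$2")"
    dropped_names "$2" "$(ssh -Q "$1")" | sed 's/^/dropped:   /'
fi
```

Only trim the list this way; never pad it. If the trimmed result is empty, the client is too old to offer any of the preferred algorithms, and that is worth knowing rather than papering over.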


That's it, I guess...

I'm out.

Merry Christmas, dear reader.

$ cd ..