I’m running a number of servers at home and of course I want to access them over the Internet. As per good practice I have one gateway to which I can connect to with SSH from my Linux notebook. Once logged in I can then SSH to other machines in my network. This has worked well for me over many years but has three disadvantages: Despite using certificates, the process of first logging into the gateway and then logging into another machine is a bit more of an effort than it should be. Secondly, I can’t use SFTP via the file manager to exchange files with my machines at home this way. And finally this setup is not ideal from a security point of view because the internal machines have to trust the SSH key from the gateway machine. If the gateway is ever compromised, all machines inside are compromised as well. Recently, I found a cool way of how to fix all three things: Multihop-SSH!
What I didn’t know so far was that SSH has built-in multihop functionality and automation. By creating a configuration file in the .ssh directory it’s possible to daisy-chain SSH logins. Here’s an example:
#File '~/.ssh/config': Host ext-secret HostName www.mydomain.com Port 19331 User xy Host int-machine1 ProxyCommand ssh -q ext-secret nc -q0 192.168.99.44 22 User martin Host int-machine2 ProxyCommand ssh -q ext-secret nc -q0 192.168.99.45 22 User martin
This configuration does the following: When typing in ‘ssh int-machine2’ ssh reads the configuration file and notices that int-machine2 can’t be reached directly but only via ‘ext-secret’ and via non-standard port 19331. Therefore, ssh first establishes an ssh connection to ‘ext-secret’ by resolving its domain name (www.mydomain.com). Once logged in it starts ‘netcat’ on ‘ext-secret’ and creates a transparent tunnel from my PC over the ssh connection to the gateway and from there via ‘netcat’ to int-machine2. Once the tunnel is in place, SSH logs into that machine through the tunnel.
In practice this fixes all three shortcomings above without installing additional packages:
- A single command to get to the internal host
- ‘int-machine1/2’ don’t have to trust ‘ext-secret’ as the SSH keys of the PC and not those of the gateway are used.
- SFTP is based on SSH and hence the config file is also used for SFTP directories mounted in the file manager.