Connecting to a private LAN host over the internet via SSH.
Helpful ways to ssh via a bastion host.
If you’ve ever worked within Unix- or Linux-based networks you no doubt will have come across a need to access a server on a LAN or private network via an intermediate host connected to the internet. Copying files is especially arduous.
There are a few different ways of achieving this. I want to share a couple that I regularly use.
Method 1: Direct SSH
source.host~$ ssh -A www.example.com
www.example.com~$ ssh target.lan
This is a simple two-command connection: the first command connects you to the server at www.example.com, then the second command (run on the server listening at www.example.com) connects you to the target.lan host. The -A flag specifies agent forwarding, so if you are using public/private key pairs you won't be prompted for server passwords.
Pros:
- No additional config
Cons:
- Two commands
- Can't SCP files directly
Method 2: Chained SSH
source.host~$ ssh -At www.example.com ssh target.lan
This will log you into the target.lan server. Again, the -A flag is used to specify agent forwarding. The -t flag forces pseudo-tty allocation; essentially this means that the connection doesn't close right away after running the second ssh command.
Pros:
- No additional config
- Single command
Cons:
- Can't SCP files directly
Method 3: ProxyCommand
This is by far my preferred method, however it has a few minor prerequisites. First, ensure that netcat (nc) is installed on the intermediate host (www.example.com). If it's running a recent distro you'll more than likely have it already installed; if not, check your repos. Secondly, we need to create a ~/.ssh/config entry. Let's do that now. Open ~/.ssh/config in your editor of choice; you'll need to add a record like so:
Host target.lan
User thepearson
HostName target.lan
ProxyCommand ssh -l thepearson www.example.com nc %h %p 2> /dev/null
Save that file (replacing the example hosts and usernames with your own). The magical part here is the ProxyCommand line. With ssh_config we can use ProxyCommand to specify a command to connect to the server; all occurrences of %h will be replaced with the target host name and %p with the target port. When used in conjunction with netcat, the ProxyCommand config parameter can be very powerful.
You should now be able to execute the following.
source.host~$ ssh target.lan
This should give you direct ssh access to the internal server. What's great about this method is that you can use other tools that utilise OpenSSH for connections. For example:
source.host~$ scp -r ./local_dir target.lan:~
This will recursively copy the local_dir folder to the remote LAN host. Cool huh?
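To show what ssh actually does with that config entry, here is an added example (written for this post; it is not part of the original and not OpenSSH code): a small Python resolver that reads ssh_config-style text, applies ssh's first-match-wins rule for Host blocks, and expands %h and %p into the ProxyCommand that will be executed. The sample config is constructed: it contains the post's target.lan entry plus a second, assumed block that uses OpenSSH's built-in "ssh -W %h:%p" (available since OpenSSH 5.4) instead of netcat, which removes the nc prerequisite on the bastion. Either way the outer ssh only relays bytes, so the session to target.lan is end-to-end encrypted and authenticated with your local keys, and agent forwarding (-A) is not needed for the hop.

```python
import re
from fnmatch import fnmatch

# Constructed sample config: the post's entry, plus a second block (an assumption,
# not from the post) that uses OpenSSH's built-in "ssh -W" instead of netcat.
SAMPLE_CONFIG = """
# comment lines and blank lines are ignored
Host target.lan
    User thepearson
    HostName target.lan
    ProxyCommand ssh -l thepearson www.example.com nc %h %p 2> /dev/null

Host *.internal
    User ops
    Port 2222
    ProxyCommand ssh -l ops www.example.com -W %h:%p
"""


def parse_ssh_config(text):
    """Split ssh_config text into (host_patterns, options) blocks, in file order.

    Keywords are case-insensitive in ssh_config, so they are lower-cased here.
    Only the keywords this example needs are meaningful, but any keyword is kept.
    """
    blocks = []
    patterns, opts = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "host":
            if patterns is not None:
                blocks.append((patterns, opts))
            patterns, opts = value.split(), {}
        elif patterns is not None:
            opts[key] = value
    if patterns is not None:
        blocks.append((patterns, opts))
    return blocks


def effective_options(text, host):
    """Collect the options ssh would apply to `host`.

    ssh matches Host patterns against the name typed on the command line and,
    for each option, the first matching block that sets it wins.
    """
    merged = {}
    for patterns, opts in parse_ssh_config(text):
        if any(fnmatch(host, p) for p in patterns):
            for key, value in opts.items():
                merged.setdefault(key, value)
    merged.setdefault("hostname", host)   # HostName defaults to the typed name
    merged.setdefault("port", "22")       # Port defaults to 22
    return merged


def expand_tokens(command, tokens):
    """Replace %h, %p, %r (and %% -> %) the way ssh does before running ProxyCommand."""
    return re.sub(r"%(.)", lambda m: tokens.get(m.group(1), m.group(0)), command)


def expand_proxycommand(text, host):
    """Return the exact ProxyCommand ssh would run for `host`, or None if it has none."""
    opts = effective_options(text, host)
    command = opts.get("proxycommand")
    if command is None:
        return None
    # %r falls back to "" here; real ssh uses the local login name when User is unset.
    tokens = {"h": opts["hostname"], "p": opts["port"], "r": opts.get("user", ""), "%": "%"}
    return expand_tokens(command, tokens)


if __name__ == "__main__":
    for name in ("target.lan", "db1.internal", "www.example.com"):
        print(f"{name}: {expand_proxycommand(SAMPLE_CONFIG, name)}")
```

Running it prints the fully expanded command for target.lan, the -W variant for any *.internal host on port 2222, and None for the bastion itself, which has no ProxyCommand and is reached directly.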
Pros:
- Single command
- Directly SCP files
Cons:
- Additional config
- Requires netcat on intermediate server
Note: I put netcat down as a con, but realistically most (if not all) GNU-based boxes will have this installed.
So there you have it, some simple SSH commands that may make your life easier. Don't forget to check out the man pages for ssh_config and nc for more details.