Default settings upon initial setup
When a Jump Proxy account is set up, it defaults to requiring a password until the account holder's public key has been properly provided to it. In this default mode, the correct syntax to ssh to a destination server is as follows:
ssh -J <username>@sshprx.dom.wisc.edu <username>@destinationserver.dom.wisc.edu
Example: ssh -J buckybadger@sshprx.dom.wisc.edu buckybadger@bigten.dom.wisc.edu
This works, but requires 2 separate password logins: once to log in to the proxy, and once again to log in to the destination server. This can become a hassle if you use ssh often.
There are a couple of things you can configure on your workstation to completely automate this.
- Create a private/public encrypted key pair and upload the public key to the jump proxy. This eliminates the need to use a password at the jump proxy login stage.
- Configure your ssh client to automatically utilize the jump proxy without you having to specify it in the command line.
The following describes the process for setting up each of these.
Using encrypted keys instead of a password with the jump proxy
You need to generate 2 keys: a private key and a public key. The private key is essentially like a password and must be treated as such. Do not share it with anyone, or place it in a location that can be accessed by others. The public key is exactly what its name says: it is public, it can be shared, and it is the key that will be placed on the jump proxy. The process to do so is as follows:
On the local workstation from which you intend to initiate the ssh connection, type the following command:
ssh-keygen
You will be presented with 3 questions. Go with the defaults for all 3 by pressing Enter at each prompt.
This will generate both the public and private keys you need and will also place them in the correct location, which is the .ssh folder under your home folder. The private key is named id_rsa and the public key is named id_rsa.pub.
The next step is to copy your public key to the jump proxy server. The following shows the syntax and an example:
ssh-copy-id <username>@sshprx.dom.wisc.edu
Example: ssh-copy-id buckybadger@sshprx.dom.wisc.edu
You will be presented with a prompt to log in to the Jump Proxy server with your password. If you enter it correctly, it will then automatically place your public key in the appropriate location on the server and you'll be all set. You can test that it works by trying to connect to your destination server with the same command as before, such as:
ssh -J buckybadger@sshprx.dom.wisc.edu buckybadger@bigten.dom.wisc.edu
You'll know the key is working properly if you only have to log in once, on the destination server, without having to log in to the jump proxy.
Automating your ssh client to transparently utilize the jump proxy without you having to specify it
Now that you have eliminated the need to manually type a password to get through the jump proxy, you can automate your ssh client so you don't even have to specify the jump proxy. This would change the command you use to connect to your destination server from:
ssh -J buckybadger@sshprx.dom.wisc.edu buckybadger@bigten.dom.wisc.edu
to the much more efficient:
ssh buckybadger@bigten
The process involves creating a file named "config" in your .ssh folder where you specify the jump proxy and whether a destination server should utilize the jump proxy. The following example shows what the contents should look like if your destination server is bigten.dom.wisc.edu:
The filename should be: ~/.ssh/config
Host sshprx
    HostName sshprx.dom.wisc.edu
Host bigten
    HostName bigten.dom.wisc.edu
    ProxyJump sshprx
If you are creating the config file for the first time, you must run the following for it to work correctly:
chmod 600 ~/.ssh/config
You can add as many hosts as you like.
Once complete, you can simply run: ssh bigten and your ssh client will automatically and transparently route you through the jump proxy, log in to it with your key, and then take you to the destination server login prompt.
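To confirm the finished setup without opening a connection, the following script checks that the .ssh folder, the config file and the private key are accessible only to you, and that the bigten alias really resolves to the sshprx jump proxy. It is an added example, not part of the original instructions; the function names are hypothetical, and it assumes the file names and host aliases used above and an OpenSSH client that supports "ssh -G".

```shell
#!/bin/sh
# Added example, not part of the original page. Function names are
# hypothetical; the paths and host aliases are the ones used on this page.

# private_to_owner PATH: succeed only if PATH exists and grants nothing to
# group or other (600 for files, 700 for the .ssh folder).
private_to_owner() {
    [ -e "$1" ] || return 2
    # Characters 5-10 of the ls mode string are the group and other bits.
    bits=$(ls -ld "$1" | cut -c5-10)
    [ "$bits" = "------" ]
}

# resolved_jump HOST CONFIG: print the ProxyJump value the client resolves
# for HOST. "ssh -G" prints the effective options and does not connect.
resolved_jump() {
    ssh -G -F "$2" "$1" 2>/dev/null | awk '$1 == "proxyjump" { print $2 }'
}

# audit_jump_setup DIR HOST JUMP: report every check, return 1 if any failed.
audit_jump_setup() {
    dir=$1 host=$2 want=$3 rc=0
    for f in "$dir" "$dir/config" "$dir/id_rsa"; do
        if private_to_owner "$f"; then
            echo "ok:   $f"
        else
            echo "FAIL: $f is missing or accessible to group/other"
            rc=1
        fi
    done
    got=$(resolved_jump "$host" "$dir/config")
    if [ "$got" = "$want" ]; then
        echo "ok:   $host is reached through $got"
    else
        echo "FAIL: $host resolves ProxyJump to '${got:-none}', expected $want"
        rc=1
    fi
    return "$rc"
}

# Example: sh audit.sh ~/.ssh bigten sshprx
if [ "$#" -eq 3 ]; then
    audit_jump_setup "$1" "$2" "$3"
fi
```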