Shared SSH gateway? (a.k.a. jump/bastion host)

avatar

Is there anything as simple as to define an SSH Gateway (also known as bastion host/jump host) which can then be used by different SSH host entries?

For RDP there is the RDP Gateway entry which can then be referenced in the VPN/SSH/Gateway section of a given host entry, but we don't seem to find an equivalent option for SSH. We have browsed the forum looking for a possible solution; apparently there is a mix of workarounds and terms covering tunnels, SOCKS, and port forwarding, but none of those, to our understanding, covers the solution to this simple command-line equivalent:

ssh -J <jump_host_user>@<jump_host> <target_user>@<target_host>

where the <jump_host_user>@<jump_host> part is common for connecting to different target hosts.

Ideally, there should be an SSH Gateway entry in RDM defining the above jump host part, and then various SSH host entries whose VPN config points to the SSH Gateway.

As additional info, the requirement is to give access to SSH consoles via a single jump host (ProxyJump, as it is called in OpenSSH), which should be defined once in the RDM tree.

Thanks.

All Comments (7)

avatar

Hello,

Thank you for reaching out to Devolutions Support.

I have a few questions which you can hopefully answer.

  • Which version of RDM are you using?
  • Which type of data source are you using?

That being said, would what you're looking for in this case be an SSH Tunnel? We have the following knowledge base article regarding this:
https://kb.devolutions.net/rdm_setup_ssh_tunnel.html

Let me know,

Best regards,

Samuel Dery

avatar

Hello Samuel,

We are using the quasi-latest version (2022.3,29.0) with MS SQL data source. Not that it matters; the way I see it, what we are interested in is a missing functionality of your product. Indeed, as I wrote in my original post, we browsed the forum before posting and we did already notice the KB you have indicated (thank you for that).

However, I don't think it fits what we are after. As already reported by other users in other similar threads, the SSH tunnel entry doesn't solve the issue at all. The tunnel requires you to specify the remote host address, and that would mean that if I need to create the SSH host entries for 20 hosts, I would need to create those 20 entries and another 20 SSH tunnel entries. Apart from being an awful kludge, that's not how the -J option in the standard ssh command line client works:

-J destination
Connect to the target host by first making a ssh connection
to the jump host described by destination and then
establishing a TCP forwarding to the ultimate destination
from there. Multiple jump hops may be specified separated
by comma characters. This is a shortcut to specify a
ProxyJump configuration directive. Note that configuration
directives supplied on the command-line generally apply to
the destination host and not any specified jump hosts. Use
~/.ssh/config to specify configuration for jump hosts.


This is the same concept as the RDP Gateway, with different protocols. In fact, RDM has the RDP Gateway object: you define it once, you set up the credentials, and you then reference it anywhere it is needed (host, folder, ...). You don't have to create a specific RDP Gateway entry for each and every RDP host.

Thanks.
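
The "define the jump host once, reference it from every target" behaviour described in the post above, shown on the OpenSSH client side as an added example (not part of the original thread and not an RDM configuration). All host names, users and key paths are constructed placeholders.

```sshconfig
# ~/.ssh/config (constructed example; every name and path is a placeholder)

# The jump host is defined exactly once.
Host bastion
    HostName bastion.example.com
    User jump_host_user
    IdentityFile ~/.ssh/id_ed25519_bastion
    IdentitiesOnly yes
    # ProxyJump runs the second SSH session end to end through a forwarded
    # TCP channel, so the bastion needs neither the agent nor target keys.
    ForwardAgent no

# Every target behind the bastion references the same jump host entry.
# The pattern is matched against the name typed on the command line.
Host *.internal.example.com
    User target_user
    IdentityFile ~/.ssh/id_ed25519_targets
    IdentitiesOnly yes
    ProxyJump bastion
    ForwardAgent no
```

With this in place, `ssh db01.internal.example.com` behaves like `ssh -J jump_host_user@bastion.example.com target_user@db01.internal.example.com`, and `ssh -G db01.internal.example.com` prints the resolved options (including `proxyjump`) without opening a connection.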

avatar

Hello,

Thank you for your detailed reply!

I see. Our engineering department has informed me that we currently have an improvement request that would be what you're looking for in this case.

I've linked your topic to this case and will keep you updated with any news I receive.

I'm however afraid that for now, this would not be possible.

Best regards,

Samuel Dery

avatar

Thank you very much, Samuel, for the follow-up and for confirming our findings. We'll try to find a different solution until Devolutions eventually comes up with a proper implementation.

avatar

Was this functionality added in the end? It looks like there's the ability to specify SSH Tunnels and SSH Gateways, but I haven't figured out how to share them between different SSH sessions. Is there a blog/KB article that explains how to do this?

Thanks!

avatar

Asking the same question - I want the ability to specify an SSH connection to a jumphost which I can then use to reach target hosts. I have tried creating an SSH gateway, and in the SSH terminal 'gateway' settings for the target host I select that SSH gateway (Gateway mode - Linked, not sure if this is the correct setting). Credentials for both jump host and target host are by key - this is created in my Credentials folder.

When I double-click on the target host it almost looks like it is going to work: I am prompted for a username for the target host, and then prompted for a username for the jumphost, but then I am prompted for a password for the jumphost, and on the embedded screen behind it shows an error "Unknown file type......<snip>.. Unable to use key". I tried using a different key file in the Credentials vault but had the same problem.

avatar

Hello,

Thank you for your reply.

Would you be able to provide me with a screenshot of this error and perhaps a screenshot of your configuration? Blur or remove any sensitive information.

Let me know,

Best regards,

Samuel Dery