⚠️ This guide does NOT use a separate SSH key per server, which is recommended for security purposes. It also does not show the use of passphrase-protected keys; you should protect your private keys with a passphrase.
- Bastion server: Sometimes called a "jump server", this is the one server reachable from your laptop. It may or may not sit behind a VPN, but it should always have a firewall in front of it. This is essentially your front door. Always lock your doors.
- SSH Agent: This is a program that runs on your laptop and keeps your SSH private keys loaded in memory, so you unlock a key once rather than for every connection. It is started with:

```sh
eval $(ssh-agent)
```
- SSH Keys: These consist of 2 parts:
  - Private key: This is the file with many lines of text that looks like a rectangle. This file must be protected and never exposed to the world. If it is ever compromised, generate new keys and dispose of the old ones.
  - Example (truncated; a real 4096-bit RSA private key has many more lines):

```
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAACFwAAAAdzc2gtcn
NhAAAAAwEAAQAAAgEAuh1zq5Vml7Npe4xQQX+JQXpFV0Trd1IKgAyXzeWrLuuqelfryPt1
bMcRN/VWuCoPxtGB0AKkY7PFCITaEBc+y+Gog71Urpz+QLodmOqRIs/8yFpvh2tBsUj1jz
aDTD1NEnE/xvYWl9R1vHZRmenTQ+4kQ31f5ZO+A8O1Feh0qubSfxcUR319EZO/6k3JbizC
Ny1Q59BYXJVyW6YEj3MAUrlQeZS+AVujPtUP1iWPvFXzDZxBiov6qDWv/04t4Iqmdd9FMn
Ubd88J+NAuUHsa4H67Nzhx/rvyeKWD7HvLpIMLCq+VOZnrvtHcqv950+Cpwt3pTpYsrspR
kxgELf8LbXMvTN3+jwN8/qSncKsyWGZ6MA+Q5zKNXGdXzNeLvGj4QPmO5Hh8Gs3B0elFhx
H88HoITPyTjPrblkMq76ldoosIDRUfT8GTGVbZq/ofZZSiOGs5R6QeR6eP+OAePMVe+jhu
oIDmwm6lcidcbceYCC1MyIA4jdD6oGVrwpZZMygXlZJGadRldH2Cz9Wwchq1sKFBlYAeLJ
c7FiDCs7U3AGRbCq7Wdchk+QKiTxepuJJcvUKhkY1wFuQd9UfIqvhSs+BLU4sXrbd7yvxO
-----END OPENSSH PRIVATE KEY-----
```
  - Public key: This file will be called something like `my_key_name.pem.pub`. The contents are 1 long line, starting with `ssh-rsa` (for RSA keys). This is not sensitive data, hence the name "public"; you can freely share it without compromising security. This file should be copied to the bastion and private server(s) and appended to `/home/the-user-you-ssh-in-as/.ssh/authorized_keys`.
  - Example (truncated; a real 4096-bit RSA public key is considerably longer):

```
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC6HXOrlWaXs2l7jFBBf4lBekVXROt3UgqADJfN5asu66p6V+vI+3VsxxE39Va4Kg/G0YHQAqRjs8UIhNoQFz7L4aiDvVSunP5Auh2Y6pEiz/zIWm+Ha0GxSPWPNoNMPU0ScT/G9haX1HW8dlGZ6dND7iRDfV/lk74Dw7UV6H me@my-laptop
```

Notice the `me@my-laptop` portion: this is the key comment. It can be modified at will, plays no part in authentication, and is used to clearly identify the key.
- SSH Config: this file lives on your laptop, typically at `~/.ssh/config`.
- Example (the `Hostname` values are placeholders):

```
Host bastion-server
    Hostname 123.456.789.000
Host private-server
    Hostname 192.168.0.1
    ProxyJump bastion-server
```
In order for your laptop to access the private server, you need to perform the following steps.
- Generate SSH keys

```sh
ssh-keygen -t rsa -b 4096 -C "me@my-laptop" -f ~/.ssh/bastion-example.pem
```

This creates a new 4096-bit RSA key pair with the comment (the `-C` value) set to `me@my-laptop`. The private key will be `~/.ssh/bastion-example.pem`, the public key `~/.ssh/bastion-example.pem.pub`. ssh-keygen will prompt for a passphrase; set one.
- Assuming you are using EC2, make sure AWS has your public key (import it as an EC2 key pair) and select that key pair when you provision both the bastion server and the private server. You should use different keys for the bastion and the private servers, but in this example I am not.
- On your laptop, add the following to your `~/.ssh/config`:

```
# Bastion: Hostname is the AWS EC2 EIP or Public IP
Host bastion-server
    Hostname 123.456.789.000
    IdentityFile ~/.ssh/bastion-example.pem
    User ubuntu

# Private server: Hostname is the AWS Private IP.
# ProxyJump names the bastion entry defined in this file (an IP or FQDN also works).
Host private-server
    Hostname 192.168.0.1
    ProxyJump bastion-server
    IdentityFile ~/.ssh/bastion-example.pem
    User ubuntu
```

This defines your bastion and your private server. Notice that the private server uses the bastion server's alias for `ProxyJump`, so ssh takes the bastion's address, key and user from the bastion's own entry in this same file.
- Load the SSH keys into memory on your laptop

```sh
# This only needs to be run once per shell (tab in terminal).
# You can add it to your ~/.bashrc or ~/.bash_profile if you want. I do.
eval $(ssh-agent)
ssh-add -k ~/.ssh/bastion-example.pem
```

This loads the private key created in step 1 (or an existing key) into the agent; if the key has a passphrase, ssh-add prompts for it once here. (`-k` tells ssh-add to load plain private keys only and skip certificates; it is harmless but not required for this key.) Be aware that running `eval $(ssh-agent)` from a shell startup file starts a fresh agent for every new shell; if your desktop session already provides one, `$SSH_AUTH_SOCK` will be set and you can skip it. You can confirm the key is loaded with the `ssh-add -l` command:

```
root@18c2414b12b2:/# eval $(ssh-agent)
Agent pid 4076
root@18c2414b12b2:/# ssh-add -k ~/.ssh/bastion-example.pem
Identity added: /root/.ssh/bastion-example.pem (/root/.ssh/bastion-example.pem)
root@18c2414b12b2:/# ssh-add -l
4096 SHA256:J4pJTKFZ4CJYg8ahbs6BTA6WrmSTyS5UukXKbvGm7ek /root/.ssh/bastion-example.pem (RSA)
root@18c2414b12b2:/#
```
- Attempt to SSH to the bastion from your laptop

```sh
ssh bastion-server
```

Note that I am using the alias we defined in `~/.ssh/config`. You should be logged into your bastion if everything is working correctly.

```sh
# Log out of the bastion
exit
```
- Attempt to log in to your private server from your laptop

```sh
ssh private-server
```

Note firstly that I run this from my laptop, NOT FROM THE BASTION, and secondly that I use the alias defined in `~/.ssh/config`. If everything worked, you are now logged into your private server.

If the above steps are followed and functioning, you can now reach your private server(s) through your bastion, and your private servers do not need EIPs or public IPs. `ProxyJump` opens a TCP forward through the bastion to the private server's SSH port and runs the second SSH handshake end to end over it: no shell is opened on the bastion, your private key never leaves your laptop, and no agent forwarding (`ssh -A`) is needed. The bastion's sshd must therefore permit TCP forwarding (`AllowTcpForwarding`, which is on by default). Keep in mind that your SSH, SCP and Ansible tasks will all go through your bastion, which may make communications slower.

```
me@my-laptop -> bastion-server -> private-server
```
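The whole laptop-side procedure above, as an added shell example that is not code from the original post: it generates the key pair with the guide's ssh-keygen flags, writes the ProxyJump config, uses `ssh -G` (which prints the effective per-host settings and exits without connecting) to check that `private-server` really jumps via `bastion-server` while `bastion-server` itself does not, and confirms the agent holds the key by comparing the fingerprint from `ssh-add -l` with the one from `ssh-keygen -lf`. It assumes OpenSSH is installed; the addresses 203.0.113.10 and 192.168.0.1, the `ubuntu` login, the empty passphrase and the added `IdentitiesOnly yes` directive are assumptions for this offline demo, not part of the original.

```sh
#!/bin/sh
# Added example (not from the original post): builds the laptop side of the
# setup described above in a scratch directory and verifies it without opening
# any network connection. Assumes OpenSSH (ssh, ssh-keygen, ssh-agent, ssh-add)
# is installed. 203.0.113.10 (a documentation address), 192.168.0.1, the
# "ubuntu" login and the empty passphrase are placeholders for this demo.
set -eu

# Step 1: generate the key pair with the same flags as the guide. -N is added
# so the script runs unattended; an empty passphrase is only acceptable here.
gen_key() {          # $1 = private key path, $2 = passphrase
    ssh-keygen -q -t rsa -b 4096 -C "me@my-laptop" -N "$2" -f "$1"
}

# Step 3: write the client config. IdentitiesOnly is added to the guide's
# config so ssh offers only the named key, not every key the agent holds.
write_config() {     # $1 = config path, $2 = key path, $3 = bastion IP, $4 = private IP
    cat > "$1" <<EOF
# Bastion: the only host with a public address
Host bastion-server
    Hostname $3
    IdentityFile $2
    User ubuntu
    IdentitiesOnly yes

# Private server: reached only through the bastion, never directly
Host private-server
    Hostname $4
    ProxyJump bastion-server
    IdentityFile $2
    User ubuntu
    IdentitiesOnly yes
EOF
    chmod 600 "$1"
}

# "ssh -G" prints the effective configuration for a host alias and exits
# without connecting, so the ProxyJump wiring can be checked offline.
effective_option() { # $1 = config path, $2 = host alias, $3 = option name (lowercase)
    ssh -G -F "$1" "$2" | awk -v k="$3" '$1 == k { print $2; exit }'
}

# Step 4: load the key into a throwaway agent and confirm that the fingerprint
# the agent reports (ssh-add -l) matches the key on disk (ssh-keygen -lf).
agent_fingerprint_matches() {   # $1 = private key path
    eval "$(ssh-agent -s)" >/dev/null
    ssh-add "$1" >/dev/null 2>&1
    agent_fp=$(ssh-add -l | awk '{ print $2; exit }')
    disk_fp=$(ssh-keygen -lf "$1.pub" | awk '{ print $2 }')
    ssh-agent -k >/dev/null
    [ "$agent_fp" = "$disk_fp" ]
}

demo() {
    work=$(mktemp -d)
    key="$work/bastion-example.pem"
    cfg="$work/config"
    gen_key "$key" ""
    write_config "$cfg" "$key" "203.0.113.10" "192.168.0.1"
    echo "private-server jumps via: $(effective_option "$cfg" private-server proxyjump)"
    via=$(effective_option "$cfg" bastion-server proxyjump)
    echo "bastion-server jumps via: ${via:-nothing, it is reached directly}"
    if agent_fingerprint_matches "$key"; then
        echo "agent holds: $(ssh-keygen -lf "$key.pub")"
    fi
    rm -rf "$work"
}

if command -v ssh >/dev/null 2>&1; then
    demo
else
    echo "OpenSSH client not installed; nothing to demonstrate" >&2
fi
```

Run it with `sh` from any directory; everything happens in a temporary directory that is removed afterwards. For real use, drop `-N ""` so ssh-keygen prompts for a passphrase, write the config to `~/.ssh/config`, and keep `ssh -G private-server` as the check to run whenever you edit that file: it shows exactly which key, user and jump host ssh will use before you ever connect.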