I manage many different environments for my clients and most of them have a bastion host which I must connect through in order to access sensitive services (i.e. web servers, database servers, etc.).
A traditional way for me to configure this access is to run ssh-add -K ~/path/to/my/identity/file and then ssh -A user@server.com.
The problem is that every time I reboot my Mac, the agent is cleared and I have to look up and go through all of those steps again.
I'm LAZYYYYY. I don't want to keep doing this.
So, I've outlined a few steps to remove the extra setup.
Configuring the SSH config file
The SSH configuration file acts as a master configuration for how your ssh client connects to downstream services.
It allows you to specify host aliases so you don't have to type the fully qualified hostname, the user to use for certain aliases, and the identity file used to connect to the instance.
First, navigate to your ~/.ssh folder.
Next, open the config file using your preferred CLI editor (I use vim):
    cd ~/.ssh
    sudo vim config
Note: using the sudo command will automatically prompt you for your machine password. sudo is not actually required for a file inside your own home directory, and a config file created this way will be owned by root, so you will need sudo again every time you edit it.
Once open, enter your configuration as follows.
First, we will set a global rule for all hosts:
    Host *
        AddKeysToAgent yes
This step is only needed if ALL of your hosts use a bastion and you need the SSH agent to pass your identity down the chain. If only some of your hosts need this, you can add the AddKeysToAgent yes line just to those hosts, or specify a host pattern such as Host *.domain.com.
Next, specify your individual host configuration lines with aliases:
    Host my_alias
        HostName my.fully.qualified.server.com
        User remote_user_name
        IdentityFile ~/path/to/my/identity/file
The my_alias is what you will use to connect. If you specify the User line, this user will always be used; otherwise, you can omit it and specify the user each time you connect.
Aliasing the SSH client
Unfortunately, this configuration alone only loads the key into the agent; it does not forward the agent to the bastion, so you must still pass the -A flag (the config-file equivalent is ForwardAgent yes). Bear in mind that agent forwarding lets anyone with root on the bastion use your loaded keys for as long as you are connected, so only forward to hosts you trust.
To work around this, we can add a shell alias for ssh that automatically appends that flag for us.
Now, if you're like me and don't really want to remember another command, you can override the default ssh command; if you'd rather create a new name for it, that's also an option.
First, navigate to your home directory:
    cd
or
    cd ~
Next, create or modify the profile for your chosen shell.
I'm using bash, so it would be the .bash_profile file. If you're using zsh, it's the .zprofile file.
    cd ~
    vim .bash_profile
If for some reason you don't have write permission to your own home folder (which you should), then simply use sudo vim .bash_profile instead.
The existing file will be opened, or a new file will be created.
Enter the following line into the editor:
    alias ssh='ssh -A'
This basically tells the shell that every time we type ssh we actually want ssh -A to be executed.
Loading the configuration
Now, every time a new command window is opened, this alias will automatically be created.
If you do not want to close and reopen your terminal, or reboot your computer, you can run the following command to load your configuration into the current session immediately:
    source .bash_profile
Testing your setup
From here, run ssh my_alias to verify that you can log in, then ssh into the next box from there; you should be good to go.
Going one step further
If you are like me and connecting to hosts downstream of a bastion, it's helpful to skip the additional ssh my.protected.host after logging in to the bastion host. I like to do this all from my local machine.
So.
We can accomplish this by modifying our ~/.ssh/config file to automatically pass down the aliases.
First, I modify that ssh configuration using my preferred editor:
    sudo vim ~/.ssh/config
This, again, opens up my configuration.
Previously, we had the following:
    Host *
        AddKeysToAgent yes
    Host my_alias
        HostName my.fully.qualified.server.com
        User remote_user_name
        IdentityFile ~/path/to/my/identity/file
We will modify the existing configuration for my_alias to match BOTH my_alias and *.my_alias (e.g. web1.my_alias):
    Host *
        AddKeysToAgent yes
    Host my_alias *.my_alias
        HostName my.fully.qualified.server.com
        User remote_user_name
        IdentityFile ~/path/to/my/identity/file
This will ensure anything with the suffix .my_alias will also use the my_alias configuration, while preserving my_alias on its own to connect to just the bastion host.
Now, we will add a new alias configuration for the protected server:
    Host web1.my_alias
        RemoteCommand ssh web1.protected.local
        RequestTTY force
There are simply two lines here.
RemoteCommand is the command that is immediately executed on the machine upon first login: we execute ssh followed by either the IP address or the host name of the protected instance (in my case web1.protected.local).
RequestTTY will ensure that we always get back a shell console for us to run future commands manually. If we were just executing a command and quitting, we could omit this.
Now we, again, save our configuration file and should be able to connect to our protected host by executing ssh web1.my_alias and get back the command console for the protected instance. When we run exit, it will automatically log out of both instances.
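Both Host blocks above match web1.my_alias, and ssh keeps the first value it obtains for each keyword, so web1.my_alias gets HostName, User and IdentityFile from the my_alias *.my_alias block and RemoteCommand and RequestTTY from its own. The resolver below is an added example, not code from the original article or from OpenSSH: it reproduces that Host matching (wildcards, negated patterns, first value wins) over a constructed copy of the final config so you can see what each alias resolves to before you connect.

```python
import re
# Constructed sample: the final ~/.ssh/config the article builds up.
SAMPLE_CONFIG = """
Host *
    AddKeysToAgent yes
Host my_alias *.my_alias
    HostName my.fully.qualified.server.com
    User remote_user_name
    IdentityFile ~/path/to/my/identity/file
Host web1.my_alias
    RemoteCommand ssh web1.protected.local
    RequestTTY force
"""

def parse_config(text):
    """Split ssh_config text into (Host patterns, options) blocks, in file order."""
    blocks, patterns, options = [], ["*"], {}   # options before any Host apply everywhere
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)       # "Keyword value"; keywords are case-insensitive
        if len(parts) != 2 or parts[0].startswith("#"):
            continue
        key, value = parts[0].lower(), parts[1]
        if key == "host":
            blocks.append((patterns, options))
            patterns, options = value.split(), {}
        else:
            options[key] = value
    blocks.append((patterns, options))
    return blocks

def glob_match(pattern, host):
    """ssh_config wildcards: '*' matches any run of characters, '?' one character."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, host, re.IGNORECASE) is not None

def block_applies(patterns, host):
    """A block applies when some pattern matches and no '!'-negated pattern does."""
    positive = any(glob_match(p, host) for p in patterns if not p.startswith("!"))
    negated = any(glob_match(p[1:], host) for p in patterns if p.startswith("!"))
    return positive and not negated

def resolve(host, text=SAMPLE_CONFIG):
    """Effective options for the name typed on the command line; first value wins."""
    effective = {}
    for patterns, options in parse_config(text):
        if block_applies(patterns, host):
            for key, value in options.items():
                effective.setdefault(key, value)
    return effective
```

On a real machine, ssh -G web1.my_alias prints the same resolved values straight from your own config, which is the quickest way to check a Host pattern before trusting it.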
Conclusion
In this article, we learned:
- How to create an alias for the ssh command to always enable the SSH agent.
- How to use the ~/.ssh/config file to create aliases for our long domain names or IP addresses, add a user, and specify the identity file to use for the connection.
- How to extend the ~/.ssh/config file to execute remote commands that automatically log in to a protected instance, simplifying future logins.