mina-sshd

Support for more than one jump host

Open nightman68 opened this issue 2 years ago • 8 comments

Description

I have a special server running to which the connection is only possible via 2 jump hosts and my configuration for SSH looks like this:

Host jump1
  Hostname                    jump1.corp
  Port                        22
  User                        nightman
  LogLevel                    QUIET

Host jump2
  HostName                    jump2.dmz.corp
  Port                        22
  User                        nightman
  ProxyJump                   jump1
  LogLevel                    QUIET

Host host*.dmz.corp
  ProxyJump                   nightman@jump2:22

This is working well with the native SSH clients.

It would be nice if your great library would support such a configuration as well!

:-)

Motivation

Enhancements would make the library better usable for jump hosts.

Alternatives considered

There is no workaround I found so far.

Additional context

No response

nightman68, Feb 06 '23 15:02

Looks like a shortcoming/bug in SshClient.java, connect() and doConnect(): it appears to parse only the ProxyJump in the top-level Host entry.

As a work-around, try

Host host*.dmz.corp
  ProxyJump nightman@jump2:22,nightman@jump1:22

That should work (if I read the code right), and also should work with openSSH.

tomaswolf, Feb 07 '23 19:02

@tomaswolf thanks for the quick response! I tested the workaround and it's working with one edit: the order of the proxy must be changed:

Host host*.dmz.corp
  ProxyJump nightman@jump1:22,nightman@jump2:22

The other settings like in the original post.

For the native SSH client the order must be like proposed by you :-( Tested with openSSH 1.0.2 k on RH 7 and 1.1.1 i in a git bash.

nightman68, Feb 08 '23 09:02

> For the native SSH client the order must be like proposed by you :-(

So there's even a bug in that implementation in Apache MINA sshd. Really :-(.

tomaswolf, Feb 09 '23 17:02

If it will help I can run tests with a fixed pre package.

nightman68, Feb 09 '23 18:02

Thanks for the offer. I won't have any time for any coding in the next few weeks, but perhaps someone else takes this on. Otherwise I'll take a look sometime in March.

tomaswolf, Feb 09 '23 18:02

Any update?

nightman68, Jun 26 '23 07:06

Nope; I didn't get around to this yet. But it's up for grabs; we do welcome PRs.

tomaswolf, Jun 29 '23 06:06

A PR #477 is available to fix this issue. I tested it with the 2 configurations below.

configuration 1:

Host host*.dmz.corp
  ProxyJump     [email protected]:22,[email protected]:22,[email protected]:22

configuration 2:

Host jump1
  Hostname                    jump1.corp
  Port                        22
  User                        nightman
  ProxyJump                   jump2
  LogLevel                    QUIET

Host jump2
  HostName                    jump2.dmz.corp
  Port                        22
  User                        nightman
  ProxyJump                   jump3
  LogLevel                    QUIET

Host jump3
  HostName                    jump3.dmz.corp
  Port                        22
  User                        nightman
  LogLevel                    QUIET

Host host*.dmz.corp
  ProxyJump                   jump1

nightman68, Mar 18 '24 17:03
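
How the nested per-host ProxyJump entries of configuration 2 resolve into a hop sequence, as an added example that is not part of the thread and not mina-sshd code: a standalone Python sketch that follows each jump host's own ProxyJump entry and rejects loops. The function names are hypothetical, `host1.dmz.corp` is a constructed target name, and only single-valued ProxyJump entries are handled (comma-separated lists are rejected).

```python
import fnmatch

# Constructed input: "configuration 2" from the thread, reduced to the
# keywords that matter for hop resolution.
SAMPLE_CONFIG = """\
Host jump1
  Hostname   jump1.corp
  ProxyJump  jump2
Host jump2
  HostName   jump2.dmz.corp
  ProxyJump  jump3
Host jump3
  HostName   jump3.dmz.corp
Host host*.dmz.corp
  ProxyJump  jump1
"""

def parse_config(text):
    """Return [(host_patterns, {lowercased keyword: value})] in file order."""
    blocks = []
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        key, value = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if key == "host":
            blocks.append((value.split(), {}))
        elif blocks:
            blocks[-1][1].setdefault(key, value)  # keep the first value per block
    return blocks

def lookup(blocks, name, keyword):
    """First matching Host block that sets the keyword wins, as in ssh_config."""
    for patterns, opts in blocks:
        if keyword in opts and any(fnmatch.fnmatchcase(name, p) for p in patterns):
            return opts[keyword]
    return None

def resolve_chain(blocks, target, _path=()):
    """Jump hosts to traverse before target, first hop first."""
    if target in _path:  # a jump host that (indirectly) proxies through itself
        raise ValueError("ProxyJump loop: " + " -> ".join(_path + (target,)))
    jump = lookup(blocks, target, "proxyjump")
    if jump is None or jump.lower() == "none":
        return []
    if "," in jump:
        raise ValueError("comma-separated ProxyJump lists are out of scope here")
    alias = jump.rpartition("@")[2].split(":")[0]  # strip user@ and :port (no IPv6)
    return resolve_chain(blocks, alias, _path + (target,)) + [alias]

if __name__ == "__main__":
    print(resolve_chain(parse_config(SAMPLE_CONFIG), "host1.dmz.corp"))
```

Host patterns are matched against the alias as written, not against the resolved HostName, so `jump1` is looked up under `Host jump1` while the target matches `Host host*.dmz.corp`.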