
Allow multi-hop SSH (like ProxyCommand)

Open jakob opened this issue 7 years ago • 8 comments

I've received feedback from a handful of people that have complex setups, where they need to tunnel through multiple hosts to reach the database server. A typical setup might look like this:

[ Postico ] -- SSH -- [ Jump Host ] -- SSH -- [ Target Host ]

(The database runs on target host, but a firewall blocks direct SSH access, so we would need to tunnel the SSH connection through a jump host first)

This can be accomplished with OpenSSH using the ProxyCommand option. In a previous issue (#432) I've talked about how supporting ProxyCommand in general is not feasible, but the specific case of using multiple SSH tunnels might be feasible.

There are probably a number of ways to accomplish multi-hop SSH. I have a few questions for those of you who use such a setup:

  1. Do you have access to all the keys/passwords required for the involved SSH servers, or do you need keys from the jump host to connect to the target host?

  2. What does your setup look like? How many SSH connections do you need, and how many hosts are involved in total?

  3. What's the exact ProxyCommand that you are using (for multi-hop SSH)?

jakob avatar May 05 '18 05:05 jakob

  1. Yes, all keys are available.
  2. A bastion server accessing a vpc, where the bastion does not have access to the db, requiring a hop to another node.
  3. ProxyCommand ssh -q -W %h:%p bastion

rposborne avatar Aug 09 '18 15:08 rposborne

I think I'm in a similar position as @rposborne. It'd be great to be able to tunnel through the config. My config looks something like this:

Host target-*
    ProxyCommand ssh -W %h:%p bastion.analytics
    LocalForward xxx db.companyname-yyy.com:xxx

where xxx = the port used

Any update on this issue would be great, @jakob! Thanks!

mrkcohen avatar Jan 16 '19 19:01 mrkcohen

Any thoughts here @jakob ?

mrkcohen avatar Feb 06 '19 19:02 mrkcohen

I'd also like to answer the questions:

  1. Experienced both scenarios.
  2. One hop to the target.

fsonntag avatar Feb 08 '19 16:02 fsonntag

  1. My key is not present at the jumpserver, only at the target machine.
  2. Just one hop, my machine - jumpserver - target machine
  3. ProxyCommand ssh -q -W %h:%p jumpserver

I have these hosts stored in my ~/.ssh/config.

elahmo avatar Apr 25 '20 23:04 elahmo

  1. Yes. On my machine.

  2. I jump to a bastion box that is located inside the same subnet as my application containers. From the bastion I jump to the DB. The bastion box is not exposed to the outside, but uses the AWS session manager. I enjoy this secure setup, because there is no ssh port that I need to expose on the bastion, it all runs through the aws cli.

See for details

Host i-* mi-*
ProxyCommand sh -c "PATH=$PATH:/usr/local/bin /usr/local/bin/aws ssm start-session --target %h --document-name AWS-StartSSHSession --parameters 'portNumber=%p'"

georgevanvliet avatar Jul 29 '20 21:07 georgevanvliet
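Added example, not Postico's code or any commenter's: a small Python resolver for ssh_config files like the ones posted in this thread. Given a host, it walks `ProxyJump` and `ProxyCommand ssh ... -W %h:%p jump` entries to list the hops in connection order (the "how many SSH connections / hosts" of jakob's question 2), flags a non-ssh `ProxyCommand` such as georgevanvliet's `aws ssm start-session` one as a proxy hop rather than an SSH hop, and stops on a jump loop. The sample config, all host names and `db.example.invalid` are constructed; the matching follows ssh_config(5) "first obtained value wins" semantics, but only `*`/`?`/`!` patterns and the common ssh flags are handled.

```python
import fnmatch
import shlex

# Constructed sample config, modelled on the snippets posted in this thread.
SAMPLE_CONFIG = """\
Host target-*
    ProxyCommand ssh -q -W %h:%p bastion.analytics
    LocalForward 5432 db.example.invalid:5432

Host bastion.analytics
    User deploy
    IdentityFile ~/.ssh/bastion_ed25519

# AWS Session Manager: the proxy is the aws cli, not another ssh server
Host i-* mi-*
    ProxyCommand sh -c "PATH=$PATH:/usr/local/bin /usr/local/bin/aws ssm start-session --target %h --document-name AWS-StartSSHSession --parameters 'portNumber=%p'"

Host db-internal
    ProxyJump edge, inner

Host edge
    ProxyCommand ssh -W %h:%p outer

Host loop-a
    ProxyJump loop-b
Host loop-b
    ProxyJump loop-a
"""


def parse_ssh_config(text):
    """Return [(patterns, {keyword_lowercase: value}), ...] stanzas in file order."""
    stanzas, patterns, opts = [], ["*"], {}   # options before the first Host apply to all hosts
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # ssh_config(5): only whole-line comments
            continue
        parts = line.split(None, 1)
        key, value = parts[0], (parts[1] if len(parts) > 1 else "")
        if "=" in key:                          # "Key=value" form
            key, _, value = line.partition("=")
        value = value.strip()
        if value.startswith("="):               # "Key = value" form
            value = value[1:].strip()
        key = key.strip().lower()
        if key == "host":
            stanzas.append((patterns, opts))
            patterns, opts = value.split(), {}
        else:
            opts.setdefault(key, value)        # first value within a stanza wins too
    stanzas.append((patterns, opts))
    return stanzas


def host_matches(patterns, host):
    """OpenSSH Host rule: some positive pattern matches and no '!'-negated one does."""
    if any(fnmatch.fnmatchcase(host, p[1:]) for p in patterns if p.startswith("!")):
        return False
    return any(fnmatch.fnmatchcase(host, p) for p in patterns if not p.startswith("!"))


def resolve_options(stanzas, host):
    """Merge matching stanzas; the first obtained value for a keyword wins."""
    merged = {}
    for patterns, opts in stanzas:
        if host_matches(patterns, host):
            for key, value in opts.items():
                merged.setdefault(key, value)
    return merged


# ssh flags that consume the next argument; skipped when locating the jump host
_SSH_ARG_OPTS = {"-W", "-l", "-p", "-i", "-o", "-J", "-F", "-L", "-R", "-D", "-S", "-e", "-c", "-m"}


def jump_from_proxycommand(command):
    """Jump host of an 'ssh [flags] -W %h:%p [user@]jump' ProxyCommand, else None."""
    tokens = shlex.split(command)
    if not tokens or tokens[0].rsplit("/", 1)[-1] != "ssh" or "-W" not in tokens:
        return None
    positional, i = [], 1
    while i < len(tokens):
        if tokens[i] in _SSH_ARG_OPTS:
            i += 2
        elif tokens[i].startswith("-"):
            i += 1
        else:
            positional.append(tokens[i])
            i += 1
    return positional[0].split("@", 1)[-1] if positional else None


def hop_chain(stanzas, host, _seen=()):
    """Hosts the client connects through, in order, ending with `host`.
    A non-ssh ProxyCommand is reported as 'proxy:<program>'; loops raise ValueError."""
    if host in _seen:
        raise ValueError("ProxyJump/ProxyCommand loop: " + " -> ".join(_seen + (host,)))
    seen = _seen + (host,)
    for key, value in resolve_options(stanzas, host).items():
        if key not in ("proxyjump", "proxycommand") or value.lower() == "none":
            continue
        if key == "proxyjump":
            # [user@]host[:port] entries, visited in the order listed; the first jump
            # is itself reached via its own config, the rest as given
            jumps = [j.strip().split("@", 1)[-1].split(":")[0] for j in value.split(",")]
            return hop_chain(stanzas, jumps[0], seen) + jumps[1:] + [host]
        jump = jump_from_proxycommand(value)
        if jump is None:
            return ["proxy:" + shlex.split(value)[0], host]
        return hop_chain(stanzas, jump, seen) + [host]
    return [host]


if __name__ == "__main__":
    cfg = parse_ssh_config(SAMPLE_CONFIG)
    for h in ("target-prod", "i-0abc123", "db-internal", "loop-a"):
        try:
            print(h, "->", " -> ".join(hop_chain(cfg, h)))
        except ValueError as err:
            print(h, "->", err)
```

With `ssh -W` (and the newer `ProxyJump`) the jump host only forwards a TCP stream; the SSH session to the target is negotiated end to end from the client, so the target's private key never needs to exist on the jump host, which is the situation elahmo describes. The SSM stanza shows the other shape: the hop is not an SSH server at all, so a client that can only model "ssh to A, then ssh to B" would not cover it.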

I as well would like to be able to connect with AWS SSM to my database. SSM accepts an instance id as a hostname and works on the command line, but can't resolve the hostname in Postico 2. Docs: https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-getting-started-enable-ssh-connections.html

This is a much better way to access your DB because you can control access via IAM.

revmischa avatar Oct 04 '22 16:10 revmischa