June 26, 2021
In this article I will explain how you can gain SSH access to servers running in private subnets.

As illustrated in the image above, the destination hosts are private servers that have no public IP address attached to them. Since there is no public IP address, we cannot SSH into them directly from the internet.
Basically we need a jump server, a.k.a. a bastion host, to reach the private servers: it acts as the intermediate hop through which the private subnet is accessed. The bastion host is placed in a public subnet and has a public IP assigned.
One could keep the private keys for the private servers on the bastion host and SSH into them from there. The problem with this approach is that if an attacker gains access to your bastion host, they also get the keys to every private instance, and reaching them becomes trivial.
To tackle this problem, SSH agent forwarding comes into the picture. Basically you tunnel your connection through the bastion host without ever storing private keys on it.
OpenSSH, which ships with Linux (and with macOS and modern Windows), provides ssh-agent and the ssh-add utility; agent forwarding is built on them.
Let's say you have two private keys, one for accessing the bastion host and another for accessing the private servers. Use the commands below to add those keys to your local ssh-agent.
$ ssh-add <bastion-host-key>
$ ssh-add <private-server-key>
Confirm that your keys have been added to the agent using the command below; the fingerprint of each loaded key will be printed.
$ ssh-add -l
Now log in to the bastion host with agent forwarding enabled (the -A flag):
$ ssh -A <bastion-host-user>@<bastion-host-ip>
Once you are logged in to the bastion host, run the command below to access your private server.
$ ssh <private-server-user>@<private-ip-of-server>
The above command will log you in to the private server.
Wondering how it worked without a private key on the bastion?
ssh-add does not keep the keys in your "ssh session"; it loads them into ssh-agent, which holds them in memory on your own machine. The -A flag forwards that agent's Unix socket to the bastion host, so when the ssh client on the bastion has to prove your identity to the private server, it sends the signing request back through the tunnel to your local agent, which signs it with the matching key. The private key itself never leaves your machine. The client offers each loaded identity in turn until the server accepts one, which is why both keys must be added up front.
Two caveats apply. First, while you are connected, anyone with root on the bastion can use your forwarded socket to authenticate as you to any host your agent's keys unlock; they cannot copy the keys, but they can use them for as long as the session is open. Enable forwarding only for the bastion (ForwardAgent yes in a Host stanza for it, or -A on that one command), never globally. Second, OpenSSH 7.3 and later can make the same hop without forwarding the agent at all: ssh -J <bastion-host-user>@<bastion-host-ip> <private-server-user>@<private-ip-of-server> turns the bastion into a plain TCP relay, and both authentications happen from your own machine.
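The whole procedure above, as an added example rather than code from the original article: a small POSIX shell script that loads the two keys into the local agent, reports how many identities the agent holds, writes an ssh_config with agent forwarding scoped to the bastion only, and offers both the two-hop agent-forwarding connection and the ProxyJump alternative. The user names, the addresses 203.0.113.10 and 10.0.1.20, the key paths and the config file path are all assumed placeholders.

```shell
#!/bin/sh
# Added example, not from the original article. Every user name, address,
# key path and config path below is an assumed placeholder; replace them.
set -eu

BASTION_USER="ubuntu"
BASTION_IP="203.0.113.10"                 # assumed public IP of the bastion
PRIVATE_USER="ubuntu"
PRIVATE_IP="10.0.1.20"                    # assumed private IP of the target
BASTION_KEY="${HOME:-.}/.ssh/bastion_ed25519"
PRIVATE_KEY="${HOME:-.}/.ssh/private_ed25519"
SSH_CFG="${HOME:-.}/.ssh/bastion_config"  # assumed path of the generated config

# Load both keys into the local ssh-agent, starting one if none is running.
# The keys live only in this machine's agent memory; the bastion never
# sees them, which is the whole point of the exercise.
load_keys() {
    if [ -z "${SSH_AUTH_SOCK:-}" ]; then
        eval "$(ssh-agent -s)" >/dev/null
    fi
    ssh-add "$BASTION_KEY"
    ssh-add "$PRIVATE_KEY"
}

# Number of identities the agent holds (0 if it is empty or not running).
# Every identity line of `ssh-add -l` contains a fingerprint with a colon;
# "The agent has no identities." does not.
loaded_key_count() {
    ssh-add -l 2>/dev/null | grep -c ':' || true
}

# Render an ssh_config with the two hosts. ForwardAgent is enabled for the
# bastion stanza only; "private" uses ProxyJump, which needs no forwarding
# because the bastion just relays TCP and both hops authenticate from here.
render_ssh_config() {
    cat <<EOF
Host bastion
    HostName $BASTION_IP
    User $BASTION_USER
    IdentityFile $BASTION_KEY
    IdentitiesOnly yes
    ForwardAgent yes

Host private
    HostName $PRIVATE_IP
    User $PRIVATE_USER
    IdentityFile $PRIVATE_KEY
    IdentitiesOnly yes
    ForwardAgent no
    ProxyJump bastion
EOF
}

# The article's method: log in to the bastion with the agent forwarded and
# start a second ssh there. -t keeps a tty for the inner interactive session.
connect_via_forwarding() {
    ssh -F "$SSH_CFG" -t bastion ssh "$PRIVATE_USER@$PRIVATE_IP"
}

# Same destination without forwarding: ProxyJump handles the hop.
connect_via_proxyjump() {
    ssh -F "$SSH_CFG" private
}

# Usage: ./bastion.sh setup    (write the config and load the keys)
#        ./bastion.sh jump     (connect with ProxyJump)
#        ./bastion.sh forward  (connect with agent forwarding)
case "${1:-}" in
    setup)   mkdir -p "$(dirname "$SSH_CFG")"
             render_ssh_config > "$SSH_CFG"
             chmod 600 "$SSH_CFG"
             load_keys
             echo "keys loaded in agent: $(loaded_key_count)" ;;
    jump)    connect_via_proxyjump ;;
    forward) connect_via_forwarding ;;
    *)       ;;   # no argument: only define the functions (safe to source)
esac
```

Run `./bastion.sh setup` once per login session, then `./bastion.sh jump` for day-to-day access; keep `forward` only for cases where the bastion itself genuinely needs to initiate SSH on your behalf, and close that session as soon as you are done.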
So this is everything in this article… Cheers 😃