Articles related to real life scenarios involving java, frameworks and libraries configurations and salt-stack. The topics includes Core Java, Hibernate, Spring MySQL, Multithreading, Java NIO, jQuery, c3p0, Connection pooling, salt state, pillar, grain etc.

Monday, July 16, 2018

Setup SFTP tunnel through bastion/jump server with agent forwarding

11:22 PM Posted by Unknown No comments

Setup SFTP ssh tunnel through bastion/jump server with agent forwarding

Someone has said "With Security comes complexity". In some cases operational or otherwise, while configuring private network with bastion/jump server you require SFTP/SCP access to the private servers.
  • This is assuming you already have SSH configuration done for ssh jumping, if not follow the steps in (link)

Assumptions and Definition

We have 3 servers/machines here to work with.
  • LocalMachine: You Computer running macOS or Ubuntu/Linux
  • Bastion: Bastion/Jump Server having public access to port 22/SSH port.
  • PriNetServer: A server which is running in private network but is accessible through Bastion/JumpServer
  • You are able to connection to Bastion server through SSH and have root access or at least sudo access to restart ssh
  • Bastion server is able to connect to PriNetServer through SSH using SSH Agent Forwarding.
Here's the steps to enable SFTP ssh tunnel through bastion/jump server.

SSH Configuration on the Bastion server

SSH Daemon config changes

  • Edit /etc/ssh/sshd_config
  • Make sure to enable the following options.
AllowTcpForwarding yes PermitTunnel yes AllowAgentForwarding yes PermitOpen any
  • If you want to enable tunneling for a specific user you can do the following
Match User app AllowTcpForwarding yes ...
  • Restart ssh service ssh restart

User specific configuration for port forwarding/tunneling automation

  • We are going to use app user in this example.
  • Create or Edit app user ssh config file /home/app/.ssh/config
  • Add the following.
Host PriNetServer HostName #Private IP Address of PriNetServer User app Port 22 LocalForward 30022 # This forwards bastion port 30022 to 22 port of PriNetServer

LocalMachine Setup

Once all the setup done in Bastion server. You now should be able to create a tunnel thorugh bastion to access SFTP of the PriNetServer
  • In this example I am using scp for SFTP access, you can use any other program like filezilla.

Create Tunnel/Forward Port

ssh -A -L 30022:localhost:30022 app@<bastion_server_host_or_ip> -t ssh PriNetServer
In the above command -A is for enable AgentForwarding, -Lis used for port forwarding. In this it is asking SSH to create a tunnel from your LocaMachine's port 30022 to 30022 port of the Bastion server. You can use any unused port for tunneling.
The last part -t is the command to be executed once you have sshed into the bastion server. You can remove that and manually ssh PriNetServer once you are on bastion server.

Now that the tunnel is ready, I will upload a file to the PriNetServer and download the same file from there.

  • Run the following command to upload file.
scp -P 30022 /tmp/hello.test app@localhost:/tmp/
  • Run the following command to download a file.
scp -P 50022 app@localhost:/tmp/hello.test /tmp/hello.testdloaded

The process can be used for tunneling or any port forwarding. Like mysql port etc.


Post a Comment