ProxyJump

... from the black magic voodoo ssh box of the tech priests ...

[Scroll down for the TL;DR section]

I'm writing this post as an ode to ProxyJump of ssh, one of the little helpers that make your day awesome.
If you are working on multiple computers in different companies/networks, at some point you encounter the scenario where you want to access a computer that is only reachable via another computer. Let's say you need to access your office computer named datenhalde from home, but datenhalde is only reachable from within the company network.
Luckily your company provides a public ssh gateway named gateway, which you can connect to from your home computer (named zuhause). On a Friday you decide that it's a day where you want to work from home without interruptions. Perhaps you just brewed a nice cup of coffee and start your work.

At some point you might find it unnecessarily boring to always type ssh gateway and then ssh datenhalde, and you wonder if there is not a more convenient way to directly access datenhalde from zuhause via gateway, but without the fuss of redundant ssh typing.

This is where ProxyJump comes into play. Use the -J option:

Here ssh connects first to gateway and then to datenhalde. Awesome!

ssh config for even more convenience

Even better, you can put the ProxyJump into your ssh config, so every time you access a host, ssh first jumps to the given gateway host and then to the destination. Too complicated? Just look at the following example:

Now, if you connect to datenhalde via ssh, it automatically and transparently first jumps to gateway and then to datenhalde. This configuration then applies to all tools that are built on top of ssh, like scp, rsync or libvirt.

TL;DR

Want to connect to your work computer datenhalde via an ssh gateway in one single command?

Want to configure your ssh config to always jump via gateway before connecting to datenhalde?

Then your ssh connections will transparently always jump over gateway.

ProxyJump for the glory!

ProxyJump is a tool for the tech priests, and it's imperative that every adept of the Adeptus Mechanicus shall be able to handle it.
... in the (unlikely?) case that they also use ssh in Warhammer 40k ...

ssh config for IPv6

This is just a short note to remind me how to configure a link-local IPv6 address in the ssh config.

Remember to write two percent signs (%%), otherwise you might get errors similar to the following:

IPv6 for the win!
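The ProxyJump config from the first section and the link-local IPv6 note above, combined into one ~/.ssh/config as an added example (not taken from the original post). The host aliases gateway, datenhalde and labbox-v6, the user name alice, the example.com host names, the address fe80::1 and the interface eth0 are all assumptions.

```sshconfig
# ~/.ssh/config  (added example; all names and addresses are assumptions)

# The company's public ssh gateway, reachable directly from zuhause.
Host gateway
    HostName gateway.example.com
    User alice

# The office box, only reachable from inside the company network.
# ProxyJump makes ssh connect to "gateway" first and then tunnel the
# connection to datenhalde through it, so
#     ssh datenhalde
# behaves like
#     ssh -J gateway datenhalde
# Tools built on ssh (scp, rsync, libvirt) pick this up automatically.
Host datenhalde
    HostName datenhalde.internal.example.com
    User alice
    ProxyJump gateway

# Link-local IPv6 address with a zone id. ssh_config expands %-tokens
# (%h, %p, %r, ...), so the literal percent sign in front of the
# interface name must be written as %% here, while on the command line
# a single % is used: ssh alice@fe80::1%eth0
Host labbox-v6
    HostName fe80::1%%eth0
    User alice
```

Check the effective settings without connecting by running ssh -G datenhalde, which prints the resolved configuration including the proxyjump line.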

Triple Seven - Just a random ssh bug

Since yesterday a new OpenSSH bug has been known: Triple Seven.

Due to a problem in memory management, malicious servers are able to read out the client's private ssh key. So if you have connected to an untrusted ssh server, it is possible that your own ssh key has been compromised.
Anyone who is not sure is therefore advised to generate new ssh keys and banish the old ones (important!).

An update that is supposed to fix the problem is now available for Debian, Ubuntu, RHEL and other distros.

If you cannot update your client right now, you should switch off the UseRoaming option. Either as a parameter in /etc/ssh/ssh_config

or as a program argument on the command line.

And to wrap up: if anyone is in the mood for dubious conspiracy theories, you can start with this Heise comment 🙂