jakob / Postico

Public issue tracking for Postico
https://eggerapps.at/postico/

Allow multi-hop SSH (like ProxyCommand) #532

Open jakob opened 6 years ago

jakob commented 6 years ago

I've received feedback from a handful of people that have complex setups, where they need to tunnel through multiple hosts to reach the database server. A typical setup might look like this:

[ Postico ] -- SSH -- [ Jump Host ] -- SSH -- [ Target Host ]

(The database runs on target host, but a firewall blocks direct SSH access, so we would need to tunnel the SSH connection through a jump host first)

This can be accomplished with OpenSSH using the ProxyCommand option. In a previous issue (#432) I've talked about how supporting ProxyCommand in general is not feasible, but the specific case of using multiple SSH tunnels might be feasible.

There are probably a number of ways to accomplish multi-hop SSH. I have a few questions for those of you who use such a setup:

1) Do you have access to all the keys/passwords required for the involved SSH servers, or do you need keys from the jump host to connect to the target host?

2) What does your setup look like? How many SSH connections do you need, and how many hosts are involved in total?

3) What's the exact ProxyCommand that you are using (for multi-hop SSH)?

rposborne commented 6 years ago
  1. Yes, all keys are available.
  2. A bastion server accessing a VPC, where the bastion does not have access to the DB, requiring a hop to another node.
  3. ProxyCommand ssh -q -W %h:%p bastion

mrkcohen commented 5 years ago

I think I'm in a similar position as @rposborne. It'd be great to be able to tunnel through the config. My config looks something like this:

Host target-*
    ProxyCommand ssh -W %h:%p bastion.analytics
    LocalForward xxx db.companyname-yyy.com:xxx

where xxx=the port used

Any update on this issue would be great, @jakob! Thanks!

mrkcohen commented 5 years ago

Any thoughts here @jakob ?

fsonntag commented 5 years ago

I'd also like to answer the questions:

  1. Experienced both scenarios.
  2. One hop to the target.

elahmo commented 4 years ago
  1. My key is not present at the jumpserver, only at the target machine.
  2. Just one hop, my machine - jumpserver - target machine
  3. ProxyCommand ssh -q -W %h:%p jumpserver

I have these hosts stored in my ~/.ssh/config.

georgevanvliet commented 4 years ago
  1. Yes. On my machine.

  2. I jump to a bastion box that is located inside the same subnet as my application containers. From the bastion I jump to the DB. The bastion box is not exposed to the outside, but uses AWS Session Manager. I enjoy this secure setup, because there is no SSH port that I need to expose on the bastion; it all runs through the AWS CLI.

See for details:

    Host i-* mi-*
        ProxyCommand sh -c "PATH=$PATH:/usr/local/bin /usr/local/bin/aws ssm start-session --target %h --document-name AWS-StartSSHSession --parameters 'portNumber=%p'"

revmischa commented 2 years ago
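As an added illustration (not Postico's code, and not posted by anyone in this thread): a small Python resolver that reads the kind of ~/.ssh/config stanzas shown above and follows `ssh -W %h:%p <jump>` ProxyCommands back to the first hop, which is what a client would have to do to open each tunnel itself; a non-ssh proxy such as the aws ssm command is reported as an external hop that cannot be chained further. The config text, the host names and the `external:` marker are constructed for this example.

```python
import fnmatch
import re
import shlex

SAMPLE_CONFIG = """
Host target-*
    ProxyCommand ssh -q -W %h:%p bastion
Host bastion
    ProxyCommand ssh -W %h:%p edge.example.com
Host i-* mi-*
    ProxyCommand sh -c "aws ssm start-session --target %h --document-name AWS-StartSSHSession --parameters 'portNumber=%p'"
"""  # constructed sample, modelled on the configs posted in this thread
# ssh flags that consume the next argument; skipped when looking for the positional jump host
ARG_FLAGS = {"-W", "-o", "-p", "-i", "-l", "-F", "-J", "-L", "-R", "-D"}

def lookup(text, host):
    """Options for host, merged as ssh does it: the first matching stanza to set a key wins.
    Match blocks and negated (!) patterns are not handled."""
    merged, active = {}, False
    for line in filter(None, (l.split("#", 1)[0].strip() for l in text.splitlines())):
        key, value = re.match(r"(\w+)\s*=?\s*(.*)$", line).groups()
        if key.lower() == "host":
            active = any(fnmatch.fnmatchcase(host, p) for p in value.split())
        elif active:  # options before the first Host line are ignored here
            merged.setdefault(key.lower(), value.strip())
    return merged

def next_hop(options):
    """Jump host of an 'ssh ... -W %h:%p <jump>' ProxyCommand, 'external:<prog>' for a
    non-ssh proxy such as aws ssm, or None when the host is reached directly."""
    argv = shlex.split(options.get("proxycommand", ""))
    if not argv or argv[0].lower() == "none":
        return None
    if argv[0] != "ssh":
        return "external:" + argv[0]
    i = 1
    while i < len(argv) and argv[i].startswith("-"):
        i += 2 if argv[i] in ARG_FLAGS else 1  # skip flags and their arguments
    return argv[i].rsplit("@", 1)[-1] if i < len(argv) else None  # first positional arg

def hop_chain(text, host):
    """Hosts from the target back to the first one the client must reach directly;
    a trailing 'external:...' entry means the last hop is not an SSH tunnel."""
    chain = [host]
    while (hop := next_hop(lookup(text, chain[-1]))) and not hop.startswith("external:"):
        if hop in chain:
            raise ValueError("ProxyCommand loop: " + " -> ".join(chain + [hop]))
        chain.append(hop)
    return chain + [hop] if hop else chain
```

Reversing the returned list gives the order in which a client would open the SSH connections, each one tunnelled through the previous.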

I as well would like to be able to connect with AWS SSM to my database. SSM accepts an instance id as a hostname and works on the command line, but can't resolve the hostname in Postico 2. Docs: https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-getting-started-enable-ssh-connections.html

This is a much better way to access your DB because you can control access via IAM.

StephanHoyer commented 5 months ago

Are there any plans to implement this?

You could also allow using .ssh/config entries instead of hosts for this.