This is a note about how to set up an ssh proxy-jump connection that allows terminal access and VNC-based desktop access:

                ssh               ssh
    localhost ------> proxy ------> target
                 ^                 ^
               using             using
               mykey             mykey
In my case, the localhost is a Mac laptop, the proxy and target are ubuntu servers.
- Create id_rsa on the localhost (my laptop) and add the same id_rsa.pub to the authorized keys (~/.ssh/authorized_keys) of both the proxy and the target. (ref: https://www.digitalocean.com/community/tutorials/how-to-set-up-ssh-keys-on-ubuntu-1604)
- Now the following command connects to the target via the proxy (credit: https://superuser.com/a/1168339/865432):

    ssh -i ~/.ssh/id_rsa -Ao ProxyCommand="ssh -i ~/.ssh/id_rsa -W %h:%p -p proxySSHport User@proxyIP" -p targetSSHport User@targetIP

Note that -A forwards your local ssh-agent to the target. It is not needed for the jump itself, because both ssh processes run on the laptop and authenticate with -i ~/.ssh/id_rsa, so leave it out unless you actually need the agent on the target.
If you use iTerm2, you can create a new profile to use as a shortcut: Profiles -> Open Profiles -> Edit Profiles… -> + (lower left corner) -> General -> Send text at start (paste the command in this box)
- To set up the VNC connection, we need a port forwarding in addition to the above command (the ProxyCommand still points at the proxy, as in the first command; the original note had targetIP there by mistake):

    ssh -i ~/.ssh/id_rsa -Ao ProxyCommand="ssh -i ~/.ssh/id_rsa -W %h:%p -p proxySSHport User@proxyIP" -p targetSSHport -L 5901:127.0.0.1:5901 -N -f -l User targetIP

Note that the target-server part uses -l to specify the username. This username will also be used as the VNC login user, so you need to set it up in the next part on the target server. From the ssh manual (https://linux.die.net/man/1/ssh):
- -N  Do not execute a remote command. This is useful for just forwarding ports (protocol version 2 only).
- -f  Requests ssh to go to background just before command execution. This is useful if ssh is going to ask for passwords or passphrases, but the user wants it in the background. This implies -n. The recommended way to start X11 programs at a remote site is with something like ssh -f host xterm.
  If the ExitOnForwardFailure configuration option is set to "yes", then a client started with -f will wait for all remote port forwards to be successfully established before placing itself in the background.
- -W host:port  Requests that standard input and output on the client be forwarded to host on port over the secure channel. Implies -N, -T, ExitOnForwardFailure and ClearAllForwardings and works with protocol version 2 only.
- If you don't already have a VNC service running on your target server, here is a very good reference on how to set one up: https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-vnc-on-ubuntu-16-04
Remember to use the same username as in the last step when you reach the Step 4 part of that setup.