Introduction to SSH Jump Hosts

Securely Accessing Campus Resources: An Introduction to SSH Jump Hosts

For many faculty and staff, remote access to university servers and resources is essential for research, teaching, and administrative tasks. However, directly connecting to these resources from a personal device can be risky. This is where SSH jump hosts come in, providing a secure and controlled pathway to campus systems.

What is an SSH Jump Host?

An SSH jump host acts as an intermediary server, situated between your device and the target server you wish to access. You first connect to the jump host jump.it.purdue.edu using SSH (Secure Shell), a secure protocol for remote logins. Once authenticated, you can then establish a secure connection to the desired server within the university network. Jump hosts provide an alternative secure access method when the primary VPN connection is unavailable.

Benefits of Using SSH Jump Hosts:

• Enhanced Security: Jump hosts add an extra layer of security by creating a buffer zone between external connections and internal university resources. This reduces the attack surface for potential security breaches.
• Centralized Access Control: IT administrators can manage access to all internal servers through the jump host. This simplifies user permission management and facilitates auditing of login attempts.
• Improved User Experience: Jump hosts can streamline the login process by allowing you to store SSH configurations for frequently accessed servers.

How to Use an SSH Jump Host:

1. Obtain Credentials: Your West Lafayette campus career account should be automatically configured to use the SSH jump host. Contact your IT department to inquire about the SSH jump host and how to obtain the necessary login credentials. 
2. Configure SSH Client: Set up your SSH client software (e.g., PuTTY, Terminal, SecureCRT) to connect to the jump host server address provided by IT. You may also need to configure SSH key-based authentication for added security. (Note: ssh keys are not enabled on jump.it.purdue.edu)
3. Connect to Jump Host: Use your SSH client to establish a secure connection to the jump host server.
4. Access Internal Server: Once logged into the jump host, utilize SSH again to connect to the specific server you require within the university network.

Important Considerations:

• IT Policies: Always adhere to the university's IT policies regarding remote access and acceptable use of resources.
• Strong Passwords or Keys: Employ strong passwords or SSH key-based authentication for both the jump host and internal server connections. (Note ssh keys are not enabled on jump.it.purdue.edu)
• Suspicious Activity: Report any unusual activity or login attempts to the university's IT department promptly.

By leveraging SSH jump hosts, faculty and staff can benefit from secure and controlled remote access to university resources, fostering a more productive and efficient work environment.

Configuring SSH for jump host

The SSH jump host jump.it.purdue.edu will be employed as a gateway to access university resources when connecting from a network that is outside the university.

The idea is to use ProxyJump command to automatically execute the ssh command on remote host to jump to the next host and forward all traffic through.

Preconfigured jump host

ProxyJump hosts can be defined inside each user's SSH config file ~/.ssh/config:

# When connecting to linuxhost, use jump host
Host linuxhost
  Hostname linuxhost.ecn.purdue.edu
  ProxyJump jump.it.purdue.edu

Connect to linuxhost.ecn.purdue.edu. ssh will first connect to jump.it.purdue.edu, then connect to linuxhost.ecn.purdue.edu.

purdueuser$ ssh linuxhost

If usernames on machines differ, specify them by modifying the correspondent ProxyJump line.

# When connecting to linuxhost, use jump host
Host linuxhost
  Hostname linuxhost.ecn.purdue.edu
  ProxyJump purdueuser@jump.it.purdue.edu

Dynamic jump host

For dynamic access to a host via the jump host, use the command line switch -J.

purdueuser$ ssh -J jump.it.purdue.edu linuxhost.ecn.purdue.edu

Tips

When connecting to the jump host jump.it.purdue.edu, use the Duo two-factor authentication method, where you enter your career account password. After your password, add a comma (",") followed by the word "push" (without quotes). For example, if your password is "secret123", you would enter "secret123,push".