Golden Gate SSH Config Files

In addition to my Golden Gate proxy providing security for web requests, I needed it to assist in securing SSH requests as well. SSH is already as secure as I need it, but I wanted to avoid exposing my servers directly to the Internet.

For my internal services I added this to the ~/.ssh/config file on my laptop (replace USERNAME and PROXY_IP as appropriate):

Host *.naphos.com
    User USERNAME
    ProxyJump USERNAME@PROXY_IP

ProxyJump is a relatively new SSH option, so if you find that it doesn’t work for you, you can use the ProxyCommand option:

    ProxyCommand ssh -q -x USERNAME@PROXY_IP -W %h:%p

This makes any SSH or SFTP request from my laptop to internal.naphos.com initiate a connection to PROXY_IP, and then automatically pass the request on to internal.naphos.com.

I use certificate-based authentication for my SSH connections, so the same certificate that authenticates my laptop to internal also authenticates me to PROXY_IP.
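The following is an added example, not part of the original post: a small script that picks ProxyJump or the ProxyCommand fallback from the `ssh -V` banner, and confirms from `ssh -G` output that a host really is routed through the proxy. The function names and the script name are hypothetical; the 7.3 threshold is the OpenSSH release that introduced ProxyJump.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# supports_proxyjump BANNER
# Succeeds when the `ssh -V` banner reports OpenSSH 7.3 or later, the
# release that added ProxyJump. Unparseable banners count as "no".
supports_proxyjump() {
    ver=$(printf '%s\n' "$1" |
        sed -n 's/^OpenSSH_[^0-9]*\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    [ -n "$ver" ] || return 1
    set -- $ver                     # $1 = major, $2 = minor
    [ "$1" -gt 7 ] || { [ "$1" -eq 7 ] && [ "$2" -ge 3 ]; }
}

# proxy_stanza BANNER USERNAME PROXY_IP
# Prints the Host block from the post, falling back to ProxyCommand
# with ssh -W when the client is too old for ProxyJump.
proxy_stanza() {
    printf 'Host *.naphos.com\n    User %s\n' "$2"
    if supports_proxyjump "$1"; then
        printf '    ProxyJump %s@%s\n' "$2" "$3"
    else
        printf '    ProxyCommand ssh -q -x %s@%s -W %%h:%%p\n' "$2" "$3"
    fi
}

# effective_proxy
# Reads `ssh -G HOST` output on stdin and prints the proxy directive in
# effect. Fails when there is none, i.e. the host would be dialed directly.
effective_proxy() {
    awk '{ k = tolower($1) }
         (k == "proxyjump" || k == "proxycommand") && tolower($2) != "none" {
             print; found = 1
         }
         END { exit !found }'
}

# Usage: sh proxycheck.sh stanza USERNAME PROXY_IP
#        sh proxycheck.sh check  internal.naphos.com
case "${1:-}" in
    stanza) proxy_stanza "$(ssh -V 2>&1)" "$2" "$3" ;;
    check)  ssh -G "$2" | effective_proxy ||
                echo "no proxy configured for $2" >&2 ;;
esac
```

The `check` mode is useful after editing `~/.ssh/config`: a host that falls outside the `Host` pattern would otherwise be dialed directly without any visible error.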

EDIT: I moved the config from using netcat to using ssh -W to ensure that encryption is used all the way to the destination.

EDIT: 2019-12-15 I’ve updated the config above to reflect the new(ish) ProxyJump option in SSH.

Author

Eldridge Alexander

Manager of Duo Labs at Duo Security. Formerly employed at Cloudflare and at Google. Technologist, magician, designer, musician, videographer, blogger, and avid sweet tea drinker.