Golden Gate SSH Config Files

In addition to my Golden Gate proxy providing security for web requests, I needed it to assist in securing SSH requests as well. SSH is already as secure as I need it, but I wanted to avoid exposing my servers directly to the Internet.

For my internal services I added this to the ~/.ssh/config file on my laptop (replace USERNAME and PROXY_IP as appropriate):

Host *.naphos.com
    User USERNAME
    ProxyJump USERNAME@PROXY_IP

ProxyJump is a relatively new SSH option, so if you find that it doesn’t work for you, you can use the ProxyCommand option:

    ProxyCommand ssh -q -x USERNAME@PROXY_IP -W %h:%p

This makes any SSH or SFTP request from my laptop to internal.naphos.com initiate a connection to PROXY_IP, and then automatically pass the request on to internal.naphos.com.

I use certificate-based authentication for my SSH connections, so the same certificate that authenticates my laptop to internal also authenticates me to PROXY_IP.

EDIT: I moved the config from using netcat to using the ssh -W to ensure that encryption is used all the way to the destination.

EDIT: 2019-12-15 I’ve updated the config above to reflect the new(ish) ProxyJump option in SSH.

Author

Eldridge Alexander

I am the Associate Director of Cloud Security at Gemini. Formerly employed at Duo Labs, Cloudflare and at Google. Technologist, magician, designer, musician, videographer, blogger, and avid sweet tea drinker.