Golden Gate SSH Config Files

In addition to my Golden Gate proxy providing security for web requests, I needed it to assist in securing SSH requests as well. SSH is already as secure as I need it, but I wanted to avoid exposing my servers directly to the Internet.

For my internal services I added this to the ~/.ssh/config file on my laptop (replace USERNAME and PROXY_IP as appropriate):

Host *.naphos.com
    User USERNAME
    ProxyCommand ssh -q -x USERNAME@PROXY_IP -W %h:%p

This makes any SSH or SFTP request from my laptop to internal.naphos.com initiate a connection to PROXY_IP, and then automatically pass the request on to internal.naphos.com.
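An added example, not from the original post: a small Python model of how OpenSSH selects Host blocks and expands %h and %p, useful for checking which destinations the wildcard sends through the proxy and which are reached directly. The user alice and the address 203.0.113.10 are constructed placeholders for USERNAME and PROXY_IP, and the model covers only Host patterns (no Match or Include).

```python
import fnmatch
import re
import shlex

# Constructed sample mirroring the post's config; alice and 203.0.113.10 are placeholders.
SAMPLE_CONFIG = """\
Host *.naphos.com
    User alice
    ProxyCommand ssh -q -x alice@203.0.113.10 -W %h:%p
"""

def parse_blocks(text):
    """Split ssh_config text into (host_patterns, {keyword: value}) blocks."""
    blocks = [(["*"], {})]  # options before the first Host line apply to every host
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, value = (re.split(r"[ \t=]+", line, maxsplit=1) + [""])[:2]
        if key.lower() == "host":
            blocks.append((value.split(), {}))
        else:
            blocks[-1][1].setdefault(key.lower(), value)
    return blocks

def matches(patterns, host):
    """A block applies if a positive pattern matches and no negated (!) one does."""
    hit = lambda p: fnmatch.fnmatchcase(host.lower(), p.lower())
    negated = [p[1:] for p in patterns if p.startswith("!")]
    positive = [p for p in patterns if not p.startswith("!")]
    return any(map(hit, positive)) and not any(map(hit, negated))

def effective(text, host):
    """Merge matching blocks top to bottom; the first value seen for a keyword wins."""
    opts = {}
    for patterns, settings in parse_blocks(text):
        if matches(patterns, host):
            for keyword, value in settings.items():
                opts.setdefault(keyword, value)
    return opts

def proxy_argv(text, host, port=22):
    """Return the expanded ProxyCommand argv, or None for a direct connection."""
    cmd = effective(text, host).get("proxycommand")
    if cmd is None:
        return None
    tokens = {"%h": host, "%p": str(port), "%%": "%"}
    expanded = re.sub(r"%[hp%]", lambda m: tokens[m.group()], cmd)
    return shlex.split(expanded)
```

Note that the bare domain naphos.com and the proxy address itself do not match `*.naphos.com`, so neither is routed through the proxy. On a real system, `ssh -G internal.naphos.com` prints the configuration OpenSSH actually resolves for a host.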

I use certificate-based authentication for my SSH connections, so the same certificate that authenticates my laptop to internal also authenticates me to PROXY_IP.

EDIT: I moved the config from using netcat to using ssh -W to ensure that encryption is used all the way to the destination.

Author

Eldridge Alexander

Manager of Duo Labs at Duo Security. Formerly employed at Cloudflare and at Google. Technologist, magician, designer, musician, videographer, blogger, and avid sweet tea drinker.