SSH ProxyCommand Workflow
The most common pattern for using Boundary to SSH is the built-in boundary connect ssh command. There are, however, more idiomatic approaches that make Boundary transparent to users while simplifying common developer and operator workflows. Using ProxyCommand to execute a proxy when invoking the SSH client is common practice. In this workflow we cover configuring your SSH client to execute the boundary command, enabling a simplified SSH workflow that leverages Boundary's authenticated proxy for accessing targets.
SSH Configuration
Start by adding a Host entry to your SSH client configuration (~/.ssh/config for the current user) that matches your Boundary target IDs:
The ProxyCommand tells the SSH client to invoke boundary connect instead of opening the TCP connection itself. The -exec nc flag tells boundary connect to wrap netcat, and the boundary.ip and boundary.port template variables are passed as arguments to nc so that it dials the local listener Boundary opens for the session. The SSH connection is therefore proxied through a local netcat tunnel that is managed as a Boundary session.
When you run ssh ttcp_1234567890 (an example target ID), SSH hands the hostname, which here is the target ID, to the boundary command, invokes boundary connect, and tunnels the traffic through the local Boundary proxy inside the wrapped netcat session.
Authenticate to Boundary
Before ssh can invoke boundary connect you need to authenticate. This example uses boundary dev with the default username (admin) and password (password). Because this password auth method is the primary auth method in the global scope, you can use the short form of the authenticate command with no extra flags:
SSH to Target
Running Boundary in dev mode also creates other default resources, such as a target and an auth method. The default target (ttcp_1234567890) is already set up with a host at localhost and a default port of 22.
You can simply run ssh as you normally would, and all traffic is proxied through the Boundary proxy to your target machine:
On the controller, you should see the session being invoked in the logs:
You can inspect the session on the CLI as well:
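The steps above combined into a single ProxyCommand wrapper script. This is an added example, not the Boundary docs' own configuration or code from the boundary CLI. It assumes boundary and nc are on PATH, that you have already run boundary authenticate, that the script is installed at ~/.ssh/boundary-proxy.sh (an illustrative path), and that dev mode's default project scope ID is p_1234567890 (an assumption about dev-mode defaults, not stated on this page). The target-ID check is a fail-fast guard: a mistyped hostname is rejected with a clear message instead of an opaque failed session. Note that ssh runs ProxyCommand through your shell with %n already substituted, so the hostname has reached the shell before the wrapper sees it; the check does not replace ssh's own hostname validation.

```shell
#!/bin/sh
# Added example, not part of the Boundary docs or CLI.
# ProxyCommand wrapper: validate the hostname ssh hands us, then exec
# `boundary connect` with netcat as the transport for the SSH session.
# Assumes: boundary and nc on PATH; `boundary authenticate` already run;
# installed at ~/.ssh/boundary-proxy.sh (illustrative path).
set -eu

# Host entry to add to ~/.ssh/config. ssh substitutes %n with the hostname
# typed on the command line, so `ssh ttcp_1234567890` hands the target ID
# to this script as $1.
ssh_config_entry() {
  cat <<'EOF'
Host ttcp_*
  ProxyCommand ~/.ssh/boundary-proxy.sh %n
EOF
}

# Boundary TCP target IDs look like ttcp_<alphanumerics>. Anything else is
# rejected up front so a typo fails fast with a readable error.
is_target_id() {
  printf '%s\n' "$1" | grep -Eq '^ttcp_[A-Za-z0-9]+$'
}

# List sessions in the dev-mode default project so the proxied connection can
# be inspected from another terminal (p_1234567890 is an assumed default).
list_sessions() {
  boundary sessions list -scope-id "${1:-p_1234567890}"
}

run_proxy() {
  target="$1"
  if ! is_target_id "$target"; then
    echo "boundary-proxy: '$target' is not a Boundary TCP target ID" >&2
    exit 1
  fi
  # -exec nc wraps netcat; boundary expands {{boundary.ip}} and
  # {{boundary.port}} to the local listener it opened for this session, and
  # nc's stdin/stdout become ssh's transport.
  exec boundary connect -target-id "$target" -exec nc -- '{{boundary.ip}}' '{{boundary.port}}'
}

# When invoked by ssh the target ID arrives as the first argument.
if [ "$#" -gt 0 ]; then
  run_proxy "$1"
fi
```

Install the script, mark it executable, append the output of ssh_config_entry to ~/.ssh/config, and `ssh ttcp_1234567890` then works exactly as described above; `~/.ssh/boundary-proxy.sh` with no arguments is harmless, so the file can also be sourced to reuse list_sessions.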
Advanced Usage
Another way to access targets using ProxyCommand is to set the Host value to the target's domain name instead of the target ID. This is useful if you prefer to type the domain name rather than the target ID when invoking SSH. An extra step is required: because the target ID is no longer passed to the ssh command, you must authorize a session to the target beforehand and store the resulting token in your environment. Boundary then reads the target information from that authorization token when ssh invokes it.
Configure SSH
Authenticate to Boundary
Before ssh can invoke boundary connect you need to authenticate. This example uses boundary dev with the default username (admin) and password (password):
Authorize the Session
Running Boundary in dev mode also creates other default resources, such as a target and an auth method. The default target (ttcp_1234567890) is already set up with a host at localhost and a default port of 22.
Authorize a session to the default target and store the token in the BOUNDARY_CONNECT_AUTHZ_TOKEN environment variable. Boundary reads this variable when ssh invokes it:
SSH to Target
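The advanced workflow as a wrapper script, added here as an example; it is not the Boundary docs' own configuration or code from the boundary CLI. It assumes boundary and nc are on PATH and that you are already authenticated; the script path ~/.ssh/boundary-authz-proxy.sh is illustrative, the authorization_token field name is assumed to match the JSON the CLI prints for boundary targets authorize-session -format json, and SAMPLE_AUTHZ_JSON is a constructed sample, not real CLI output. jq is used when present, with a sed fallback. Because the ProxyCommand receives no target ID, the wrapper refuses to run unless BOUNDARY_CONNECT_AUTHZ_TOKEN is set, so a forgotten authorize step fails with a clear message rather than a failed boundary connect.

```shell
#!/bin/sh
# Added example, not part of the Boundary docs or CLI.
# Domain-name ProxyCommand variant: ssh passes no target ID, so the session
# is authorized beforehand and handed to boundary connect through the
# BOUNDARY_CONNECT_AUTHZ_TOKEN environment variable.
# Assumes: boundary and nc on PATH; already authenticated; jq optional.
set -eu

# Host entry for ~/.ssh/config: the hostname is the target's domain name, and
# nothing target-specific is passed on the command line.
ssh_config_entry() {
  cat <<'EOF'
Host localhost
  ProxyCommand ~/.ssh/boundary-authz-proxy.sh proxy
EOF
}

# Pull authorization_token out of `boundary targets authorize-session
# -format json` output read from stdin. The sed fallback assumes key and
# value sit on one line, which holds for the JSON the CLI prints.
extract_authz_token() {
  if command -v jq >/dev/null 2>&1; then
    jq -r '.item.authorization_token'
  else
    sed -n 's/.*"authorization_token" *: *"\([^"]*\)".*/\1/p'
  fi
}

# Authorize one session to a target and print its token. The token belongs
# to the session it created, so run this again for each new connection.
authorize() {
  boundary targets authorize-session -id "$1" -format json | extract_authz_token
}

# Refuse to start the proxy without a token: with no target ID on the
# command line there is nothing else boundary connect could use.
require_authz_token() {
  if [ -z "${BOUNDARY_CONNECT_AUTHZ_TOKEN:-}" ]; then
    echo "boundary-authz-proxy: BOUNDARY_CONNECT_AUTHZ_TOKEN is not set; run 'authorize <target-id>' first" >&2
    return 1
  fi
}

run_proxy() {
  require_authz_token || exit 1
  # boundary connect reads the authorization token from the environment and
  # expands {{boundary.ip}}/{{boundary.port}} to the local session listener.
  exec boundary connect -exec nc -- '{{boundary.ip}}' '{{boundary.port}}'
}

# Constructed sample of authorize-session JSON, trimmed to the fields used here.
SAMPLE_AUTHZ_JSON='{"item":{"session_id":"s_0123456789","authorization_token":"example-token"}}'

case "${1:-}" in
  authorize) authorize "${2:?target ID required}" ;;
  proxy) run_proxy ;;
esac
```

Typical use from an interactive shell: `export BOUNDARY_CONNECT_AUTHZ_TOKEN=$(~/.ssh/boundary-authz-proxy.sh authorize ttcp_1234567890)` followed by `ssh localhost`. ssh inherits that environment and the ProxyCommand runs the proxy subcommand, which consumes the token.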