Setting up an OpenSSH bastion host for an entire DNS domain


Remote administration via ssh is a standard practice for many unix based servers or networking devices. Protecting this critical infrastructure by provisioning internal devices on RFC1918 IP space and/or limiting inbound connections to specific bastion or jump-hosts is a common method to limit external exposure.

Bastion hosts are security hardened devices who’s sole purpose is to act as a gateway into the production environment. These servers should be stripped down to essential services and patched on a regular basis. The server typically sits between the untrusted and trusted network, as shown in the diagram below:

SSH proxy flow

To make the bastion host configuration easier, I prefer to provision all systems on an internal DNS domain name. OpenSSH is configured through the Host and ProxyCommand options to key off the wildcard domain, and force all devices through the bastion host.


Configure OpenSSH to proxy any device in the domain * through by adding the following lines to the ~/.ssh/config for individual users or globally by editing /etc/ssh/ssh_config:

jemurray@mbp-2019:~ $ cat .ssh/config
Host *
        ProxyCommand ssh -W %h:%p

Any ssh connection made to * will be automatically proxied through the bastion host:

jemurray@mbp-2019:~ $ ssh
*        WARNING - Unauthorized access to or use of this system is    *
*                         strictly prohibited.                        *
***********************************************************************'s password:
Cisco Nexus Operating System (NX-OS) Software
TAC support:
The copyrights to certain works contained in this software are
owned by other third parties and used and distributed under
license. Certain components of this software are licensed under
the GNU General Public License (GPL) version 2.0 or the GNU
Lesser General Public License (LGPL) Version 2.1. A copy of each
such license is available at