How To Log Into A Bastion Host Using Putty?
This article shows how to use PuTTY to log into a bastion host (a.k.a. jump box) and from there SSH into other machines that reside on different network segments, or hosts that are not supposed to communicate with each other directly, which is the usual case when firewalls and routers sit between them.
“PuTTY is a free and open-source terminal emulator, serial console and network file transfer application.”
You can download it here:
Setting up the Jump Box / Bastion Host
The first thing you have to do is set up a bastion host, also known as a jump box. This machine acts as an intermediary between your client machine and the machines behind firewalls or routers: all communication passes through this server, which forwards the requests on. Because of this you have to make sure it is configured appropriately before exposing it for remote access. On Windows this is not so easy, because there isn't really any built-in way to do it; on Linux you can simply open up port 22 (or whatever port sshd is listening on) with the appropriate iptables rules.
The connection process
This is the simple part: open PuTTY, which you can get from http://www.putty.org/ or many other places on the web, then specify the IP address of your bastion host and you are set. One problem some people have with this is that it is not really secure, so here is how to do it securely using OpenSSH's built-in key authentication mechanism. It encrypts all data passed back and forth between you and your intermediary server so that no one else can read it, because only you hold the decryption key.
Steps to SSH into Bastion Host via Putty
Follow The Steps:
1. Firstly you need a bastion host with PuTTY installed on it; if you don't have it, you can download it from http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html
2. Next, after launching your favourite terminal, log into the machine using ssh with port forwarding:
ssh -L <local port>:<remote address>:<remote port> <username>@<hostname or ip address of jump host>
Example: ssh -L 10025:10.10.14.241:22 root@127.0.0.1
Note: The above command logs into the machine at 127.0.0.1 (localhost) and sets the forwarding/tunnel port to 10.10.14.241:22 (the IP of the bastion host).
3. Then launch PuTTY and configure it as follows:
– Connection: SSH
– Auto detect settings: unchecked
– Putty Version: Default -2 all versions unless otherwise stated.
– X11 forwarding: checked
– Connection type: SFTP – SSH File Transfer Protocol (default) or SCP if you prefer it.
4. Click Session in the main menu and enter the IP address of your jump host; don't forget to include a colon at the end followed by the port number (10025 in this case), which is the one we forwarded earlier using the SSH client.
5. Then click Save and then Open to log into the jump host.
6. Once you get confirmation that your session is ready (the SSH-2 RSA key fingerprint), log in using the credentials you were provided with for this particular machine. It might ask you if you want to trust this certificate, but if not, I would say go ahead and accept it anyway.
7. Next we need to configure our PuTTY connection to use port forwarding through another SSH session:
1) Go to Connection > SSH > Tunnels and add a new forwarded port like so:
– Source port: 10025
– Destination: 127.0.0.1:22 (this means that whatever traffic comes in through source port 10025 will be forwarded to port 22 on the host that is local to your PuTTY session)
8. And finally, click Open to connect to the next machine you would like to reach.
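As an added example that is not part of the original article, the following shell functions build the forwarding command from step 2 in a hardened form (listener bound to 127.0.0.1 only, no shell opened on the jump host, abort if the forward fails) and the equivalent command for PuTTY's command-line client plink; the hosts, ports and root user are the article's own sample values, while the bind address and the extra options are assumptions added here.

```shell
#!/bin/sh
# Added example, not the article's own commands. Sample hosts/ports are the
# article's values; the hardening options and the validation are assumptions.

# is_port PORT -> succeeds if PORT is an integer in 1..65535
is_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# build_forward_cmd LOCAL_PORT TARGET_HOST TARGET_PORT USER JUMP_HOST
# Prints the OpenSSH equivalent of the article's
#   ssh -L 10025:10.10.14.241:22 root@127.0.0.1
# but: binds the local listener to 127.0.0.1 so other hosts on the LAN cannot
# ride the tunnel, opens no shell on the jump host (-N), and exits instead of
# silently continuing if the forward cannot be established.
build_forward_cmd() {
    lport=$1; thost=$2; tport=$3; user=$4; jump=$5
    is_port "$lport" || { echo "bad local port: $lport" >&2; return 2; }
    is_port "$tport" || { echo "bad target port: $tport" >&2; return 2; }
    [ -n "$thost" ] && [ -n "$user" ] && [ -n "$jump" ] \
        || { echo "missing host or user" >&2; return 2; }
    printf 'ssh -N -o ExitOnForwardFailure=yes -L 127.0.0.1:%s:%s:%s %s@%s\n' \
        "$lport" "$thost" "$tport" "$user" "$jump"
}

# build_plink_cmd: the same tunnel using PuTTY's command-line client plink,
# which accepts the same -N and -L syntax as OpenSSH.
build_plink_cmd() {
    lport=$1; thost=$2; tport=$3; user=$4; jump=$5
    is_port "$lport" && is_port "$tport" || return 2
    printf 'plink -N -L 127.0.0.1:%s:%s:%s %s@%s\n' \
        "$lport" "$thost" "$tport" "$user" "$jump"
}

# Usage with the article's sample values:
build_forward_cmd 10025 10.10.14.241 22 root 127.0.0.1
build_plink_cmd 10025 10.10.14.241 22 root 127.0.0.1
```

With the listener on 127.0.0.1, PuTTY's Session target for step 4 is still 127.0.0.1 with port 10025; only connections from the same machine can use it.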
This is just one of many ways to secure transmissions between hosts, and it provides an extra layer of security for SSH communications.
Benefits of PuTTY
1. Allows you to create a secure connection between yourself and your jump host (intermediary server).
2. It is easy to use and requires very little effort on the part of the end user.
3. It's free, whereas most other solutions are not (including the built-in ssh mechanism, which does not allow for remote port forwarding).
4. Provides a GUI (graphical interface) over normal command-line services such as telnet (which we will probably cover sometime in the future…)
5. It is cross-platform, meaning it can be run on Windows, Linux or even Mac OS X if you use something like VirtualBox.
Drawbacks of PuTTY
1. This solution only secures data transfer and does not provide any means of authentication (such as username/password).
2. Requires both end users to have PuTTY installed on their machine.
3. There are certain ssh servers that don't support port forwarding, so you might have to seek alternative solutions if required.
4. The solution depends on the intermediary host being online and accessible to both parties; if it isn't available, you won't be able to run any traffic through it, so there is no point in using this solution.
5. Since the data transfer takes place over a secure channel between two machines, it can result in quite a bit of bandwidth loss depending on what kind of information is being transferred, which is not ideal when you need to transfer a large file over the internet.
6. The solution does not provide any real encryption, so if you need to transmit sensitive information then this is not going to be the best solution for you.
In this article we learnt how to SSH into a bastion host via PuTTY to create a secure connection between us and any machine we might need to reach, inside or outside our network.
We also covered how this method of using a bastion host provides the advantage of additional security, holistically covering all traffic from one SSH session through multiple intermediary hosts until it reaches its intended destination.
This solution is most suitable for those who need remote access into their network from an external source, as well as those who need to transfer information between two machines with no intermediaries.