<img src="https://ws.zoominfo.com/pixel/6169bf9791429100154fc0a2" width="1" height="1" style="display: none;">

Life's like a box of chocolates 🍫 Your access shouldn't be. Register for our new webinar.

Close icon
Search bar icon

How to SSH Through Bastion With Key | Part 2 - Tutorial

StrongDM manages and audits access to infrastructure.
  • Role-based, attribute-based, & just-in-time access to infrastructure
  • Connect any person or service to any infrastructure, anywhere
  • Logging like you've never seen

In this post, we will show you how to create an SSH key, which will allow only the systems who have that key to access your bastion host.  We will also look at ways you can streamline the bastion host login process without compromising the security of the key.

The full tutorial is split into three parts:

Part 1: Creating your bastion hosts

  • This post shows you how to create Linux virtual machines in Amazon Web Services, setup virtual networking, and create initial firewall rules to access the hosts.  

Part 2: Managing SSH keys

  • We will show you how to create an SSH key for your bastion host and look at ways you can streamline the bastion host login process without compromising the security of the key.

Part 3: Configuring hosts for logging

  • How to configure our bastion hosts to gather verbose logging data and send it off site to a cloud service.

In the previous section, we walked through installing and configuring a bastion host and guest, and completed some initial network security configurations to lock network access down to only specific IP addresses.  In this post, we will further adjust our bastion hosts to simplify SSH access without weakening the security of the hosts or the key itself.

Configuring ssh-agent

With SSH configuration complete, next we will configure SSH forwarding, which is going to allow us to connect to the bastion host, and then create the subsequent connection to our bastion guest - all without storing our private SSH key on either server.

To configure this on a Mac (see this Amazon knowledge base article for Windows instructions), issue the following command:

ssh-add -K name-of-your-key.pem

Issuing the ssh-add -K commandIf you want to verify the key has been successfully added, issue this command:
ssh-add -L
Verify key has been added

Connecting to the bastion host with ssh-agent

Now you should be able to connect to your bastion host without specifying the .pem file, as it is securely stored on your machine:

ssh -A ubuntu@fully.qualified.domain.name

Connect to bastion host

You should now be fully logged into your bastion host:

Logged into your bastion host

Connecting to the bastion guest

Now that we have ssh-agent working and are fully logged into the bastion host, we should now be able to simply issue an SSH command to connect right to the bastion guest’s internal IP without providing the private key or any credentials. Do this by issuing:

ssh ubuntu@the.internal.ip.address

In our environment, this IP address is, so I’ll run:

Issue ssh ubuntu @ IP address

You should see some login banner information and then get dropped to what looks like the same host:

Connecting to bastion guest

However, if you issue the ifconfig command, you should see that we are indeed connected to the private IP corresponding with the bastion guest:

Using ifconfig command, you should see that we are connected to the private IP corresponding with the bastion guest

For now, type exit and Enter to drop your SSH connection back to the bastion host.

At this point we have configured SSH access control to only specific IP addresses, and configured our management system to use the private SSH key as a “forwarder” so we can easily log into both the bastion host and guest systems.  In the third and final part of this series, we will configure our bastion systems to collect verbose log data and then send it to a cloud provider.

To learn more on how StrongDM helps companies with auditing, make sure to check out our Auditing Use Case.

About the Author

, Security Engineer / Podcaster, is the president of 7 Minute Security, an information security consultancy in the Minneapolis area. Brian spends most of his days helping companies defend their networks.

Since 2004, Brian has also run the blog/podcast called 7 Minute Security, where he shares what he has learned about information security into short, 7-minute chunks.

StrongDM logo
💙 this post?
Then get all that StrongDM goodness, right in your inbox.

You May Also Like

How to Create a Postgres User (Step-by-Step Tutorial)
How to Create a Postgres User (Step-by-Step Tutorial)
Creating Postgres users isn't just a routine step in the complicated world of database management; it's a critical strategy that has a significant impact on how PostgreSQL databases operate and remain secure. An increasing number of organizations depend on sophisticated data systems, so it's critical to recognize the value of Postgres users. This blog post walks you through the steps of creating a Postgres user, as well as, explores the significance of these users in database administration, emphasizing their function in maintaining security, limiting access, and ensuring efficient data management.
Beyond SASE: Strengthening Security with Dynamic Access Management
SASE or Dynamic Access Management? Here’s Why You Need Both
While SASE excels in providing broad network security coverage and solves broad issues for regular enterprise users, it is not equipped to address the specific requirements of privileged users who wield extensive administrator or superuser privileges. Dynamic Access Management (DAM) addresses the specific needs of privileged users by providing granular control over their access grants and sessions in real time.
Leveraging CSA Cloud Security Matrix (CMM) for Enhanced Cloud Security
Leveraging CSA CCM with StrongDM for Enhanced Cloud Security
The CSA CCM is a cybersecurity control framework specifically designed for cloud computing. It outlines a comprehensive set of best practices and security controls across 17 domains that are designed to ensure that cloud environments are secure and resilient against an ever expanding threat landscape. The CCM framework is structured to provide clarity and actionable guidance for the implementation of security measures in a prescriptive and adaptable way for recognized compliance standards and control frameworks.
How to Prevent Credential Stuffing [9 Best Practices]
How to Prevent Credential Stuffing [9 Best Practices]
In this article, we’ll explore the risks of credential stuffing attacks, common techniques used by attackers, signs that your accounts may be compromised, and credential stuffing prevention techniques you can use to reduce your risk.
What Is Fine-Grained Access Control? Challenges, Benefits & More
What Is Fine-Grained Access Control? Challenges, Benefits & More
Fine-grained access control systems determine a user’s access rights—to infrastructure, data, or resources, for example—once past initial authentication. Unlike coarse-grained access control (CGAC), which relies on a single factor, such as role, to grant access, FGAC relies on multiple factors. For example, it may consider policies (policy-based access control, or PBAC), attributes (attribute-based access control, or RBAC), or a user’s behavior in a certain context (behavior-based access control, or BBAC).