Today I show you how to define bastion hosts that you tunnel through to get to your destination hosts.
“A bastion host is a special purpose computer on a network specifically designed and configured to withstand attacks. The computer generally hosts a single application, for example a proxy server, and all other services are removed or limited to reduce the threat to the computer. It is hardened in this manner primarily due to its location and purpose, which is either on the outside of the firewall or in the DMZ and usually involves access from untrusted networks or computers.” - Wikipedia.
The idea in practice for SSH is that you SSH to the bastion server, then you SSH from there to the server you actually want. As you might imagine, this gets old pretty quickly, so mass makes this happen seamlessly for you.
The most important quirk to consider is that, to work around the differences between the Mac implementation of clusterSSH and the original Linux implementation, I had to limit it to a single bastion server per mass query. Therefore, if a mass query gives you a bunch of servers that sit behind multiple bastion servers (e.g. a separate one for dev and live), only one bastion will succeed and the terminals for the servers behind the other bastion will fail to connect.
This turned out to be a convenient test that the bastions were configured correctly, and the limitation didn’t pose any complication in practice. If you want to control live and dev servers with the same commands, you need to think very carefully about whether you’re doing the right thing.
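The two points above (tunnelling through a bastion, and keeping each query to a single bastion) can be illustrated with plain OpenSSH, which supports a jump host natively via `-J` / `ProxyJump`. The following is an added example and not mass's own code or configuration; the host naming convention (dev hosts contain `dev`, everything else is live) and the bastion names `bastion-dev.example.com` / `bastion-live.example.com` are constructed assumptions for the demonstration.

```shell
#!/bin/sh
# Added example: choose the bastion for a host, build the ssh ProxyJump
# command line, and check that one query only spans a single bastion.

# Assumption: the environment is encoded in the hostname; anything containing
# "dev" goes through the dev bastion, everything else through the live bastion.
bastion_for() {
  case "$1" in
    *dev*) echo "bastion-dev.example.com" ;;
    *)     echo "bastion-live.example.com" ;;
  esac
}

# Build the ssh command that tunnels through the bastion. "-J" (ProxyJump)
# makes OpenSSH open the connection to the target via the jump host, which
# replaces the manual "ssh bastion, then ssh target" two-step.
ssh_cmd() {
  target="$1"
  bastion=$(bastion_for "$target")
  printf 'ssh -J %s %s\n' "$bastion" "$target"
}

# Return 0 if every host in the list resolves to the same bastion, 1 otherwise.
# This mirrors the single-bastion-per-query limitation described above: a mixed
# dev/live query is rejected up front instead of half of the terminals failing.
check_single_bastion() {
  first=""
  for h in "$@"; do
    b=$(bastion_for "$h")
    if [ -z "$first" ]; then
      first="$b"
    elif [ "$b" != "$first" ]; then
      echo "mixed bastions in one query: $first and $b" >&2
      return 1
    fi
  done
  return 0
}

# Usage with constructed hostnames:
#   ssh_cmd web1.dev.example.com
#   check_single_bastion web1.dev.example.com web1.live.example.com && echo ok
```

The same mapping can live in `~/.ssh/config` instead of a script, with a `Host *.dev.example.com` stanza carrying `ProxyJump bastion-dev.example.com` and a matching stanza for live, so that a plain `ssh web1.dev.example.com` tunnels automatically. Keeping the dev and live bastions separate, and refusing a query that mixes them, is the safety net the paragraph above describes.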
The repository is at https://github.com/ksandom/mass.