Supporting ProxyJump / -J use cases #2

Open
jdub opened this issue Jul 1, 2019 · 3 comments


@jdub

jdub commented Jul 1, 2019

Another thought… what about jumphosts for which both the proxy and target require key upload? (For example, I connect this way when not on my office network.)

To make matters more challenging, the OpenSSH 7.9p1 man page section for ProxyJump states:

Note that this option will compete with the ProxyCommand option - whichever is specified first will prevent later instances of the other from taking effect.

Plus, there's no token for the jump host name, not even in OpenSSH 8.0.
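The ProxyJump / ProxyCommand competition quoted from the man page above, modelled in Python as an added example (this is not OpenSSH's or ec2connect's code). ssh takes the first value it obtains for each option, reading command-line options before any config file, and a ProxyJump and ProxyCommand obtained for the same host compete for the same slot, so whichever appears first silences the other. The ssh_config text, host names and commands below are constructed for illustration.

```python
"""Model of how OpenSSH resolves ProxyJump vs ProxyCommand for a host.

Rules modelled (from ssh_config(5)): Host blocks are scanned in file order,
the first obtained value for an option wins, and ProxyJump/ProxyCommand
compete, so the first of either one to be obtained is the one used.
Options given on the command line (-J) are obtained before any file.
"""
from fnmatch import fnmatchcase

# Constructed ssh_config for the demonstration; names and commands are made up.
SAMPLE_SSH_CONFIG = """
Host i-*
    ProxyJump ec2-user@bastion.example.com
    # Ignored for i-*: ProxyJump was obtained first
    ProxyCommand ssh -W %h:%p old-bastion

Host db-*
    ProxyCommand ssh -W %h:%p db-bastion

Host *
    # Ignored for db-*: ProxyCommand was obtained first
    ProxyJump jump.example.com
"""

PROXY_KEYWORDS = ("proxyjump", "proxycommand")


def parse_ssh_config(text):
    """Yield (host_patterns, keyword, value) triples in file order.

    Keywords are case-insensitive; lines starting with '#' are comments.
    """
    patterns = ["*"]  # options before the first Host line apply everywhere
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "host":
            patterns = value.split()
            continue
        yield patterns, keyword, value


def host_matches(hostname, patterns):
    """Host matching: a negated pattern (!pat) rejects; otherwise any pattern may match."""
    matched = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatchcase(hostname, pat[1:]):
                return False
        elif fnmatchcase(hostname, pat):
            matched = True
    return matched


def resolve_proxy(hostname, config_text, cli_jump=None):
    """Return ("ProxyJump", value), ("ProxyCommand", value) or None for hostname.

    cli_jump models `ssh -J <value>`: obtained before the file, so it always wins.
    The first competing keyword obtained from a matching Host block sticks;
    later ProxyJump/ProxyCommand lines for the same host are ignored.
    """
    if cli_jump is not None:
        return ("ProxyJump", cli_jump)
    for patterns, keyword, value in parse_ssh_config(config_text):
        if keyword in PROXY_KEYWORDS and host_matches(hostname, patterns):
            name = "ProxyJump" if keyword == "proxyjump" else "ProxyCommand"
            return (name, value)
    return None


if __name__ == "__main__":
    for host in ("i-abc123", "db-1", "web"):
        print(host, "->", resolve_proxy(host, SAMPLE_SSH_CONFIG))
```

On a real system the equivalent check is `ssh -G -F <config> <host> | grep -i proxy`, which prints the option values ssh actually resolved without connecting.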

@aidansteele
Collaborator

This would be very cool and worth supporting. I'll spend the afternoon pondering how we could go about implementing it. A few scattered thoughts / questions in no particular order:

  • Should we support specifying a jump host on the command-line, i.e. the ssh -J ec2-user@i-abc123 ... use case?
  • Should we support specifying a "default" jump host, i.e. configured in ~/.ssh/ec2connect/ssh_config?
  • Should we support different jump hosts per AWS region / profile?

Understanding the different ways people might want to use this functionality will help inform how we might need to implement it.

@jdub
Author

jdub commented Jul 1, 2019

After suggesting you reduce the security surface area of ec2connect in my last bug report, my first thought for supporting this increases it… 😂

You cooooould make the proxy connection in ec2connect and let SSH do the rest. But that gets in the way of using -J on the command line.

@aidansteele
Collaborator

aidansteele commented Jul 1, 2019

Rethinking the problem: do we want to support ProxyJump / -J specifically or do we want to support jump hosts? Because the latter is probably easier.

We could do something like looking for an EC2 instance in the same account/region/VPC with the tag ec2connect:bastion=true when the target instance only has a private IP address. And then make the proxy connection for them, as you mention.

This solution would mean that users wouldn't need to know the ID of the jump host EC2 instance. 🤔

EDIT: I suppose you don't want to use the jump host when you have direct connectivity.
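The jump-host selection sketched in the comment above, written out as an added example (this is not ec2connect's code): pick an instance in the target's VPC tagged ec2connect:bastion=true, route through it with -J only when the target is not directly reachable, and report which instances would need a key pushed to them first, since both hops authenticate with the uploaded key (the case raised at the top of the thread). The Instance and SshPlan types, the reachable_cidrs parameter and the sample fleet are assumptions made for the example.

```python
"""Jump-host selection by tag, used only when the target is not directly reachable.

Assumptions made for this example: a public IP is always reachable; a private IP
is reachable only if the caller lists its network (e.g. on the office network
or a VPN into the VPC); a bastion must itself have a public IP or -J cannot
reach it; with several tagged bastions the lowest instance ID is chosen so the
choice is deterministic.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Sequence

BASTION_TAG = "ec2connect:bastion"  # tag name proposed in the comment above


@dataclass
class Instance:
    instance_id: str
    vpc_id: str
    private_ip: str
    public_ip: Optional[str] = None
    tags: Dict[str, str] = field(default_factory=dict)


@dataclass
class SshPlan:
    argv: List[str]          # ssh command line to run
    key_targets: List[str]   # instance IDs that need a key uploaded before connecting


# Constructed sample fleet; IDs and addresses are made up.
SAMPLE_FLEET = [
    Instance("i-0bastion01", "vpc-aaa", "10.0.0.10", "203.0.113.10", {BASTION_TAG: "true"}),
    Instance("i-0private01", "vpc-aaa", "10.0.1.20"),
    Instance("i-0public001", "vpc-aaa", "10.0.2.30", "198.51.100.5"),
    Instance("i-0bastion02", "vpc-bbb", "10.1.0.10", "203.0.113.20", {BASTION_TAG: "true"}),
    Instance("i-0lonely001", "vpc-ccc", "10.2.1.5"),
]


def reachable_directly(target: Instance, reachable_cidrs: Sequence[str]) -> bool:
    """True if ssh can reach the target without a jump host (see module docstring)."""
    if target.public_ip:
        return True
    addr = ipaddress.ip_address(target.private_ip)
    return any(addr in ipaddress.ip_network(cidr) for cidr in reachable_cidrs)


def find_bastion(target: Instance, fleet: Sequence[Instance]) -> Instance:
    """Pick a publicly reachable bastion tagged BASTION_TAG=true in the target's VPC."""
    candidates = [
        inst for inst in fleet
        if inst.vpc_id == target.vpc_id
        and inst.instance_id != target.instance_id
        and inst.tags.get(BASTION_TAG, "").lower() == "true"
        and inst.public_ip
    ]
    if not candidates:
        raise LookupError(
            f"no reachable instance tagged {BASTION_TAG}=true in {target.vpc_id}"
        )
    return min(candidates, key=lambda inst: inst.instance_id)


def plan_ssh(target_id: str, user: str, fleet: Sequence[Instance],
             reachable_cidrs: Sequence[str] = ()) -> SshPlan:
    """Build the ssh argv and the list of instances that need a key pushed."""
    target = next(inst for inst in fleet if inst.instance_id == target_id)
    if reachable_directly(target, reachable_cidrs):
        host = target.public_ip or target.private_ip
        return SshPlan(["ssh", f"{user}@{host}"], [target.instance_id])
    bastion = find_bastion(target, fleet)
    # Both hops authenticate with the pushed key, so both need the upload.
    return SshPlan(
        ["ssh", "-J", f"{user}@{bastion.public_ip}", f"{user}@{target.private_ip}"],
        [bastion.instance_id, target.instance_id],
    )


if __name__ == "__main__":
    plan = plan_ssh("i-0private01", "ec2-user", SAMPLE_FLEET)
    print(" ".join(plan.argv), "| keys ->", ", ".join(plan.key_targets))
```

Passing -J on the command line rather than writing ProxyCommand into a config file keeps the user's own `-J` workable: ssh obtains command-line options before any config file, so the value given here is the first one obtained and takes effect regardless of what ~/.ssh/config says for that host.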
