Documentation

Connecting a Java SSH Client through a Jump Host

Introduction

A common use case with SSH is to set up a secure, hardened jump host server in a security zone that can be used to connect to SSH devices within the zone. A user typically logs into the jump host and creates a further SSH connection from that host to another server in its zone. This makes it easier to manage many devices without creating rules to allow access to them through the network’s firewall.

This can be replicated in a Java SSH setup by creating a port forward to forward the separate connection over the secure tunnel to the jump host.

First, we make the connection to the jump host server.

try (SshClient jump = new SshClient(hostname, port, username, password.toCharArray())) {

}Code language: JavaScript (javascript)

Once established, we can create a local forwarding to listen on a random port on the client.

int localPort = ssh.startLocalForwarding("127.0.0.1", 0, remoteHost, remotePort);Code language: JavaScript (javascript)

We then connect a new SshClient to the local forwarding port.

SshClient remote = new SshClient("127.0.0.1", localPort, username);Code language: JavaScript (javascript)

Once connected to the remote machine, we can tear down the local forwarding listener to ensure it cannot be reused.

stopLocalForwarding("127.0.0.1", localPort);Code language: CSS (css)

We can then execute code directly on the remote SshClient instance with any of the Synergy APIs.

The fully working example below uses a newly added method to the API called openRemoteClient. This is on the SshClient and performs the steps above for you.

Source Code

package examples;

import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;

import com.sshtools.client.SessionChannelNG;
import com.sshtools.client.SshClient;
import com.sshtools.client.shell.ExpectShell;
import com.sshtools.client.shell.ShellTimeoutException;
import com.sshtools.client.tasks.ShellTask;
import com.sshtools.common.permissions.UnauthorizedException;
import com.sshtools.common.ssh.SshException;
import com.sshtools.common.util.Utils;

public class JumpHost {

   public static void main(String[] args) throws IOException {

      try (BufferedReader reader = new BufferedReader(new InputStreamReader(System.in))) {
			
         String hostname = Utils.prompt(reader, "Hostname", "localhost");
         int port = 22;
         if (Utils.hasPort(hostname)) {
            port = Utils.getPort(hostname);
         }

         String username = Utils.prompt(reader, "Username", System.getProperty("user.name"));
         String password = Utils.prompt(reader, "Password");

         try(SshClient jump = new SshClient(hostname, port, username, password.toCharArray())) {
           String remoteHost = Utils.prompt(reader, "Remote Host", "localhost");
           int remotePort = 22;
           if (Utils.hasPort(remoteHost)) {
              remotePort = Utils.getPort(remoteHost);
           }
           String remoteUser  = Utils.prompt(reader, "Remote User", System.getProperty("user.name"));
			
           try(SshClient ssh = jump.openRemoteClient(remoteHost, remotePort, remoteUser)) {

        	   ssh.runTask(new ShellTask(ssh) {
                   @Override
                   protected void onOpenSession(SessionChannelNG session)
                          throws IOException, SshException, 
                                       ShellTimeoutException {

                      ExpectShell shell = new ExpectShell(this);

                      shell.execute("mkdir tmp");
                      shell.execute("cd tmp");
                      shell.execute("echo Synergy was here > readme.txt");
                      shell.execute("tar czf package.tar.gz readme.txt");
                      shell.execute("chmod 600 package.tar.gz");
                   }
                });
           } 
        }
     } catch (UnauthorizedException | IOException | SshException e) {
        System.out.println(e);
     }
   }
}Code language: JavaScript (javascript)