Tunneled SSH Connections
Bad actors are constantly scanning the internet for exposed SSH services. Changing the default port obfuscates, but doesn't protect the service, and implementing and updating advanced SSH authentication can be cumbersome.
By tunneling SSH connections through your Pomerium service:
- All traffic is encrypted twice (once by the Pomerium TCP connection, once by SSH itself),
- The SSH service can remain closed to the internet, or even restricted to only accept connections from the Pomerium Proxy service
- Authentication and authorization is managed by Pomerium, using your IdP for identity, and can be easily managed at scale.
This example assumes you've already created a TCP route for this service.
Basic Connection
Create a TCP tunnel, using either
pomerium-cli
or the Pomerium Desktop client:- pomerium-cli
- Pomerium Desktop
pomerium-cli tcp aService.corp.example.com:22 --listen :2202
--listenThe
--listen
flag is optional. It lets you define what port the tunnel listens on locally. If not specified, the client will choose a random available port.Local AddressThe Local Address field is optional. Using it defines what port the tunnel listens on locally. If not specified, Pomerium Desktop will choose a random available port.
Initiate your SSH connection, pointing to
localhost
:ssh user@localhost -p 2202
Tunnel and Connect Simultaneously
The process outlined above requires multiple steps and terminal environments (when using the CLI) or programs (when using the Desktop Client). By invoking pomerium-cli
when the connection is made, you can streamline the process into a single connection:
ssh -o ProxyCommand='pomerium-cli tcp --listen - %h:%p' ssh.localhost.pomerium.io
Always Tunnel through Pomerium
Once your SSH service is configured and tested through Pomerium, you can edit your local SSH configuration file to always create a tunnel when connecting to that service:
Host aService.corp.example.com
ProxyCommand /usr/bin/pomerium-cli tcp --listen - %h:%p
You can even configure all SSH connections to your domain space to use the tunnel:
Host *.corp.example.com
ProxyCommand /usr/bin/pomerium-cli tcp --listen - %h:%p
More Resources
For more information on SSH ProxyCommand, see: