Jump Hosts (Bastion Architecture)
Architecting secure access via ProxyJump chaining
In secure enterprise environments, the "Zero Trust" model dictates that internal resources (Databases, Redis clusters, Internal APIs) must never operate on a public IP address. They sit inside a VPC private subnet (e.g., 10.0.0.0/16).
To access them, you connect through a Bastion Host (or Jump Box). Netcatty automates this tunneling process using standard SSH ProxyJump semantics.
Architecture
When you configure a Jump Host in Netcatty, we do not simply "SSH into A, then run SSH to B". That approach (interactive chaining) is fragile and insecure.
Instead, we use TCP Forwarding:
- Netcatty connects to Jump Host A (port 22).
- It requests a direct TCP channel to Target Host B (
10.0.0.5:22). - The SSH packets for Host B are encrypted, encapsulated inside the tunnel to Host A, and unwrapped only at the destination.
- Result: Host A cannot see the traffic destined for Host B (if Host B uses a different key). This is End-to-End Encryption properly applied.
Figure: Encapsulated SSH ProxyJump architecture. The Bastion host maintains the outer tunnel but cannot decrypt the traffic destined for the Target Server.
Configuration Workflow
Let's configure a real-world scenario: Accessing a Private Postgres DB.
Prerequisites
- Bastion Host: You must already have a working host for the Bastion (e.g.,
bastion.corp.com) added in your Vault. - Target Details: You need the private IP (e.g.,
10.0.5.12) of the database server.
Step-by-Step
Create the Target Host
Click New Host.
- Name:
Prod DB Primary - Address:
10.0.5.12(Note: This IP is not reachable from your laptop natively). - Port:
22(SSH port, not the DB port 5432).
Configure Authentication (Target)
Enter the username/key for the Target DB Server.
- Important: This is NOT the Bastion's password. It's the credential for the final destination.
Add the Link
Go to the Advanced section in the Host Details panel.
- Locate the Jump Host section.
- Click Add Hop.
- Search for and select
bastion.corp.comfrom your Vault.
Connect
Click Connect. Watch the status log.
Connecting to bastion.corp.com... SuccessOpening channel to 10.0.5.12:22... SuccessAuthenticating to 10.0.5.12... Success
Figure: Multi-hop configuration in the Advanced settings panel. Netcatty executes tunnels in the order they appear (top to bottom).
Advanced Scenarios
Multi-Hop Chaining (The "Onion" Route)
Sometimes you have layered security zones.
Internet -> DMZ Bastion -> App Bastion -> Secure DB Zone
Netcatty supports unlimited chaining steps.
- Order Matters: The list in Settings is ordered from You -> Target.
- Hop 1:
dmz-jumphost - Hop 2:
app-jumphost
- Hop 1:
- Netcatty will tunnel through DMZ to reach App, then tunnel through App to reach the Target.
Dynamic Bastions
Check "Dynamic" if your bastion IP changes frequently? No. Use tags.
If you have a pool of bastions (bastion-01, bastion-02), unfortunately SSH requires a specific host. Pick the most reliable one.
Security Considerations
Agent Forwarding vs. ProxyJump
Do NOT turn on "Agent Forwarding" just to make jumping work.
- Agent Forwarding: Allows the Bastion to impersonate you to the next server. If the Bastion is compromised (root access), the attacker can use your local agent to login to other servers.
- ProxyJump (Netcatty Default): The Bastion merely shuffles encrypted bytes. It cannot decrypt the traffic or impersonate you. It is much safer.
Troubleshooting
"Channel Open Failed"
Error: open failed: administratively prohibited: open failed
- Cause: The Bastion server's
sshd_configforbids TCP forwarding. - Fix: On the Bastion server, ensure
/etc/ssh/sshd_confighas:AllowTcpForwarding yes
"Host Key Verification Failed"
Since the traffic is tunneled, the "Host Key" you receive comes from the Target IP (10.0.5.12).
If you previously connected to a different server at 10.0.5.12 (maybe IPs were recycled), Netcatty will block the connection to prevent MITM attacks.
- Fix: Go to Settings > Known Hosts, search for
10.0.5.12, and delete the entry.