Our GitLab server isn't publicly accessible, but we can establish SSH tunnels to GitLab via a Jumpbox. Running git commands over the tunnel works well; however, I'm now looking for a solution to configure ssh to automatically establish the ssh tunnel each time I want to ssh to the GitLab server.

I have already configured the Jumpbox server in my ~/.ssh/config; it looks like the following:

Host jumpbox
    HostName jumpbox.example.com
    Port 22000
    User myUser
    PasswordAuthentication yes
    IdentityAgent "~/example/ssh/agent.sock"
    IdentityFile ~/.ssh/jumpbox.pub
    IdentitiesOnly yes

Currently I'm running the following commands to git push via the ssh tunnel:

In one console I establish the ssh tunnel from my workstation to the GitLab server via the jumpbox.

ssh jumpbox -L 55022:172.12.0.15:22

... where 172.12.0.15 is the IP of the private GitLab server, which is accessible from the Jumpbox.

In another console I run git push to push the changes.

So that I don't have to change the git remote every time I switch between the internal and the external network, I manually override name resolution in my /etc/hosts so that, externally, the name points to localhost where the ssh tunnel is listening. My /etc/hosts looks like this:

##
# GitLab override
127.0.0.1 gitlab.example.com

The remotes of my repository are configured as below.

$ git remote -v
origin  git@gitlab.example.com:myProject/myRepository.git (fetch)
origin  git@gitlab.example.com:myProject/myRepository.git (push)

I'm now looking for a way to configure ssh to establish the ssh tunnel each time I want to connect to gitlab.example.com to push my changes.

My current config looks like this, but the connection fails and my brain hurts figuring out why:

Host jumpbox
    HostName jumpbox.example.com
    Port 22000
    User myUser
    PasswordAuthentication yes
    IdentityAgent "~/example/ssh/agent.sock"
    IdentityFile ~/.ssh/jumpbox.pub
    IdentitiesOnly yes

Host gitlab.example.com
    HostName 172.12.0.15  # Internal IP of the GitLab Server
    Port 22               # Port I want to connect to on the GitLab Server
    User git
    IdentityAgent "~/example/ssh/agent.sock"
    IdentityFile ~/.ssh/gitlab_git_via_ssh.pub
    IdentitiesOnly yes
    ProxyJump jumpbox
    LocalForward localhost:55022 10.90.209.68:22

For debugging purposes I tried to just establish an ssh connection to gitlab.example.com, but it fails with the following messages:

$ ssh -v gitlab.example.com
OpenSSH_9.0p1, LibreSSL 3.3.6
debug1: Reading configuration data /Users/myUser/.ssh/config
debug1: /Users/myUser/.ssh/config line 31: Applying options for gitlab.example.com
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 21: include /etc/ssh/ssh_config.d/* matched no files
debug1: /etc/ssh/ssh_config line 54: Applying options for *
debug1: Setting implicit ProxyCommand from ProxyJump: ssh -v -W '[%h]:%p' jumpbox
debug1: Authenticator provider $SSH_SK_PROVIDER did not resolve; disabling
debug1: Executing proxy command: exec ssh -v -W '[10.90.209.68]:22' jumpbox
debug1: identity file /Users/myUser/.ssh/jumpbox.pub type 0
debug1: identity file /Users/myUser/.ssh/jumpbox.pub-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_9.0
OpenSSH_9.0p1, LibreSSL 3.3.6
debug1: Reading configuration data /Users/myUser/.ssh/config
debug1: /Users/myUser/.ssh/config line 21: Applying options for jumpbox
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 21: include /etc/ssh/ssh_config.d/* matched no files
debug1: /etc/ssh/ssh_config line 54: Applying options for *
debug1: Authenticator provider $SSH_SK_PROVIDER did not resolve; disabling
debug1: Connecting to jumpbox.example.com port 22000.
debug1: Connection established.
debug1: identity file /Users/myUser/.ssh/jumpbox.pub type 0
debug1: identity file /Users/myUser/.ssh/jumpbox.pub-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_9.0
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.1g0
debug1: compat_banner: match: OpenSSH_8.1g0 pat OpenSSH* compat 0x04000000
debug1: Authenticating to jumpbox.example.com:22000 as 'myUser'
debug1: load_hostkeys: fopen /Users/myUser/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ssh-ed25519
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: SSH2_MSG_KEX_ECDH_REPLY received
debug1: Server host key: ssh-ed25519 SHA256:kWC4p3FRDktwdCq17TY8Y4hzU8wq+LEZ1kFH+nscw7E
debug1: load_hostkeys: fopen /Users/myUser/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: Host '[jumpbox.example.com]:22000' is known and matches the ED25519 host key.
debug1: Found key in /Users/myUser/.ssh/known_hosts:7
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 134217728 blocks
debug1: get_agent_identities: agent returned 9 keys
debug1: Will attempt key: /Users/myUser/.ssh/jumpbox.pub RSA SHA256:QqXPlVeMe6900jZaxl3cELCMaIGoorv+BpPGRwcIYAo explicit agent
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-xmss@openssh.com,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /Users/myUser/.ssh/jumpbox.pub RSA SHA256:QqXPlVeMe6900jZaxl3cELCMaIGoorv+BpPGRwcIYAo explicit agent
debug1: Server accepts key: /Users/myUser/.ssh/jumpbox.pub RSA SHA256:QqXPlVeMe6900jZaxl3cELCMaIGoorv+BpPGRwcIYAo explicit agent
Authenticated to jumpbox.example.com ([20.234.143.84]:22000) using "publickey".
debug1: channel_connect_stdio_fwd: 172.12.0.15
debug1: channel 0: new [stdio-forward]
debug1: getpeername failed: Bad file descriptor
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: pledge: filesystem
debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0
debug1: client_input_hostkeys: searching /Users/myUser/.ssh/known_hosts for [jumpbox.example.com]:22000 / (none)
debug1: client_input_hostkeys: searching /Users/myUser/.ssh/known_hosts2 for [jumpbox.example.com]:22000 / (none)
debug1: client_input_hostkeys: hostkeys file /Users/myUser/.ssh/known_hosts2 does not exist
debug1: Remote: /home/myUser/.ssh/authorized_keys:4: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
debug1: Remote: /home/myUser/.ssh/authorized_keys:4: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
channel 0: open failed: connect failed: open failed
stdio forwarding failed
kex_exchange_identification: Connection closed by remote host
Connection closed by UNKNOWN port 65535

I really appreciate any ideas and help.

clowa

1 Answer

It looks like you're successfully establishing a connection to the jumpbox, but not getting any file descriptors assigned on the jumpbox that would permit proxying. Proxying and port forwarding aren't prohibited, though - you'd get an error about this being "administratively prohibited" - so this should work.

Assuming you're using OpenSSH client version 7.3 or later, you should be safe removing the LocalForward statement from your SSH config - ProxyJump should handle all aspects of tunneling, from setup to teardown, without any additional work for you. The config ProxyJump statement also has a CLI equivalent, -J, which you could use to test this: comment out the ProxyJump and LocalForward statements in your SSH config, and then test with ssh -v -J jumpbox gitlab.example.com.

Jim Redmond
Thanks a lot Jim! I have removed the `ProxyJump` and `LocalForward` statements from my config and tried `ssh -v -J jumpbox gitlab.example.com` as you suggested. Unfortunately the error looks the same. I'm sorry, but I don't understand what it means to "get no file descriptors assigned". Is this something like a stdin/stdout connection or more like TCP stuff? Should I check the ssh configuration on the Jumpbox? Really appreciate your help! – clowa Apr 27 '23 at 19:58
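A ProxyJump-only version of the config from the question, written as an added example (not code from the question or the answer) and checked with `ssh -G`, which prints the options ssh would actually use for a host without connecting. Host names, IPs, user and key paths are the question's; the scratch directory and the two check functions are assumptions of this example, and the config comment notes why the /etc/hosts override becomes unnecessary once the Host alias carries its own HostName.

```shell
#!/bin/sh
# Added example, not from the original post: ProxyJump-only config from the
# answer, checked statically and with `ssh -G` (prints effective options, no connection).
set -eu
WORK="${TMPDIR:-/tmp}/sshcfg.$$"     # scratch dir, an assumption of this example
mkdir -p "$WORK"
CFG="$WORK/config"
write_config() {
    cat > "$CFG" <<'EOF'
Host jumpbox
    HostName jumpbox.example.com
    Port 22000
    User myUser
    IdentityAgent "~/example/ssh/agent.sock"
    IdentityFile ~/.ssh/jumpbox.pub
    IdentitiesOnly yes
# The alias equals the git remote's host and HostName decides where ssh
# connects, so the /etc/hosts override is not needed. ProxyJump opens the
# stdio forward through jumpbox, which makes LocalForward redundant.
Host gitlab.example.com
    HostName 172.12.0.15
    Port 22
    User git
    IdentityAgent "~/example/ssh/agent.sock"
    IdentityFile ~/.ssh/gitlab_git_via_ssh.pub
    IdentitiesOnly yes
    ProxyJump jumpbox
    # explicit (it is the default): the jumpbox never gets access to the agent
    ForwardAgent no
EOF
}
# Static check, no ssh needed: the gitlab block has ProxyJump and no LocalForward.
lint_config() {
    block=$(sed -n '/^Host gitlab\.example\.com/,/^Host /p' "$CFG")
    echo "$block" | grep -q '^ *ProxyJump jumpbox' || { echo "missing ProxyJump"; return 1; }
    echo "$block" | grep -q '^ *LocalForward' && { echo "stale LocalForward"; return 1; }
    echo ok
}
# Effective-config check: ssh -G resolves the Host block exactly as a connection would.
check_effective() {
    command -v ssh >/dev/null 2>&1 || { echo skipped; return 0; }
    out=$(ssh -G -F "$CFG" gitlab.example.com)
    echo "$out" | grep -q '^proxyjump jumpbox' || { echo "no proxyjump"; return 1; }
    echo "$out" | grep -q '^hostname 172\.12\.0\.15$' || { echo "wrong hostname"; return 1; }
    echo "$out" | grep -q '^localforward' && { echo "localforward present"; return 1; }
    echo ok
}
write_config; lint_config; check_effective
```

Because `-F` makes ssh ignore the system-wide ssh_config, the `-G` output reflects only this file, which is the same isolation you want when bisecting a failing ProxyJump setup.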