Favorite / Best SSH Gateway?


Just a dude
vpsBoard Founder
As the title may suggest, I'm interested in being hit with some knowledge about SSH gateways. I've got too many VPSes, would rather just login to a gateway and use that to access a list of servers that have their access restricted to the IP of the gateway only.

What are my options?

Aldryic C'boas

The Pony
Easiest solution is setting memorable host->IP pairs in your gateway's /etc/hosts file.  And for each VPS, have the /etc/ssh/sshd_config reflect the following:

PermitRootLogin no
RSAAuthentication no
PubkeyAuthentication no
PasswordAuthentication no

Then, at the very bottom of the VPS' /etc/ssh/sshd_config:

Match address IP.TO.YOUR.GATEWAY/32
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys

Keep in mind, this is on a Debian setup.  Other distros _should_ be fine, though some are picky about the format on the AuthorizedKeysFile line.
Last edited by a moderator:

Aldryic C'boas

The Pony
Of course, the downside to the above is that if the Gateway's IP ever changes, you'd need an alternate means of accessing the VM in order to update the sshd_config (such as a control panel console, IPMI for hardware, etc).  Same can be said for most other methods too though (such as IPTables).

Or, you could have your gateway serve a copy of the sshd_config via webserver, and have each VPS download the sshd_config and update once a day or so.  That way if the Gateway does get a new IP, you can just update the file to be served, and wait for the VMs to pick up the change.
Last edited by a moderator:


The Irrational One
Retired Staff
Or you can use a VPN.  Although if your VPN goes down or it gets compromised then you'll have some fun trying to get back into it all.  


New Member
My gateway has a ~/.ssh/config file full of alias entries like so:

Host projweb
    Port 2222
    User acd

Host home
    Port 8282
    User tw

Host biscuits
    Hostname W.X.Y.Z

Host lc-preboot
    User root
    UserKnownHostsFile ~/.ssh/lc-preboot.known_hosts
    IdentityFile ~/.ssh/lc-preboot.id_rsa
I like not having to remember ports or usernames for various places. Very useful if you don't always use the same one (or save a port from someone else).