I work on a number of hosts that are protected behind firewalls and have to be accessed from a bastion host. In my examples, I will assume the bastion host is called bastion.external and the protected host is called protected.internal. In order to log in to the protected host, I need to log in to the bastion host and then once again into the protected host:

ssh -A bastion.external ssh protected.internal

SSH can handle this fine, especially with password-less authentication. You can also configure your .ssh/config file to use netcat to bounce the connection straight from the bastion host to the protected host.

The problem is that ExpanDrive cannot access the protected host, and working on remote hosts without ExpanDrive is unpleasant.

So, let’s solve this using SSH port forwarding. We will forward port 50022 in the local host to port 22 on the protected host using:

ssh -N bastion.external -L 50022:protected.internal:22

Once we have done this, connections on port 50022 on the local host are forwarded to port 22 (the standard SSH port) on the protected host. The local port number does not have to be 50022, but it’s a private port and a good mnemonic for the standard SSH port.

We can now use SSH to connect to the protected host via the local port:

ssh localhost -p 50022

We can also access the file system on the protected host using ExpanDrive. We simply use localhost for the server and specify the appropriate local port (50022 in this example).

If we need access to more than one protected host, we simply forward a different local port for each.

Now, this is all well and good, but setting up forwarded ports and remembering port numbers is a bit messy. Let’s clean up things up.

First, we will use Meerkat to automatically handle port forwarding. In Meerkat we configure accounts on each bastion host and forwarded ports (or “tunnels”) on each account. We arrange for Meerkat to open at login. Meerkat works seamlessly with Keychain Access to provide password-less authentication. Meerkat is not perfect; it does not automatically maintain connections when local computer sleeps. Meekat costs $20 and is available with a 14-day trial licence.

Second, we will add the following lines to .ssh/config to configure an alias for the protected host:

Host protected

    Hostname localhost

    Port 50022

Once we have done this, SSH, SCP, SFTP, and RSYNC know that the alias refers to the correct port on the local host. We can enter the protected host simply using

ssh protected

Notes

There are alternatives to Meerkat. However, I found SSHKeychain to be unstable and both iSSH and SSH Tunnel Manager do not appear to support password-less authentication.

I could use the standard Unix tools on the remote host (possibly running the X11 server locally), but I bought a Mac precisely to get away from these. And the “standard” Unix tools have subtle (and not so subtle) differences on the remote hosts I use.

I could use CyberDuck, or another SFTP client, but I then would have to download files, work on them locally, and upload them again.

I could use some application-specific partial solutions, for example, using TextWrangler to edit remote files using SFTP, but application-specific partial solutions are not general solution; TextWrangler can’t help me open a remote PDF file in Preview.

I’m now using ExpanDrive to mount the remote filesystem and use my standard Mac OS tools. ExpanDrive accesses the remote file system using SFTP rather than AFS, NFS, or SAMBA and presents the remote filesystem as a standard device that can be seen by the Finder and all of the local Mac OS applications. 

ExpanDrive works seamlessly with the Keychain to provide password-less authentication and does not drop the connections when my computer sleeps. As far as accessing my remote files is concerned, it is tantamount to a light-weight and easily configurable VLAN.

ExpanDrive costs $29 and is available with a 30-day trial period.