Skip to main content

Before you start

To get the most out of this guide, you will need to:

Features

The table below outlines the features available for this type of connection.
  • Native - Indicates the connectivity happens through the Hoop command line (hoop connect <connection-name>) or acessing the protocol port directly on the gateway.
  • One Off - This term refers to accessing the resource from Hoop Web Console.
FeatureNativeOne OffDescription
TLS Termination ProxyThe local proxy terminates the connection with TLS, enabling the connection with the remote server to be TLS encrypted.
AuditThe gateway stores and audits the queries being issued by the client.
Data Masking (Google DLP)A policy can be enabled to mask sensitive fields dynamically when performing queries in the database.
Data Masking (MS Presidio)A policy can be enabled to mask sensitive fields dynamically when performing queries in the database.
GuardrailsAn intelligent layer of protection with smart access controls and monitoring mechanisms.
Credentials OffloadThe user authenticates via SSO instead of using database credentials.
Interactive AccessInteractive access is available when using an IDE or connecting via a terminal to perform analysis exploration.

Connection Setup

# ssh server must enable password based authentication
hoop admin create conn myremote-server -a <agent> --overwrite \
    --type application/ssh \
    -e HOST=10.20.30.40 \
    -e USER=root \
    -e PASS=myrootpasswd

# ssh server must enable public key authentication
hoop admin create conn myremote-server -a <agent> --overwrite \
    --type application/ssh \
    -e HOST=10.20.30.40 \
    -e USER=root \
    -e AUTHORIZED_SERVER_KEYS=file:///path/to/your/private/key

How to Use it

To connect automatically, it will listen to a random port and use your local ssh client to connect it. 
hoop connect myremote-server
In the listen mode, it will listen for connections on the specified port when using the --port flag. 
hoop connect myremote-server --port 2222
Connect with your local SSH client using another terminal window: 
ssh -p 2222 localhost

SSH Hosts Key

To prevent fingerprint issues when connecting with the local SSH client server, add the client host key environment variable during gateway setup. The key must be in PKCS#8 format and encoded as base64. You can generate a key with openssl utility: 
openssl genpkey -algorithm RSA -out ssh_host_hoop_key.pem \
  -pkeyopt rsa_keygen_bits:4096
base64 -i ssh_host_hoop_key.pem
  • SSH_CLIENT_HOST_KEY=<base64-encoded-key>
To troubleshoot the SSH connection with hosts keys, use the --debug flag when running the hoop connect command. This will provide detailed information about the connection process, including any issues related to parsing the host key.
For more details, refer to the environment variables documentation.

Known Issues

Warp Terminal

When using Warp Terminal, you might encounter issues due to its unique handling of SSH connections. To disable it, set this option in your bash profile or your current shell session 
export WARP_USE_SSH_WRAPPER=0