Prerequisites

To get the most out of this guide, you will need to:

Features

The table below outlines the features available for this type of connection.
  • Native - Refers to a database client connecting through its specific protocol, such as an IDE or client libraries, via hoop connect <connection-name>.
  • One Off - Refers to accessing this connection from the Hoop Web App.

| Feature                    | Native | One Off | Description                                                                   |
|----------------------------|--------|---------|-------------------------------------------------------------------------------|
| Audit                      |        |         | The gateway stores and audits the commands issued by the SSH client.          |
| Data Masking (Google DLP)  |        |         | A policy can be enabled to mask sensitive fields dynamically in the output.    |
| Data Masking (MS Presidio) |        |         | A policy can be enabled to mask sensitive fields dynamically in the output.    |
| Credentials Offload        |        |         | The user authenticates via SSO instead of using SSH credentials.               |

Configuration

| Name                   | Type    | Required | Description                                                                                              |
|------------------------|---------|----------|----------------------------------------------------------------------------------------------------------|
| HOST                   | env-var | yes      | The IP or hostname of the SSH server.                                                                    |
| PORT                   | env-var | no       | The port of the SSH server; defaults to 22.                                                              |
| USER                   | env-var | yes      | The username on the Linux server.                                                                        |
| PASS                   | env-var | no       | The password for that username, if password authentication is enabled on the SSH server.                 |
| AUTHORIZED_SERVER_KEYS | env-var | no       | The private key of the user that corresponds to the public key in $HOME/<user>/.ssh/authorized_keys.    |

Connection Setup

# ssh server must enable password based authentication
hoop admin create conn myremote-server -a <agent> --overwrite \
    --type application/ssh \
    -e HOST=10.20.30.40 \
    -e USER=root \
    -e PASS=myrootpasswd

# ssh server must enable public key authentication
hoop admin create conn myremote-server -a <agent> --overwrite \
    --type application/ssh \
    -e HOST=10.20.30.40 \
    -e USER=root \
    -e AUTHORIZED_SERVER_KEYS=file:///path/to/your/private/key

In upcoming releases, we plan to automate the management of users, keys, and passwords on the remote server. Our roadmap also includes a UI for managing this type of connection.

How to Use it

In the default mode, hoop connect listens on a random local port and launches your local ssh client against it automatically:

hoop connect myremote-server

With the --port flag it runs in listen mode: it listens for connections on the given port and waits for you to connect.

hoop connect myremote-server --port 2222

Then connect with your local SSH client from another terminal window:

ssh -p 2222 localhost

SSH Hosts Key

To prevent host key fingerprint warnings when connecting with the local SSH client, add the client host key environment variable during gateway setup. The key must be in PKCS#8 format and encoded as base64. You can generate a key with the openssl utility:
openssl genpkey -algorithm RSA -out ssh_host_hoop_key.pem \
  -pkeyopt rsa_keygen_bits:4096
base64 -i ssh_host_hoop_key.pem
Then set the encoded value on the gateway:
  • SSH_CLIENT_HOST_KEY=<base64-encoded-key>
To troubleshoot SSH connections involving host keys, pass the --debug flag to the hoop connect command. It prints detailed information about the connection process, including any issues parsing the host key.
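An added example, not from hoop's documentation, that wraps the steps above in a small POSIX shell script: it generates the PKCS#8 key, base64-encodes it on a single line, and checks that the value decodes back to a parseable PKCS#8 RSA key before it is handed to the gateway as SSH_CLIENT_HOST_KEY. The 2048-bit key size, function names and temporary file handling are assumptions.

```shell
#!/bin/sh
# Added example (not hoop's own code): produce and validate the value for
# SSH_CLIENT_HOST_KEY. Assumes openssl is installed; key size is an assumption.
set -eu

# Generate an unencrypted PKCS#8 RSA private key into $1 and print it as a
# single-line base64 string (the form the gateway expects in the env var).
make_host_key_b64() {
    keyfile="$1"
    openssl genpkey -algorithm RSA -out "$keyfile" \
        -pkeyopt rsa_keygen_bits:2048 2>/dev/null
    chmod 600 "$keyfile"
    # tr strips the line wrapping so the value is safe to put in an env var.
    openssl base64 -in "$keyfile" | tr -d '\n'
}

# Decode a base64 value and check it is a PKCS#8 RSA key openssl can parse.
# Returns 0 when the value is usable, 1 otherwise (bad base64, PKCS#1 key, junk).
check_host_key_b64() {
    tmp=$(mktemp)
    # Re-wrap to 64 columns so openssl's decoder accepts long single-line input.
    if ! printf '%s\n' "$1" | fold -w 64 | openssl base64 -d > "$tmp" 2>/dev/null; then
        rm -f "$tmp"; return 1
    fi
    # PKCS#8 PEM starts with this header; PKCS#1 would say "RSA PRIVATE KEY".
    if ! head -n1 "$tmp" | grep -q '^-----BEGIN PRIVATE KEY-----$'; then
        rm -f "$tmp"; return 1
    fi
    # rsa -check verifies the key components are mutually consistent.
    if openssl rsa -in "$tmp" -check -noout >/dev/null 2>&1; then
        rc=0
    else
        rc=1
    fi
    rm -f "$tmp"
    return $rc
}
```

Export the printed value as SSH_CLIENT_HOST_KEY only after check_host_key_b64 returns 0; a failing check is the same parsing problem --debug would report at connect time.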
For more details, refer to the environment variables documentation.

Known Issues

Warp Terminal

When using Warp Terminal, you might encounter issues due to its unique handling of SSH connections. To disable Warp's SSH wrapper, set this option in your bash profile or in your current shell session:
export WARP_USE_SSH_WRAPPER=0