Before you start

To get the most out of this guide, you will need to:

Features

The table below outlines the features available for this type of connection.
  • Native - This refers to when a database client connects through a specific protocol, such as an IDE or client libraries through hoop connect <connection-name>.
  • One Off - This term refers to accessing this connection from hoop web panel.
FeatureNativeOne OffDescription
TLS Termination ProxyThe local proxy terminates the connection with TLS, enabling the connection with the remote server to be TLS encrypted.
AuditThe gateway stores and audits the queries being issued by the client.
Data Masking (Google DLP)A policy can be enabled to mask sensitive fields dynamically when performing queries in the database.
Data Masking (MS Presidio)A policy can be enabled to mask sensitive fields dynamically when performing queries in the database.
Credentials OffloadThe user authenticates via SSO instead of using database credentials.
Interactive AccessInteractive access is available when using an IDE or connecting via a terminal to perform analysis exploration.

Configuration

NameTypeRequiredDescription
HOSTenv-varyesThe IP or hostname of the SSH server
PORTenv-varnoThe port of the SSH server, default to 22
USERenv-varyesThe username of the Linux server
PASSenv-varnoThe credentials of the username if password authentication is enabled in the SSH server.
AUTHORIZED_SERVER_KEYStextareanoThe private key of the user that corresponds to the public key at $HOME/<user>/.ssh/authorized_keys

Connection Setup

# ssh server must enable password based authentication
hoop admin create conn myremote-server -a <agent> --overwrite \
    --type application/ssh \
    -e HOST=10.20.30.40 \
    -e USER=root \
    -e PASS=myrootpasswd

# ssh server must enable public key authentication
hoop admin create conn myremote-server -a <agent> --overwrite \
    --type application/ssh \
    -e HOST=10.20.30.40 \
    -e USER=root \
    -e AUTHORIZED_SERVER_KEYS=file:///path/to/your/private/key

How to Use it

To connect automatically, it will listen to a random port and use your local ssh client to connect it. 
hoop connect myremote-server
In the listen mode, it will listen for connections on the specified port when using the --port flag. 
hoop connect myremote-server --port 2222
Connect with your local SSH client using another terminal window: 
ssh -p 2222 localhost

SSH Hosts Key

To prevent fingerprint issues when connecting with the local SSH client server, add the client host key environment variable during gateway setup. The key must be in PKCS#8 format and encoded as base64. You can generate a key with openssl utility: 
openssl genpkey -algorithm RSA -out ssh_host_hoop_key.pem \
  -pkeyopt rsa_keygen_bits:4096
base64 -i ssh_host_hoop_key.pem
  • SSH_CLIENT_HOST_KEY=<base64-encoded-key>
To troubleshoot the SSH connection with hosts keys, use the --debug flag when running the hoop connect command. This will provide detailed information about the connection process, including any issues related to parsing the host key.
For more details, refer to the environment variables documentation.

Known Issues

Warp Terminal

When using Warp Terminal, you might encounter issues due to its unique handling of SSH connections. To disable it, set this option in your bash profile or your current shell session 
export WARP_USE_SSH_WRAPPER=0