Typically SSH creates a new TCP session every time you connect to a remote host. But SSH has a feature that lets new connections reuse an existing connection through a socket, which is called multiplexing.
Obviously this is only really useful if you are connecting via the same host, but through that host you can multiplex to different destinations.
Why is this useful?
If I already have a SOCKS connection open to my office gateway, I don't need to open a new TCP connection to pass traffic inside the office network. OK, you're still not sold on the idea? Well, we're using pretty robust authentication to get in via the gateway: multi-factor authentication, private keys and passwords. That would mean going through that authentication again for every connection. Add to that fail2ban: get it wrong and your IP is blocked for 90 minutes.
With a multiplexed connection I authenticate ONCE and my subsequent connections go through that already authenticated session.
If you look at my socks.sh script in SSH and SOCKS, you'll see it already creates a socket, ~/.ssh/jump.socket. All I need to do to use that socket is amend my ~/.ssh/config slightly to tell all of my connections to use it if it exists, or create it automatically if it doesn't.
This is where we use
Host jump-host
    HostName gateway.domain.tld
    ForwardAgent yes
    ControlMaster auto
    ControlPersist 1
    ControlPath ~/.ssh/jump.socket
    Compression yes

Host *.domain.tld system1 system2
    HostName %h
    ProxyJump jump-host
If I connect to anything in my wildcard *.domain.tld it will use the jump-host, which will automatically create a socket file that will in turn be used by any subsequent connection.
You can also add short names to the Host line, so that not just the wildcard FQDN but a shorter name (like system1 above) will also work.
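As an added example (not from the original post or its socks.sh), here is a small POSIX shell helper around that socket: it asks ssh whether a master is already listening, starts one if not, and refuses to use a jump.socket whose permissions would let another local user ride the already-authenticated session. The host alias jump-host and the path ~/.ssh/jump.socket are taken from the config above; GNU/busybox stat is assumed.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumes the alias
# "jump-host" and ControlPath ~/.ssh/jump.socket from the config above.
set -u

CTL_HOST="${CTL_HOST:-jump-host}"
CTL_SOCKET="${CTL_SOCKET:-$HOME/.ssh/jump.socket}"

# ssh -O check exits 0 when a master is listening on the socket,
# non-zero otherwise. Usage: master_alive SOCKET HOST
master_alive() {
    ssh -q -S "$1" -O check "$2" >/dev/null 2>&1
}

# The socket is as good as an authenticated session: anyone who can open
# it gets onto the gateway without going through MFA again. Refuse to use
# it unless it exists, is owned by us, is mode 0600, and sits in a 0700
# directory. (stat -c is GNU/busybox syntax.) Usage: socket_perms_ok SOCKET
socket_perms_ok() {
    sock="$1"
    dir=$(dirname "$sock")
    [ -e "$sock" ] || return 1
    [ "$(stat -c %u "$sock")" = "$(id -u)" ] || return 1
    [ "$(stat -c %a "$sock")" = "600" ] || return 1
    [ "$(stat -c %a "$dir")" = "700" ] || return 1
    return 0
}

# Start a background master if none is alive; every later ssh that
# resolves to the same ControlPath reuses it (ControlMaster auto).
ensure_master() {
    if master_alive "$CTL_SOCKET" "$CTL_HOST"; then
        echo "master already running on $CTL_SOCKET"
    else
        ssh -fN -o ControlMaster=yes -o ControlPath="$CTL_SOCKET" "$CTL_HOST" || return 1
    fi
    socket_perms_ok "$CTL_SOCKET"
}

# Tear the master down explicitly (e.g. when leaving your desk). With
# ControlPersist 1 it would otherwise only linger 1 second past the last
# client session, so reuse depends on sessions overlapping.
stop_master() {
    ssh -S "$1" -O exit "$2"
}

case "${1:-}" in
    start) ensure_master ;;
    stop)  stop_master "$CTL_SOCKET" "$CTL_HOST" ;;
esac
```

Run it as `./ctl.sh start` before a batch of connections and `./ctl.sh stop` when finished; the permission check is worth running on its own after any tooling has touched ~/.ssh.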