unsnap_biceps•1h ago
In my experience, most companies solve this via a bastion model. One bastion host has a public IP address and is configured to only allow access using ProxyJump, and then the user would access the target via `ssh -J bastion.exe.xyz undefined-behavior.exe.xyz`
Was this something that was considered and rejected? If so, why was it rejected for the more complicated dynamic proxy described?
crawshaw•1h ago
Hi, author here! Our first system used usernames:
ssh servername@exe.dev
We did not like stealing users for this.
I built jumpbox support into our proxy on a branch to get -J working. I have not shipped it (but probably will in the future). The reason we did not use it for default access is we do not want our proxies to complicate the experience of using VMs. We want to be as close to “just a computer” as possible. Jumpboxes are not unheard of but they are still a relatively uncommon ssh feature.
It gets even nicer if you set up a CNAME for your box, then you can:
ssh myserver.com
...and get right into your exe.dev VM.
Another way of saying it: we are willing to take on a lot of complexity internally to remove a little bit of complexity for our users. This was my standard of operation at Tailscale and it is how I like to program.
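As an added illustration of the bastion model unsnap_biceps describes (this is example configuration, not code from the thread, from exe.dev, or from the author's proxy), here is the client-side `~/.ssh/config` that makes `ssh -J` implicit, plus the matching `sshd_config` hardening on the bastion so it relays only SSH to the internal VMs. Host names, user names and key paths are placeholders:

```sshconfig
# ---- client side: ~/.ssh/config ----
# bastion.example.com, *.internal.example.com, the users "jump" and
# "ubuntu" and the key path are assumptions for this example.

Host bastion
    HostName bastion.example.com
    User jump
    IdentityFile ~/.ssh/id_ed25519
    # ProxyJump carries the inner SSH session end to end through a
    # forwarded TCP channel, so the bastion never needs your agent.
    ForwardAgent no

# Any VM behind the bastion. The user still just types
#   ssh vm1.internal.example.com
# and OpenSSH inserts the jump for them.
Host *.internal.example.com
    ProxyJump bastion
    User ubuntu
    IdentityFile ~/.ssh/id_ed25519
    # The host key check is against the VM itself, not the bastion: the
    # bastion only relays ciphertext and cannot forge the VM's key.
    # accept-new pins the key on first contact and refuses later changes.
    StrictHostKeyChecking accept-new

# ---- bastion side: /etc/ssh/sshd_config (Match block, at end of file) ----
# The jump user may open local (direct-tcpip) forwards to port 22 of the
# listed VMs and nothing else: no shell, no TTY, no agent or X11 forwarding.
Match User jump
    AllowTcpForwarding local
    PermitOpen vm1.internal.example.com:22 vm2.internal.example.com:22
    PermitTTY no
    AllowAgentForwarding no
    X11Forwarding no
    ForceCommand /usr/sbin/nologin
```

`ssh -G vm1.internal.example.com` prints the fully resolved client options (you should see `proxyjump bastion` in the output) without opening a connection, and `ssh -v` shows the jump being set up. The `Match` block must come after all global directives in `sshd_config`, since a `Match` extends to the next `Match` or end of file. What the config above buys in transparency is exactly what the CNAME approach in the post gets for free: the user runs a plain `ssh myserver.com` with no client configuration at all, which is the trade-off crawshaw describes between internal and user-facing complexity.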