Setting Up Jumphost
Jumphost allows to set-up a connection to the server which can be used as a proxy server for discovery purposes. IP Fabric uses an SSH tunnel established by python on the client and the server side.
The user used for Jumphost connection must have access to jumphosts
shell and must be able to run
We successfully tested IP Fabric against jumphosts with the following python versions:
|Jumphost Python Version|
Tested vs. Supported
tested – Python version was successfully tested on a jumphost however it is not officially supported by the underlying SSH tunnel project.
supported – Python version was successfully tested on a jumphost and it is officially supported by the underlying SSH tunnel project.
We strongly recommend using the supported Python versions in your production environment.
Please bear in mind, that once the connection is established, it will be enabled permanently, until disabled or removed! If there are any network issues, IP Fabric software will try to establish a connection periodically.
In the Discovery Seeds settings, at least one IP address behind the Jumphost has to be provided as a starting point.
Adding New Jumphost
Fill in all necessary data:
- Label - the name for configuration (mandatory)
- Jumphost Address - IP address of FQDN name (mandatory)
IPv4 subnets - subnet in CIDR representation, allows adding more than open, separated with spaces (mandatory)
If you use
0.0.0.0/0or another subnet that includes the IP address of IP Fabric, please make sure to add IP Fabric IP address/subnet to “Exclude IPv4 subnet”. Otherwise, the connection to IP Fabric will be lost and you will not be able to access IP Fabric GUI/CLI and it will require manual intervention to fix.
Also if you have multiple jumphosts that have IP address that is part of include list of another jumphost, add the IP addresses in all the other jumphosts exclude lists.
- Exclude IPv4 subnets - subnet to exclude in CIDR representation, allows to add more than open, separated with spaces (optional)
- Login type
- Use credentials - required to provide username and password
- Use SSH keys - if you copied the SSH public key to the proxy server, it won’t require providing a password (please jump to the SSH key configuration section)
- Username - Username for authentication (mandatory)
Password - password for authentication (mandatory if ‘Use credentials’ is used) i.e., refer to the picture below.
Username and Password character restrictions
Username must match the following
Password must match the following
- Click the green Add button to save the configuration.
SSH Key Configuration
To avoid using a password for authentication, you can add the SSH key to the proxy server.
Copy SSH Key Manually
Download the SSH key from Jumphost settings:
Insert content of the
jumphost-public-key.pubfile to the
authorized_keysfile of the user that will authenticate with Jumphost server. Please follow official documentation at https://www.ssh.com/academy/ssh/authorized-key.
You can also use
ssh-copy-idon your machine to deploy the key (see below).
After the key is transferred to the jumphost server, you can use the
Use SSH keysoption instead of
Log in to the IP Fabric CLI using the
Change to user
sudo su - autoboss.
ssh-copy-idwith specified identity file replacing
<jumphost-user>with the jumphost user and
<jumphost-ip>with the IP or FQDN of the jumphost server:
ssh-copy-id -i ~/.ssh/ipf-jumphost.pub <jumphost-user>@<jumphost-ip>
- When prompted for a password, use the jumphost user’s password.
To test, connect to the jumphost server via SSH with:
If the key has been copied you can use the
Use SSH keysoption instead of
Disabling Jumphost Connection
Remove Jumphost Configuration
Jumphost settingstable, select the server you want to remove.
(If SSH key authentication was enabled) Delete inserted IP Fabric public key from the
authorized_keysfile on the jumphost server added in the SSH Key Configuration.
Jumphost Known Issues
Only TCP connections work through the jumphost.
Traceroute with ICMP is not supported so the discovery process might not be able to get over the unreachable parts of the network (for example sites separated by the provider’s network).
Because of this, you will have to add at least one IP address of a network device from each site to the Discovery Seeds settings.
IP Fabric Is Not Accessible After Saving Jumphost Configuration
If you can’t open the main GUI or ssh to the IP Fabric machine, the subnet/IP address of the IP Fabric machine was most likely included in the jumphost configuration.
To fix this issue, you have to have a direct access to the virtual machine CLI from a hypervisor, the password for
osadmin user account, and do the following:
Log in to the virtual machine CLI with the
Filter out the jumphost services with
systemctl | grep jumphostcommand. Each configured jumphost has its own ID:
Stop the jumphost service with the command
sudo systemctl stop firstname.lastname@example.org, confirm the
Check that the jumphost process is inactive with
systemctl status email@example.com:
IP Fabric GUI should be accessible by now.
Log in to the IP Fabric main GUI with your regular account and go to Settings → Discovery & Snapshots → Global Configuration → Jumphost.
Make a screenshot or copy the settings of the old jumphost and then delete or edit the jumphost settings.
Put IP address/subnet of the IP Fabric machine to the exclude IPv4 subnets or edit the IPv4 subnets so it does not contain the IP address of IP Fabric:
If IP Fabric becomes inaccessible via GUI or SSH again, repeat the previous steps and again edit the jumphost configuration.