Skip to content

feat: Support per-jump-host SSH private key configuration #169

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
inureyes merged 1 commit into from
Jan 28, 2026
Merged

feat: Support per-jump-host SSH private key configuration #169

inureyes merged 1 commit into from
Jan 28, 2026

Conversation

@inureyes
Copy link
Member

@inureyes inureyes commented Jan 28, 2026

Summary

Implements #167: Support per-jump-host SSH private key configuration in config.yaml

This PR adds the ability to configure separate SSH keys for jump hosts, independent of destination node keys. Users can now specify different keys for bastion hosts versus internal nodes, addressing environments where:

  • Jump/bastion hosts use different keys than internal destination nodes
  • Security policies require separate keys for gateway and target access
  • Multi-hop chains require different keys at each hop

Changes

Core Implementation

  • JumpHost struct: Added ssh_key: Option<String> field
  • JumpHostConfig enum: Created #[serde(untagged)] enum supporting both:
    • Simple(String): Legacy format "user@host:port"
    • Detailed: Structured format with host, user, port, ssh_key fields
  • Config resolver: Added get_jump_host_with_key() methods to return both connection string and ssh_key
  • Auth priority: Updated determine_auth_method() to prioritize jump host's own ssh_key over cluster key

Configuration Format

Legacy string format (backward compatible):

jump_host: jumpuser@bastion.example.com

New structured format with dedicated key:

jump_host:
  host: bastion.example.com
  user: jumpuser
  port: 22
  ssh_key: ~/.ssh/jump_host_key

SSH Key Priority Order

  1. Jump host's own ssh_key field (from structured config)
  2. Cluster/defaults ssh_key (fallback)
  3. SSH agent (if enabled and available)
  4. Default key files (~/.ssh/id_*)

Testing

New Tests

  • tests/jump_host_config_test.rs: 13 new tests for config parsing
    • Simple vs detailed format deserialization
    • Per-node jump host override with keys
    • Environment variable expansion
    • Backward compatibility verification
  • src/jump/chain/auth.rs: 2 new auth priority tests
    • Jump host key takes priority over cluster key
    • Falls back to cluster key when jump host has no key

Test Results

  • All 346 tests passing (20 new tests added)
  • Zero compilation warnings
  • Full backward compatibility maintained

Documentation

  • Updated example-config.yaml with both legacy and structured format examples
  • Updated docs/architecture/ssh-jump-hosts.md with implementation details
  • Added comprehensive inline documentation

Backward Compatibility

✅ All existing configurations continue to work without changes
✅ String format jump_host: "user@host:port" fully supported
✅ Multi-hop chains work with mixed formats
✅ No breaking changes to API or behavior

Example Use Case

clusters:
  secure:
    nodes:
      - host: db.internal
    user: dbadmin
    ssh_key: ~/.ssh/db_admin_key  # For database access
    jump_host:
      host: bastion.example.com
      user: bastion_user
      ssh_key: ~/.ssh/bastion_key  # Separate key for bastion

Checklist

  • JumpHost struct has ssh_key field
  • Config supports structured jump_host with host, user, port, ssh_key
  • Config supports legacy string format
  • Serde untagged enum correctly deserializes both formats
  • determine_auth_method uses jump host's ssh_key when provided
  • Per-node jump_host structured format works
  • Global defaults jump_host structured format works
  • Cluster-level jump_host structured format works
  • Environment variable expansion works in jump host ssh_key paths
  • example-config.yaml includes examples of new syntax
  • Existing tests continue to pass
  • New unit tests cover structured jump_host deserialization
  • New unit tests cover per-jump-host key path resolution

Related Issues

Closes #167

@inureyes
feat: Support per-jump-host SSH private key configuration
6e39056 
Add support for configuring separate SSH keys for jump hosts independent
of destination node keys. Jump hosts can now use structured YAML format
with optional ssh_key field while maintaining backward compatibility with
string format.

Key changes:
- Add ssh_key field to JumpHost struct
- Create JumpHostConfig enum supporting Simple(String) and Detailed formats
- Update config resolver with get_jump_host_with_key methods
- Implement SSH key priority: jump host key > cluster key > agent > defaults
- Add comprehensive tests for config parsing and auth priority
- Update documentation and example config
@inureyes inureyes merged commit 10d377f into main Jan 28, 2026
1 of 2 checks passed
@inureyes inureyes deleted the feature/issue-167-per-jump-host-ssh-key branch January 28, 2026 05:14
@inureyes inureyes self-assigned this Jan 28, 2026
@inureyes inureyes added priority:medium Medium priority issue status:done Completed type:enhancement New feature or request labels Jan 28, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@inureyes inureyes

Labels

priority:medium Medium priority issue status:done Completed type:enhancement New feature or request

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Support per-jump-host SSH private key configuration in config.yaml

2 participants

@inureyes