SSH Tunnel Server — User Guide

Overview

What is the SSH Tunnel Server?

The SSH Tunnel Server (ts-sap-hana-s4-ssh-tunnel) is a lightweight Debian Linux VM hosted on Google Cloud Platform that serves as a secure jump host (bastion host) for accessing the SAP landscape from external networks.

The SAP servers (S/4HANA, ECC Oracle, SQL Server, HVR Hub) reside on internal GCP networks without external IP addresses. This tunnel server has both an internal IP (for reaching SAP systems) and an external IP (for accepting connections from the internet), bridging the two.

Primary use cases: SSH jump host for remote access, port forwarding for SAP GUI and HANA Studio, secure file transfers, and automated connectivity checks from the web server (sapidesecc8).

System Info

Server Details

Property	Value
Hostname	`ts-sap-hana-s4-ssh-tunnel`
OS	Debian GNU/Linux 12 (bookworm)
Kernel	`6.1.0-44-cloud-amd64`
CPUs	2 vCPUs
Memory	975 MiB
Disk	9.7 GB (39% used)
Internal IP	`10.142.0.37`
External IP	`35.229.110.30` (static)
GCP Zone	`us-east1-b`
GCP Instance	`ts-sap-hana-s4-ssh-tunnel`
GCP Project	`internal-sales`

Network Topology

Server	Internal IP	Reachable from Tunnel	Description
`sap-sql-ides`	`10.128.0.51`	Yes	SAP ECC 6.0 on SQL Server (Windows)
`hvrhub`	`10.128.15.240`	Yes	Fivetran HVR Hub
`sapidess4`	`10.128.15.210`	No (different subnet)	SAP S/4HANA 2023
`sapidesecc8`	`10.128.15.220`	No (different subnet)	SAP ECC 6.0 EHP8 on Oracle

Note: The tunnel server is on the 10.142.x.x subnet while sapidess4 and sapidesecc8 are on 10.128.15.x. Direct ICMP ping is not possible between these subnets, but SSH forwarding through GCP VPC routing works for the reachable hosts.

SSH Service

Service Details

Property	Value
Service	`ssh.service` (OpenBSD Secure Shell server)
Daemon	`sshd`
Port	22 (TCP)
Config file	`/etc/ssh/sshd_config`
Status	enabled (starts on boot)
Protocol	SSH-2

Configuration

Setting	Value	Description
`PermitRootLogin`	`prohibit-password`	Root login via SSH key only (no password)
`PasswordAuthentication`	`yes`	Password auth enabled globally
`ChallengeResponseAuthentication`	`yes`	Keyboard-interactive auth enabled
`UsePAM`	`yes`	PAM authentication enabled
`X11Forwarding`	`yes`	X11 display forwarding allowed
`AllowTcpForwarding`	`yes` (default)	TCP port forwarding allowed
`GatewayPorts`	`no` (default)	Remote port forwarding binds to localhost only
`ClientAliveInterval`	`120`	Keep-alive ping every 120 seconds

Match block: The fivetran user has an explicit PasswordAuthentication yes match rule, ensuring password login works for this user even if the global setting changes.

Start / Stop / Restart

The cockpit provides Start, Stop, and Restart buttons for the SSH service.

Start — starts the SSH daemon; no password required
Stop — stops the SSH daemon; requires master password. All active SSH sessions will be terminated.
Restart — restarts the SSH daemon; requires master password. Active sessions will be briefly interrupted.

Command line (from sapidesecc8):

# Check status
ssh root@sapidesecc8 "ssh root@10.142.0.37 'systemctl status ssh'"

# Start SSH service
ssh root@sapidesecc8 "ssh root@10.142.0.37 'systemctl start ssh'"

# Stop SSH service (WARNING: all sessions will be terminated)
ssh root@sapidesecc8 "ssh root@10.142.0.37 'systemctl stop ssh'"

# Restart SSH service
ssh root@sapidesecc8 "ssh root@10.142.0.37 'systemctl restart ssh'"

# Enable SSH on boot
ssh root@sapidesecc8 "ssh root@10.142.0.37 'systemctl enable ssh'"

If already logged in on the tunnel server:

sudo systemctl status ssh
sudo systemctl start ssh
sudo systemctl stop ssh
sudo systemctl restart ssh

Warning: Stopping the SSH service will prevent all remote access to the server. The only way to recover is through the GCP Console serial console or by restarting the VM from GCP.

Access

User Accounts

User	Auth Method	Shell	Description
`root`	SSH key only	`/bin/bash`	System administrator (from sapidesecc8 only)
`fivetran`	SSH key + password	`/bin/sh`	Fivetran service account — used for tunneling
`antonio_carbone`	SSH key (GCP OS Login)	`/bin/bash`	Personal account via Google Cloud IAP

Credentials

User	Password	Vault Key
`root`	Key auth only (sapidesecc8’s key is authorized)	`ssh_tunnel_server`
`fivetran`	Stored in vault	`ssh_tunnel_server`

SSH button: The cockpit’s SSH button copies the fivetran password to clipboard and opens an ssh:// connection to fivetran@35.229.110.30.

Connection Methods

From your Mac (key-based, no password):

ssh fivetran@35.229.110.30

Via GCP Identity-Aware Proxy (IAP):

gcloud compute ssh ts-sap-hana-s4-ssh-tunnel --zone=us-east1-b --project=internal-sales

From sapidesecc8 (key-based, no password):

ssh root@10.142.0.37      # as root
ssh fivetran@10.142.0.37  # as fivetran

Tunneling

SSH Jump Host

Use the -J flag to jump through the tunnel server to reach internal SAP hosts:

# Jump to S/4HANA server via tunnel
ssh -J fivetran@35.229.110.30 root@sapidess4

# Jump to ECC Oracle server
ssh -J fivetran@35.229.110.30 root@sapidesecc8

ProxyJump: The -J flag (ProxyJump) establishes a transparent connection through the tunnel server. You authenticate to both the tunnel and the target host in sequence.

Port Forwarding

Forward local ports to internal SAP services through the tunnel:

Service	Command	Local Access
SAP GUI (S/4HANA)	`ssh -L 3200:sapidess4:3200 fivetran@35.229.110.30`	`localhost:3200`
HANA Studio	`ssh -L 30015:sapidess4:30015 fivetran@35.229.110.30`	`localhost:30015`
SAP GUI (ECC Oracle)	`ssh -L 3201:sapidesecc8:3200 fivetran@35.229.110.30`	`localhost:3201`
SQL Server	`ssh -L 1433:10.128.0.51:1433 fivetran@35.229.110.30`	`localhost:1433`

Multiple tunnels in one command:

ssh -L 3200:sapidess4:3200 \
    -L 3201:sapidesecc8:3200 \
    -L 30015:sapidess4:30015 \
    fivetran@35.229.110.30

Key Management

Adding SSH Keys

The cockpit provides an Add SSH Public Key form that appends a public key to /home/fivetran/.ssh/authorized_keys on the tunnel server.

Paste any standard SSH public key (ssh-rsa, ssh-ed25519, or ecdsa)
The key is checked for duplicates — if the key body already exists, it won’t be added again
An added-by-claude comment is appended to keys added through the portal
Keys are added to the fivetran user only (not root)

API: POST /sap_skills/api/sshtunnel_add_key with body {"key": "ssh-rsa AAAA... user@host"}. The server SSHs as root to the tunnel server and modifies the authorized_keys file.

Authorized Keys Files

File	User	Description
`/home/fivetran/.ssh/authorized_keys`	fivetran	Fivetran service keys + keys added via portal
`/root/.ssh/authorized_keys`	root	sapidesecc8’s root key (for management)

Security

Firewall

Rule	Direction	Port	Source
`ssh-port22`	Ingress	TCP 22	`0.0.0.0/0` (all)

GCP Firewall: Port 22 is open from all sources. Security relies on SSH authentication (key + password). Consider restricting source IPs to known Fivetran office ranges for additional security.

Security Considerations

Root access: SSH key only (prohibit-password) — password login as root is impossible
OS updates: Debian 12 (bookworm) is current stable (upgraded 2026-04-14 from Debian 11 bullseye)
Unattended upgrades: The unattended-upgrades service is running for automatic security patches
ClientAliveInterval: Set to 120 seconds — idle sessions are kept alive to prevent disconnection
Monitoring: The web server (sapidesecc8) checks tunnel server reachability via the Management Cockpit

Troubleshooting

Common Issues

Issue	Fix
SSH service not responding	Use cockpit Start button, or GCP Console serial console: `systemctl start ssh`
Connection refused on port 22	Check GCP firewall rule `ssh-port22` exists; check `systemctl status ssh`
Permission denied (publickey)	Key not in `authorized_keys` — add via cockpit or manually
Password rejected	Verify `PasswordAuthentication yes` in sshd_config; verify user password with `passwd fivetran`
Cockpit shows “Connection error”	Tunnel server is down — check GCP Console for VM status, restart if needed
Tunnel hangs after idle	`ClientAliveInterval` should prevent this; add `ServerAliveInterval 60` to your local `~/.ssh/config`
Port forward not working	Verify target host is reachable from tunnel server: `ssh root@10.142.0.37 "ping -c1 TARGET_IP"`

Diagnostic Commands

# Check SSH service status
ssh root@sapidesecc8 "ssh root@10.142.0.37 'systemctl status ssh'"

# Check active sessions
ssh root@sapidesecc8 "ssh root@10.142.0.37 'who'"

# Check sshd config syntax
ssh root@sapidesecc8 "ssh root@10.142.0.37 'sshd -t && echo OK || echo FAILED'"

# Check auth log
ssh root@sapidesecc8 "ssh root@10.142.0.37 'tail -20 /var/log/auth.log'"

# Check disk space
ssh root@sapidesecc8 "ssh root@10.142.0.37 'df -h /'"

# Restart SSH after config change
ssh root@sapidesecc8 "ssh root@10.142.0.37 'systemctl restart ssh'"

Email Relay

SMTP Configuration

This server is configured to send email via smtp2go relay using Exim4.

Property	Value
MTA	Exim4 (Debian smarthost mode)
Relay	`mail.smtp2go.com::2525`
From Address	`sshtunnel@fivetran-internal-sales.com`
Auth	SASL via `/etc/exim4/passwd.client` (credentials in vault key `smtp2go`)
Config	`/etc/exim4/update-exim4.conf.conf`, `/etc/exim4/passwd.client`

Send a test email:

echo "Test" | mail -s "Test from sshtunnel" -a "From: sshtunnel@fivetran-internal-sales.com" recipient@email.com

Architecture

Cockpit API Endpoints

Endpoint	Method	Auth	Description
`/sap_skills/api/sshtunnel_hardware`	GET	None	OS, CPUs, memory, uptime
`/sap_skills/api/sshtunnel_disk`	GET	None	Disk space usage
`/sap_skills/api/sshtunnel_status`	GET	None	SSH reachability check
`/sap_skills/api/sshtunnel_sessions`	GET	None	Active SSH sessions (who)
`/sap_skills/api/sshtunnel_ssh_credential`	GET	None	Returns fivetran user/password from vault
`/sap_skills/api/sshtunnel_control`	POST	Master pwd (stop/restart)	Start/stop/restart SSH service
`/sap_skills/api/sshtunnel_add_key`	POST	None	Add public key to fivetran authorized_keys

How It Works

All cockpit operations are executed remotely from sapidesecc8. The web server (sapidesecc8) SSHs to the tunnel server (root@10.142.0.37) using key-based authentication and runs commands. The results are returned as JSON to the browser.

Component	Location	Description
Web server	`sapidesecc8`	`gcs_explorer_server.py` handles API requests
SSH tunnel server	`10.142.0.37`	Target of all remote commands
Cockpit page	`/usr/sap/sap_skills/docs/SAP_SSHTunnel.html`	Browser UI with JavaScript fetch calls
Guide page	`/usr/sap/sap_skills/docs/SAP_SSHTunnel_Guide.html`	This documentation page
Vault credentials	`/usr/sap/sap_skills/.vault.enc`	Encrypted vault key: `ssh_tunnel_server`