ssh-keygen -t ed25519 -f bastion -C "" -N ""
Explanation: This generates two files, bastion and bastion.pub. bastion is your private key: do not share this file, and protect it as you would your password. Because -N "" sets an empty passphrase, the file alone is enough to authenticate as you. bastion.pub is the public key, and this file is not sensitive. It is what you will place on other machines to allow you to ssh in using your private key.
cat ./bastion.pub | ssh [email protected] "umask 077 && mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"
(Authenticate via password when prompted.)
Explanation: This chain of commands copies your public key in bastion.pub from your local machine to the remote bastion host. It appends the key to a file called authorized_keys in the .ssh/ folder in your home directory on the bastion host, creating both if needed (umask 077 keeps anything it creates accessible only to you). This file contains one or more public keys. Each public key has a corresponding private key, and possession of that private key will allow someone to log in to that machine as you.
mv bastion ~/.ssh/
chmod 600 ~/.ssh/bastion
Explanation: This moves the newly generated private key into the .ssh/ directory in your home directory. It also sets the permissions to owner read/write only.
host bastion
    user joe.bob
    hostname bastion.example.org
    DynamicForward 9996
    IdentityFile ~/.ssh/bastion
(Create the file if it doesn't exist.)
Explanation: This sets up a host shortcut that tells ssh to use a certain private key to authenticate with the bastion host, and to automatically set up dynamic port forwarding (a local SOCKS proxy) on localhost:9996.
ssh bastion
Explanation: bastion is the short name for this connection that we specified in the ~/.ssh/config file.
You should be connected without being prompted for a password.
Traffic to localhost:9996 will be dynamically forwarded through the bastion.
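Added example (not part of the original page): a small shell audit of the two client-side settings the steps above depend on, namely that the private key is readable only by its owner and that the DynamicForward listener stays on the loopback interface. The function names are hypothetical, and the parser assumes whitespace-separated "keyword value" lines and an exact Host name, as in the config shown above.

```shell
#!/bin/sh
# Added example, not from the original page. Checks the private key mode and
# the DynamicForward binding for one Host block. Only the named Host block is
# inspected; settings inherited from "Host *" or global lines are not followed.
# Assumes "keyword value" lines separated by whitespace, as on the page.

# key_is_private FILE: succeeds if FILE exists and group/other have no access.
key_is_private() {
    [ -f "$1" ] || return 2
    # Characters 5-10 of the ls mode string are the group and other bits.
    [ "$(ls -ldL -- "$1" | cut -c5-10)" = "------" ]
}

# forward_is_loopback CONFIG HOST: succeeds if HOST's block has at least one
# DynamicForward and none of them can listen beyond the loopback interface.
forward_is_loopback() {
    awk -v want="$2" '
        tolower($1) == "host" {
            inblock = 0
            for (i = 2; i <= NF; i++) if ($i == want) inblock = 1
            next
        }
        tolower($1) == "match" { inblock = 0; next }
        !inblock { next }
        # GatewayPorts yes makes a port-only forward bind to all interfaces.
        tolower($1) == "gatewayports" && tolower($2) == "yes" { bad = 1 }
        tolower($1) == "dynamicforward" {
            seen = 1
            if ($2 ~ /^[0-9]+$/) next          # port only: loopback by default
            bind = $2
            sub("[:/][0-9]+$", "", bind)       # drop :port or /port
            gsub(/\[/, "", bind); gsub(/\]/, "", bind)
            if (bind != "localhost" && bind != "127.0.0.1" && bind != "::1") bad = 1
        }
        END { exit ((seen && !bad) ? 0 : 1) }
    ' "$1"
}

# audit_bastion CONFIG HOST KEYFILE: prints findings, fails if there are any.
audit_bastion() {
    rc=0
    key_is_private "$3" || { echo "FAIL: $3 missing or accessible by group/other"; rc=1; }
    forward_is_loopback "$1" "$2" || { echo "FAIL: DynamicForward for $2 absent or not loopback-only"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: key mode and SOCKS listener binding look right"
    return "$rc"
}
```

Run it as: audit_bastion ~/.ssh/config bastion ~/.ssh/bastion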