Tuesday 26 November 2019

linux - Gateway Server Jump Bastion Host Local Setup


I want to ssh to a remote private host using an intermediate (bastion, jump, gateway) server. This command works fine:


ssh gateway ssh private

With this ~/.ssh/config setup:


Host gateway
  User gateway-user
  HostName XX.XX.XX.XX
  RequestTTY force

How can I implement this in my ~/.ssh/config? I've tried numerous iterations of ProxyCommand with no luck. I want to use the identity file located on gateway host to access private hosts. I want to be able to do:


ssh private

I am aware of the technique described here, but it requires my public key to be on all the private hosts, but I don't want that:


http://www.lorrin.org/blog/2014/01/10/one-liner-ssh-via-jump-box-using-proxycommand/



Answer



First, configure your ssh keys on the gateway so you can ssh to private. Then on your client, create a separate private/public key pair that you use to authenticate on the gateway. E.g. ssh-keygen -t rsa -f id_gateway.


Then on the gateway, use the command= syntax in your authorized_keys file. For example, your entry might look like this:


command="sh -c 'ssh private ${SSH_ORIGINAL_COMMAND:-}'" ssh-rsa AAAAB3....

Search the sshd manpage for command="command" for more info. Be sure to add the id_gateway.pub key to this line. Then in your .ssh/config on your client, add an entry like this:


Host private
User gateway-user
Hostname xxx.xxx.xxx.xxx
IdentitiesOnly Yes
IdentityFile ~/.ssh/id_gateway

Now, from your client you should be able to ssh private and get directly in. This even works for scp and sftp.


Extra Credit


If you want to use this for multiple servers, but only want to manage one public key on the gateway, you can use the following trick. sshd by default only allows certain variables to be received from the local environment. One of these is LC_PAPER which is rarely used for anything. So we can use it to pass the server's hostname as follows:


First, change the public key entry to


command="sh -c 'ssh $LC_PAPER ${SSH_ORIGINAL_COMMAND:-}'" ssh-rsa AAAAB3...

Then on your client, add a function to your .bashrc file (or whatever shell you use) that looks like this:


ssh_proxy() {
  LC_PAPER=$1 /usr/bin/ssh $*
}

Then make an alias to if you want:


alias ssh=ssh_proxy

Finally, add Host sections to your .ssh/config like the one shown above. for example:


Host private2
User gateway-user
Hostname xxx.xxx.xxx.xxx
IdentitiesOnly Yes
IdentityFile ~/.ssh/id_gateway

Now you should be able to do ssh private and ssh private2 with just the one public key on the gateway.


-

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)

How can I VLOOKUP in multiple Excel documents?

I am trying to VLOOKUP reference data with around 400 seperate Excel files. Is it possible to do this in a quick way rather than doing it m...