[this is a technical blog post, but easy to follow]
recently I had to setup and present my idea of a ssh bastion host. You may have already heard this as jump host or a security ssh hoping station or ssh gateway or even something else.
The main concept
Disclaimer: This is just a proof of concept (PoC). May need a few adjustments.
The destination VM may be on another VPC, perhaps it does not have a public DNS or even a public IP. Think of this VM as not accessible. Only the ssh bastion server can reach this VM. So we need to first reach the bastion.
To begin with, I will share my initial sshd_config to get an idea of my current ssh setup
AcceptEnv LANG LC_* ChallengeResponseAuthentication no Compression no MaxSessions 3 PasswordAuthentication no PermitRootLogin no Port 12345 PrintMotd no Subsystem sftp /usr/lib/openssh/sftp-server UseDNS no UsePAM yes X11Forwarding no AllowUsers ebal
- I only allow, user ebal to connect via ssh.
- I do not allow the root user to login via ssh.
- I use ssh keys instead of passwords.
This configuration is almost identical to both VMs
- bastion (the name of the VM that acts as a bastion server)
- VM (the name of the destination VM that is behind a DMZ/firewall)
I am using the ssh config file to have an easier user experience when using ssh
Host bastion Hostname 127.71.16.12 Port 12345 IdentityFile ~/.ssh/id_ed25519.vm Host vm Hostname 126.96.36.199 Port 23456 Host * User ebal ServerAliveInterval 300 ServerAliveCountMax 10 ConnectTimeout=60
Create a new user to test this
Let us create a new user for testing.
$ sudo groupadd ebal_test $ sudo useradd -g ebal_test -m ebal_test $ id ebal_test uid=1000(ebal_test) gid=1000(ebal_test) groups=1000(ebal_test)
Copy .ssh directory from current user (<== lazy sysadmin)
$ sudo cp -ravx /home/ebal/.ssh/ /home/ebal_test/ $ sudo chown -R ebal_test:ebal_test /home/ebal_test/.ssh $ sudo ls -la ~ebal_test/.ssh/ total 12 drwxr-x---. 2 ebal_test ebal_test 4096 Sep 20 2019 . drwx------. 3 ebal_test ebal_test 4096 Jun 23 15:56 .. -r--r-----. 1 ebal_test ebal_test 181 Sep 20 2019 authorized_keys $ sudo ls -ld ~ebal_test/.ssh/ drwxr-x---. 2 ebal_test ebal_test 4096 Sep 20 2019 /home/ebal_test/.ssh/
bastion sshd config
Edit the ssh daemon configuration file to append the below entries
AllowUsers ebal ebal_test Match User ebal_test AllowAgentForwarding no AllowTcpForwarding yes X11Forwarding no PermitTunnel no GatewayPorts no ForceCommand echo 'This account can only be used for ProxyJump (ssh -J)'
Don’t forget to restart sshd
systemctl restart sshd
As you have seen above, I now allow two (2) users to access the ssh daemon (AllowUsers). This can also work with AllowGroups
Let’s try to connect to this bastion VM
$ ssh bastion -l ebal_test uptime This account can only be used for ProxyJump (ssh -J)
$ ssh bastion -l ebal_test This account can only be used for ProxyJump (ssh -J) Connection to 127.71.16.12 closed.
We can not login into this machine.
Let’s try with our personal user
$ ssh bastion -l ebal uptime 18:49:14 up 3 days, 9:14, 0 users, load average: 0.00, 0.00, 0.00
Let’s try from windows (mobaxterm)
mobaxterm is putty on steroids! There is also a portable version, so there is no need of installation. You can just download and extract it.
Now it is time to test our access to the destination VM
$ ssh VM ssh: connect to host 188.8.131.52 port 23456: Connection refused
$ ssh -J ebal_test@bastion ebal@vm uptime 19:07:25 up 22:24, 2 users, load average: 0.00, 0.01, 0.00
$ ssh -J ebal_test@bastion ebal@vm Last login: Tue Jun 23 19:05:29 2020 from 184.108.40.206 ebal@vm:~$ ebal@vm:~$ exit logout
Using this command
ssh -J ebal_test@bastion ebal@vm
- is telling the ssh client command to use the ProxyJump feature.
- Using the user ebal_test on bastion machine and
- connect with the user ebal on vm.
So we can have different users!
Now, it is time to put everything under our
Host bastion Hostname 127.71.16.12 Port 12345 User ebal_test IdentityFile ~/.ssh/id_ed25519.vm Host vm Hostname 220.127.116.11 ProxyJump bastion User ebal Port 23456
and try again
$ ssh vm uptime 19:17:19 up 22:33, 1 user, load average: 0.22, 0.11, 0.03
mobaxterm with bastion