Using SSH with an SSH bastion
One of the tasks of system administrators is to secure the machines inside their network. To do so you usually configure access lists on your router to prevent access from the outside. But if every port is blocked, the administrators themselves can no longer reach port 22 (ssh) to manage the machines. One solution is to close all the ports and leave port 22 open; after all, ssh is known to be secure. The second solution is to leave port 22 closed as well and have one bastion machine that you connect to before connecting to the servers inside your network. This kind of configuration provides several advantages:
- Easier to tighten the security on one machine than on multiple machines
- Provides logging and access control
- Easier to detect dictionary attacks
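The logging and detection advantages above come from the fact that every outside login now passes through one host, so one sshd log shows every failed attempt. The following sh/awk script is an added example, not code from the original page: it counts failed password logins per source address and flags the addresses that cross a threshold. The log lines are constructed and use documentation address ranges; the function names are mine.

```shell
#!/bin/sh
# Added example (not from the original page): spot dictionary attacks against
# the bastion from its sshd log. The sample log lines below are constructed;
# the addresses are documentation ranges, not real hosts.

# Print "count address" for each source address with failed password logins,
# most active first. $1 = path of the sshd log file.
failed_logins_by_source() {
    awk '
        /sshd\[[0-9]+\]: Failed password for/ {
            # the source address is the word after "from"
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i + 1)]++; break }
        }
        END { for (ip in n) printf "%d %s\n", n[ip], ip }
    ' "$1" | sort -rn
}

# Print only the addresses at or above the threshold.
# $1 = log file, $2 = threshold (default 5 failures).
flag_dictionary_attacks() {
    failed_logins_by_source "$1" | awk -v t="${2:-5}" '$1 >= t { print $2 }'
}

# Constructed sample of bastion sshd log lines: one legitimate key login, one
# source walking through a list of user names, one user who mistyped once.
sample_auth_log() {
    cat <<'EOF'
Feb 18 22:28:51 bastion sshd[4021]: Accepted publickey for fred from 192.0.2.10 port 50210 ssh2
Feb 18 22:30:02 bastion sshd[4033]: Invalid user admin from 203.0.113.5
Feb 18 22:30:04 bastion sshd[4033]: Failed password for invalid user admin from 203.0.113.5 port 41122 ssh2
Feb 18 22:30:09 bastion sshd[4035]: Failed password for invalid user oracle from 203.0.113.5 port 41130 ssh2
Feb 18 22:30:14 bastion sshd[4037]: Failed password for root from 203.0.113.5 port 41138 ssh2
Feb 18 22:30:19 bastion sshd[4039]: Failed password for invalid user test from 203.0.113.5 port 41144 ssh2
Feb 18 22:30:24 bastion sshd[4041]: Failed password for invalid user guest from 203.0.113.5 port 41150 ssh2
Feb 18 22:30:29 bastion sshd[4043]: Failed password for fred from 203.0.113.5 port 41158 ssh2
Feb 18 22:30:31 bastion sshd[4043]: Connection closed by authenticating user fred 203.0.113.5 port 41158 [preauth]
Feb 18 22:41:10 bastion sshd[4102]: Failed password for fred from 198.51.100.7 port 60111 ssh2
Feb 18 22:41:15 bastion sshd[4102]: Accepted publickey for fred from 198.51.100.7 port 60111 ssh2
EOF
}

# Demo on the constructed log.
log=$(mktemp)
sample_auth_log > "$log"
echo "failed logins per source:"
failed_logins_by_source "$log"
echo "sources at or above 5 failures:"
flag_dictionary_attacks "$log" 5
rm -f "$log"
```

Only "Failed password" lines are counted; the "Invalid user" and "Connection closed" lines for the same attempt are ignored so that one attempt is not counted twice. On a real bastion, point the functions at the sshd log (syslog auth facility) and tune the threshold to the noise level of your own users.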
How to connect through a bastion
You have to connect to a machine inside a network through an ssh bastion. Connections to port 22 of all the machines inside the network are blocked by a firewall and are controlled by the ssh bastion. Without any special configuration you first connect to the bastion, then to the target machine:
laptop> ssh bastion.example.com
Last login: Thu Feb 9 06:58:43 2012 from c-98-227-107-68.hsd1.ca.comcast.net
fred@bastion$ ssh server3.example.com
Last login: Sat Feb 18 22:28:51 2012 from bastion.example.com
You can avoid this two-step process by using the ssh option ProxyCommand:
laptop> ssh -o ProxyCommand='ssh -qa bastion.example.com "nc -w 3600 server3 22"' server3.example.com
Last login: Sat Feb 18 23:32:44 2012 from bastion.example.com
server3>
Of course you don't want to type that command every time you wish to connect to your servers. To make your life easier you can add the following lines to your ~/.ssh/config file; you will then be able to connect directly to your target machine.
Host bastion.example.com
    ProxyCommand none
Host *.example.com
    ProxyCommand ssh -q bastion.example.com "nc -w 3600 %h %p"
Now you can connect directly to the server with plain ssh, without extra arguments and without first logging in to the bastion.
laptop> ssh server3.example.com
Last login: Sat Feb 18 23:38:14 2012 from bastion.example.com
server3>
Changing the default port
To limit the number of robots trying dictionary attacks on port 22, you can configure your bastion to listen on a different port. Edit your bastion's sshd config file /etc/ssh/sshd_config and add the Port directive to set the port, 27027 for example.
Then on your client you just have to add the same Port option in the part of the configuration concerning your bastion.
Host bastion.example.com
    Port 27027
    ProxyCommand none
Configuring access to different networks
If you manage several networks using different credentials, you will need to configure each access to the bastion with its user and identity key.
# configuration for example.com
Host bastion.example.com
    Port 27027
    IdentityFile ~/.ssh/example_id_rsa
    User fred
    ProxyCommand none
Host *.example.com
    ProxyCommand ssh -q bastion.example.com "nc -w 3600 %h %p"

# configuration for mycompany.com
Host gateway.mycompany.com
    Port 27027
    IdentityFile ~/.ssh/mycompany_id_rsa
    User fred
    ProxyCommand none
Host *.mycompany.com
    ProxyCommand ssh -q gateway.mycompany.com "nc -w 3600 %h %p"
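Because ssh_config keeps the first value it obtains for each keyword, the Host bastion.example.com stanza with ProxyCommand none has to come before the Host *.example.com stanza that names it; otherwise a connection to the bastion matches the wildcard first and ssh tries to proxy the bastion through itself. The sh/awk check below is added here and is not part of the original page: it reads a config file and reports every gateway that lacks an earlier direct stanza. The function name and the two sample configs are mine; the samples reuse the host names from the page.

```shell
#!/bin/sh
# Added check (not part of the original page) for the stanza-ordering pitfall
# in the ~/.ssh/config layout above. ssh_config keeps the FIRST value obtained
# for each keyword, so "Host bastion.example.com / ProxyCommand none" must come
# before "Host *.example.com / ProxyCommand ssh -q bastion.example.com ...".
#
# Usage: check_bastion_order ~/.ssh/config   (exit 0 = ok, 1 = misordered)
check_bastion_order() {
    awk '
        # Turn an ssh_config host glob such as "*.example.com" into an anchored regex.
        function glob2re(p,    r) {
            r = p
            gsub(/[.]/, "[.]", r)
            gsub(/\*/, ".*", r)
            gsub(/\?/, ".", r)
            return "^" r "$"
        }
        # Is host h already covered by an earlier "ProxyCommand none" stanza?
        function reached_directly(h,    j) {
            for (j = 1; j <= nd; j++) if (h ~ glob2re(dp[j])) return 1
            return 0
        }
        # A "Host" line opens a new stanza; remember its pattern list.
        tolower($1) == "host" {
            pats = ""
            for (i = 2; i <= NF; i++) pats = pats " " $i
            next
        }
        # "ProxyCommand none": every pattern of this stanza is reached directly.
        tolower($1) == "proxycommand" && tolower($2) == "none" {
            n = split(pats, p, " ")
            for (i = 1; i <= n; i++) dp[++nd] = p[i]
            next
        }
        # "ProxyCommand ssh ... <gateway> ...": the gateway is the first inner
        # ssh argument that is not an option. Flag it when it matches one of
        # the patterns of the current stanza and has no earlier direct stanza.
        tolower($1) == "proxycommand" && $2 == "ssh" {
            gw = ""
            for (i = 3; i <= NF; i++) if ($i !~ /^-/) { gw = $i; break }
            if (gw == "" || reached_directly(gw)) next
            n = split(pats, p, " ")
            for (i = 1; i <= n; i++) {
                if (gw ~ glob2re(p[i])) {
                    printf "line %d: gateway %s matches \"Host %s\" but has no earlier \"ProxyCommand none\" stanza\n", NR, gw, p[i]
                    bad = 1
                }
            }
        }
        END { exit bad }
    ' "$1"
}

# Constructed sample in the order the page uses: bastion stanzas first.
sample_good_config() {
    cat <<'EOF'
# configuration for example.com
Host bastion.example.com
    Port 27027
    ProxyCommand none
Host *.example.com
    ProxyCommand ssh -q bastion.example.com "nc -w 3600 %h %p"
# configuration for mycompany.com
Host gateway.mycompany.com
    ProxyCommand none
Host *.mycompany.com
    ProxyCommand ssh -q gateway.mycompany.com "nc -w 3600 %h %p"
EOF
}

# Constructed sample with the stanzas reversed: the wildcard now captures the
# bastion itself, so ssh would proxy the bastion through the bastion.
sample_bad_config() {
    cat <<'EOF'
Host *.example.com
    ProxyCommand ssh -q bastion.example.com "nc -w 3600 %h %p"
Host bastion.example.com
    ProxyCommand none
EOF
}

# Demo on the two constructed configs.
demo_dir=$(mktemp -d)
sample_good_config > "$demo_dir/good"
sample_bad_config > "$demo_dir/bad"
for f in good bad; do
    if check_bastion_order "$demo_dir/$f"; then
        echo "$f: ok"
    else
        echo "$f: misordered"
    fi
done
rm -rf "$demo_dir"
```

The check only understands the Host / ProxyCommand keywords used on this page; Match blocks and negated patterns are not handled. Run it against ~/.ssh/config after adding a new network to catch the reversed order before the first connection hangs.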
You also want to add the following options to your configuration file.
ServerAliveInterval 30
ForwardX11 yes
ForwardX11Trusted yes
ForwardAgent yes
If you are using X11 you will need to configure ssh to forward the X11 ports using the options ForwardX11 and ForwardX11Trusted. ServerAliveInterval is there to keep your connection to the server alive. And the option ForwardAgent makes your local ssh-agent available on the remote host, so ssh will not ask you for your password every time you connect to a machine.
Always, or whenever you can, use ssh keys. Keys are easy to create and you should have multiple keys. You distribute the public key to grant access. Your key should always be protected by a passphrase. Always protect your private key. Make a secure backup of your keys; you may need to have access to your keys later.
Create a new key
ssh-keygen -b 2048 -f ~/.ssh/id_homerouter_rsa
Copy the following lines into your shell startup file to automatically start the ssh-agent:
SSHAGENT=/usr/bin/ssh-agent
SSHAGENTARGS="-s"
# start an agent only when none is already available, and kill it when the shell exits
if [ -z "$SSH_AUTH_SOCK" -a -x "$SSHAGENT" ]; then
    eval `$SSHAGENT $SSHAGENTARGS`
    trap "kill $SSH_AGENT_PID" 0
fi
When the agent is running you can identify yourself by adding the identity into the agent with ssh-add:
$ ssh-add ~/.ssh/id_homerouter_rsa
Need passphrase for /home/mah/.ssh/id_dsa (email@example.com).
Enter passphrase:
Once you are done, remove your identity from the agent:
$ ssh-add -d ~/.ssh/id_homerouter_rsa