Using SSH with an SSH bastion

Posted by Fred C (W6BSD) on Jan 18 2012

One of the tasks of a system administrator is to secure the machines inside their network. To do so you usually configure access lists on your router to prevent access from the outside. But if all the ports are blocked, the system administrators won't be able to connect to port 22 (ssh) to manage the machines. One solution is to close all the ports except port 22; after all, ssh is known to be secure. The second solution is to keep port 22 closed and have one bastion machine that you connect to before connecting to the servers inside your network. This kind of configuration provides several advantages:

  1. Easier to tighten the security on one machine than on multiple machines
  2. Provides centralized logging and access control
  3. Easier to detect dictionary attacks

How to connect through a bastion

You have to connect to a machine inside a network through an ssh bastion. Connections to port 22 of all the machines inside the network are blocked by a firewall and are only allowed from the ssh bastion. Without any special configuration you need to first connect to the bastion, then to the target machine.

laptop> ssh bastion.example.com
Last login: Thu Feb  9 06:58:43 2012 from c-98-227-107-68.hsd1.ca.comcast.net
fred@bastion$ ssh server3.example.com
Last login: Sat Feb 18 22:28:51 2012 from bastion.example.com

You can avoid this two-step process by using the ssh option ProxyCommand:

laptop> ssh -o ProxyCommand='ssh -q bastion.example.com "nc -w 3600 server3 22"' server3.example.com
Last login: Sat Feb 18 23:32:44 2012 from bastion.example.com
server3>

Of course you don't want to type that command every time you wish to connect to your servers. To make your life easier you can add the following lines to your ~/.ssh/config file, after which you will be able to connect directly to your target machine.

Host bastion.example.com
  ProxyCommand none

Host *.example.com
  ProxyCommand ssh -q bastion.example.com "nc -w 3600 %h %p"

Now you can connect directly to the server with ssh, without extra arguments and without having to log in to the bastion first.

laptop> ssh server3.example.com
Last login: Sat Feb 18 23:38:14 2012 from bastion.example.com
server3>
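
The two stanzas above rely on a rule of ssh_config that the post does not spell out: for each keyword, the first matching Host block wins, so the "ProxyCommand none" stanza for the bastion has to come before the "*.example.com" wildcard, which also matches the bastion. If the order is reversed, ssh tries to reach the bastion by proxying through the bastion itself. The Python below is an added example, not code from the post: a simplified resolver (not OpenSSH's real parser, and ignoring Match blocks and negated patterns) that shows which ProxyCommand each host ends up with.

```python
import fnmatch

# Constructed for this example from the post's own ~/.ssh/config stanzas.
CONFIG = """\
Host bastion.example.com
  Port 27027
  ProxyCommand none

Host *.example.com
  ProxyCommand ssh -q bastion.example.com "nc -w 3600 %h %p"
"""


def parse(text):
    """Return [(host_patterns, {keyword: value}), ...] in file order."""
    blocks, current = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        key = key.lower()  # ssh_config keywords are case-insensitive
        if key == "host":
            current = (value.split(), {})
            blocks.append(current)
        elif current is not None:
            current[1].setdefault(key, value.strip())
    return blocks


def resolve(text, host):
    """Effective options for host: the first matching block to set a keyword wins."""
    opts = {}
    for patterns, kv in parse(text):
        if any(fnmatch.fnmatchcase(host, p) for p in patterns):
            for key, value in kv.items():
                opts.setdefault(key, value)  # keep the earliest value only
    opts.setdefault("port", "22")
    opts.setdefault("proxycommand", "none")
    # ssh substitutes %h (target host) and %p (target port) before running the command
    opts["proxycommand"] = opts["proxycommand"].replace("%h", host).replace("%p", opts["port"])
    return opts


def proxies_through_itself(text, bastion):
    """True when the bastion's own ProxyCommand invokes the bastion (misordered config)."""
    return bastion in resolve(text, bastion)["proxycommand"]
```

With CONFIG as written, resolve(CONFIG, "server3.example.com")["proxycommand"] is the nc relay with %h and %p expanded while the bastion keeps "none"; swapping the two stanzas makes proxies_through_itself(..., "bastion.example.com") return True.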

Changing the default port

To limit the number of robots trying dictionary attacks on port 22, you can configure your bastion to listen on a different port. Edit the sshd config file on your bastion, /etc/ssh/sshd_config, and add the following directive, here setting port 27027 as an example.

Port 27027

Then on your client you just have to add the same Port option to the part of the configuration concerning your bastion.

Host bastion.example.com
  Port 27027
  ProxyCommand none

Configuring access to different networks

If you manage several networks with different credentials, you will need to configure each bastion with its own user and identity key.

# configuration for example.com
Host bastion.example.com
  Port 27027
  IdentityFile ~/.ssh/example_id_rsa
  User fred
  ProxyCommand none

Host *.example.com
  ProxyCommand ssh -q bastion.example.com "nc -w 3600 %h %p"

# configuration for mycompany.com
Host gateway.mycompany.com
  Port 27027
  IdentityFile ~/.ssh/mycompany_id_rsa
  User fred
  ProxyCommand none

Host *.mycompany.com
  ProxyCommand ssh -q gateway.mycompany.com "nc -w 3600 %h %p"

You may also want to add the following options to your configuration file.

ServerAliveInterval 30
ForwardX11 yes
ForwardX11Trusted yes
ForwardAgent yes

If you are using X11 you will need ssh to forward the X11 ports, using the options ForwardX11 and ForwardX11Trusted. The option ServerAliveInterval sends a keep-alive message to the server every 30 seconds so that an idle connection is not dropped. The option ForwardAgent makes your local ssh-agent available on the remote machine, so an ssh from there to another host can use your keys without asking for your passphrase every time. Keep in mind that, while you are connected, root on that remote machine can use the forwarded agent as well, so enable it only for hosts you trust; with the ProxyCommand setup above the bastion only relays the TCP connection and does not need it.

Tips:

Always, or whenever you can, use ssh keys. Keys are easy to create and you should have multiple keys, one per network or purpose as in the configuration above. Distribute only the public key to grant access. Your key should always be protected by a passphrase, and the private key must never leave your control. Make a secure backup of your keys; you may need access to them later.

Create a new key

ssh-keygen -t rsa -b 2048 -f ~/.ssh/id_homerouter_rsa

Using ssh-agent

Copy the following lines into your .profile or .bash_profile to start ssh-agent automatically when you log in.

SSHAGENT=/usr/bin/ssh-agent
SSHAGENTARGS="-s"      # -s: print Bourne-shell style export commands
# Start an agent only if none is already available (SSH_AUTH_SOCK unset)
if [ -z "$SSH_AUTH_SOCK" -a -x "$SSHAGENT" ]; then
  eval `$SSHAGENT $SSHAGENTARGS`
  trap "kill $SSH_AGENT_PID" 0   # stop the agent when this login shell exits
fi

When the agent is running you load your identity into it with ssh-add; the passphrase is asked for once and the agent then answers the key challenges for you.

$ ssh-add ~/.ssh/id_homerouter_rsa
Enter passphrase for /home/fred/.ssh/id_homerouter_rsa:

Once you are done, remove your identity from the ssh-agent (ssh-add -D removes all loaded identities at once).

$ ssh-add -d ~/.ssh/id_homerouter_rsa

More information on ssh can be found on the official OpenSSH site and in its FAQ.
