Task #7601

Setup an SSH jump host

Added by Nico Schottelius over 1 year ago. Updated 6 months ago.

Status: Seen
Priority: Normal
Assignee: -
Target version: -
Start date: 01/13/2020
Due date:
% Done: 0%
Estimated time:
PM Check date:

Description

  • Authenticated against our LDAP
  • Allows user to connect to our IPv6 networks

The ways for users to use it:

  • via ProxyCommand (some might be able to use that)

I've set this up some time ago and it basically needs a restriction on not having a shell.
Ping me before starting on this - I've a 95% solution already.

History

#1

Updated by Timothée Floure over 1 year ago

  • Status changed from New to Seen

#2

Updated by Nico Schottelius over 1 year ago

ProxyCommand w/ Windows exists in PuTTY and usually uses plink - more details soon.

#3

Updated by Timothée Floure about 1 year ago

Nico Schottelius please dump anything you want to say on the subject on this issue. I'll do without next time I go over this issue :-)

#4

Updated by Nico Schottelius about 1 year ago

Very easy:

  • ssh config ("MatchUser != root") disallowing all commands
  • configuring the OS or PAM to authenticate against LDAP (subtree of dc=ungleich,dc=ch)
  • Basically disallowing shell
  • nft rules to allow to jump to 2a0a:e5c0::/29 and 2a09:2940::/29

So from the outside/black box test:

  • ssh -w in ~/.ssh/config with our jump host should work
  • ssh user@jumphost should not work / close the shell
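
One way to write the sshd side of the list above, as an added example (not the project's actual configuration). It assumes OpenSSH, that users reach their targets through ProxyCommand / `ssh -W` stdio forwarding, and a `nologin` binary at `/usr/sbin/nologin`; limiting destinations to the two /29 prefixes stays with the nft rules.

```sshd_config
# /etc/ssh/sshd_config on the jump host (added example, not the project's config)

# Global: hand authentication and account checks to PAM. The LDAP lookup
# itself is configured in the OS/PAM stack, outside sshd.
UsePAM yes

# Everyone except root. A negated pattern never matches by itself,
# so it is paired with the wildcard.
Match User *,!root
    # No interactive session: no terminal, and any shell or exec request
    # runs nologin instead. The path is an assumption; some systems use /sbin/nologin.
    PermitTTY no
    ForceCommand /usr/sbin/nologin

    # Keep only what ProxyCommand / ssh -W needs: client-to-target TCP forwarding.
    AllowTcpForwarding local

    # Features a jump-only account does not need.
    AllowAgentForwarding no
    AllowStreamLocalForwarding no
    X11Forwarding no
    PermitUserRC no
```

Run `sshd -t` to validate the file before reloading the daemon, then repeat the two black-box checks listed above from an outside machine.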

#5

Updated by Timothée Floure 6 months ago

  • Assignee deleted (Timothée Floure)
