Project

General

Profile

Actions

Task #7601

closed

Setup an SSH jump host

Added by Nico Schottelius almost 5 years ago. Updated about 2 years ago.

Status:
Rejected
Priority:
Normal
Assignee:
-
Target version:
-
Start date:
01/13/2020
Due date:
% Done:

0%

Estimated time:
PM Check date:

Description

  • Authenticated against our ldap
  • Allows user to connect to our IPv6 networks

The ways for users to use it:

  • via ProxyCommand (some might be able to use that)

I've setup this some time ago and it basically needs a restriction on not having a shell.
Ping me before starting on this - I've a 95% solution already.

Actions #1

Updated by Timothée Floure almost 5 years ago

  • Status changed from New to Seen
Actions #2

Updated by Nico Schottelius almost 5 years ago

Proxycommand w/ windows exists in putty and usually uses plink - more details soon.

Actions #3

Updated by Timothée Floure over 4 years ago

@Nico Schottelius please dump anything you want to say on the subject on this issue. I'll do without next time I go over this issue :-)

Actions #4

Updated by Nico Schottelius over 4 years ago

Very easy:

  • ssh config ("MatchUser != root") disallowing all commands
  • configuring the OS or PAM to authenticate against ldap (subtree of dc=ungleich,dc=ch)
  • Basically disallowing shell
  • nft rules to allow to jump to 2a0a:e5c0::/29 and 2a09:2940::/29

So from the outside/black box test:

  • ssh -w in ~/.ssh/config with our jump host should work
  • ssh user@jumphost should not work / close the shell
Actions #5

Updated by Timothée Floure almost 4 years ago

  • Assignee deleted (Timothée Floure)
Actions #6

Updated by Nico Schottelius about 2 years ago

  • Status changed from Seen to Rejected

Not much requested - dropping it for the moment

Actions

Also available in: Atom PDF