Setup an SSH jump host
PM Check date:
- Authenticated against our ldap
- Allows user to connect to our IPv6 networks
The ways for users to use it:
- via ProxyCommand (some might be able to use that)
I've setup this some time ago and it basically needs a restriction on not having a shell.
Ping me before starting on this - I've a 95% solution already.
Updated by Timothée Floure about 2 years ago
- Status changed from New to Seen
- I am familiar with LDAP-backed auth with nslcd.
- ProxyCommand is standard for SSH bastions, it is even available on windows with Putty: https://fedora-infra-docs.readthedocs.io/en/latest/sysadmin-guide/sops/sshaccess.html#putty-ssh-configuration
- What do you mean by 'some might be able to use that' ?
Updated by Nico Schottelius over 1 year ago
- ssh config ("MatchUser != root") disallowing all commands
- configuring the OS or PAM to authenticate against ldap (subtree of dc=ungleich,dc=ch)
- Basically disallowing shell
- nft rules to allow to jump to 2a0a:e5c0::/29 and 2a09:2940::/29
So from the outside/black box test:
- ssh -w in ~/.ssh/config with our jump host should work
- ssh user@jumphost should not work / close the shell