Actions
Task #7601
closedSetup an SSH jump host
Status:
Rejected
Priority:
Normal
Assignee:
-
Target version:
-
Start date:
01/13/2020
Due date:
% Done:
0%
Estimated time:
PM Check date:
Description
- Authenticated against our ldap
- Allows user to connect to our IPv6 networks
The ways for users to use it:
- via ProxyCommand (some might be able to use that)
I've setup this some time ago and it basically needs a restriction on not having a shell.
Ping me before starting on this - I've a 95% solution already.
Updated by Timothée Floure almost 5 years ago
- Status changed from New to Seen
- I am familiar with LDAP-backed auth with nslcd.
- ProxyCommand is standard for SSH bastions, it is even available on windows with Putty: https://fedora-infra-docs.readthedocs.io/en/latest/sysadmin-guide/sops/sshaccess.html#putty-ssh-configuration
- What do you mean by 'some might be able to use that' ?
Updated by Nico Schottelius almost 5 years ago
Proxycommand w/ windows exists in putty and usually uses plink - more details soon.
Updated by Timothée Floure over 4 years ago
@Nico Schottelius please dump anything you want to say on the subject on this issue. I'll do without next time I go over this issue :-)
Updated by Nico Schottelius over 4 years ago
Very easy:
- ssh config ("MatchUser != root") disallowing all commands
- configuring the OS or PAM to authenticate against ldap (subtree of dc=ungleich,dc=ch)
- Basically disallowing shell
- nft rules to allow to jump to 2a0a:e5c0::/29 and 2a09:2940::/29
So from the outside/black box test:
- ssh -w in ~/.ssh/config with our jump host should work
- ssh user@jumphost should not work / close the shell
Updated by Timothée Floure almost 4 years ago
- Assignee deleted (
Timothée Floure)
Updated by Nico Schottelius about 2 years ago
- Status changed from Seen to Rejected
Not much requested - dropping it for the moment
Actions