A built-in way to implement a bastion host is the ProxyCommand option of OpenSSH. The proxy command tells the ssh client how to connect to the ssh server.
Setting up ProxyCommand is straightforward and only requires an SSH server exposed to the internet (the bastion host).
An ssh server exposed to the internet should never, ever have any authentication method besides public key authentication enabled. Not only is this much more secure, it also allows fine-grained access control via
The users on the bastion host have the sole responsibility of executing netcat (`nc`) to the backend systems. These very restricted permissions allow the use of a single technical user account on the bastion host. Using a single, restricted user has the advantage that this user can be locked down very easily, e.g. by creating a chroot with only netcat installed.
The example implementation is a script on the bastion host that is run as an SSH forced command. Operators connect to backend systems with a client configuration like this:
```
# ~/.ssh/config
Host app-server.proxy
    User admin
    ProxyCommand ssh -q -l sshgw bastion.example.org "nc app-server:22"

Host db.proxy
    User admin
    ProxyCommand ssh -q -l sshgw bastion.example.org "nc db-server:22"
```
Running `ssh db.proxy` would ssh to `bastion.example.org` as user `sshgw`. There it would execute netcat, and the final SSH connection is then established from the client, through the SSH session to the bastion host, through the netcat pipe, and on to the db-server.
ProxyCommand is best used together with a forced-command script on the bastion host.
Forced Command Script on Bastion
All proxy commands are executed by a single user (`sshgw`). This user has the following `authorized_keys` file:
```
# ~sshgw/.ssh/authorized_keys
no-port-forwarding,no-pty,no-X11-forwarding,command="/opt/sshgw/sshgw alice" ssh-rsa AAAAB...1234== Alice, Laptop key
no-port-forwarding,no-pty,no-X11-forwarding,command="/opt/sshgw/sshgw alice" ssh-rsa AAAAB...5678== Alice, Workstation key
no-port-forwarding,no-pty,no-X11-forwarding,command="/opt/sshgw/sshgw bob" ssh-rsa AAAAB...abcd== Bob, Workstation key
```
Note that Alice has two public keys that allow her to log in; both force the same command with her user name as argument.
This is `/opt/sshgw/sshgw`:
- Executable by user `sshgw`
- `$1`: name of the user, passed from the forced command in `authorized_keys`
WORK IN PROGRESS
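The page does not yet contain the script itself. The following is an added example of how such a forced-command script can be written; it is not the page's `/opt/sshgw/sshgw`. It assumes the client sends `nc <host>:<port>` as in the `~/.ssh/config` above, that the user name arrives as `$1` from `authorized_keys`, and that a per-user allow-list lives under `/opt/sshgw/acl/<user>` (a hypothetical path; the embedded sample allow-list is constructed for illustration). The script refuses anything that is not exactly `nc <host>:<port>`, checks the target against the user's allow-list, logs the decision, and only then execs netcat, so the `sshgw` account can never be used to run anything else.

```shell
#!/bin/sh
# Hypothetical forced-command script for the bastion host (added example,
# not the page's own /opt/sshgw/sshgw). Installed as /opt/sshgw/sshgw and
# invoked from authorized_keys as: command="/opt/sshgw/sshgw alice"
#
# Assumptions (not stated on the page):
#   - per-user allow-lists live in /opt/sshgw/acl/<user>, one "host port"
#     pair per line (SSHGW_ACL_DIR overrides the directory)
#   - the client sends "nc <host>:<port>" as in the ~/.ssh/config above

set -eu

ACL_DIR="${SSHGW_ACL_DIR:-/opt/sshgw/acl}"
LOG_TAG="sshgw"

# Constructed sample allow-list, used only when no ACL file exists for the
# user (e.g. when this file is exercised outside the bastion). Format:
# "<user> <host> <port>".
SAMPLE_ACL='alice app-server 22
alice db-server 22
bob app-server 22'

# Log via syslog when available, otherwise to stderr.
log() { logger -t "$LOG_TAG" "$*" 2>/dev/null || echo "$LOG_TAG: $*" >&2; }

# Return 0 when <user> may reach <host> <port>, 1 otherwise.
acl_allows() {
    user=$1; host=$2; port=$3
    if [ -r "$ACL_DIR/$user" ]; then
        grep -qxF "$host $port" "$ACL_DIR/$user"
    else
        printf '%s\n' "$SAMPLE_ACL" | grep -qxF "$user $host $port"
    fi
}

# Parse "nc <host>:<port>" and print "<host> <port>". Returns 1 for anything
# else: option flags, shell metacharacters, extra arguments, missing port.
parse_request() {
    req=$1
    case "$req" in
        "nc "*) target=${req#nc } ;;
        *) return 1 ;;
    esac
    host=${target%%:*}
    port=${target#*:}
    # host: plain hostname characters only; port: digits only
    case "$host" in
        ''|*[!A-Za-z0-9.-]*) return 1 ;;
    esac
    case "$port" in
        ''|*[!0-9]*) return 1 ;;
    esac
    # reject anything that did not split cleanly into exactly host:port
    [ "$target" = "$host:$port" ] || return 1
    printf '%s %s\n' "$host" "$port"
}

# Entry point: $1 is the user name passed from authorized_keys; the client's
# requested command arrives in SSH_ORIGINAL_COMMAND.
sshgw_main() {
    user=${1:-}
    case "$user" in
        ''|*[!a-z0-9_-]*) log "bad user argument"; exit 1 ;;
    esac
    req=${SSH_ORIGINAL_COMMAND:-}
    if ! target=$(parse_request "$req"); then
        log "user=$user denied: malformed request '$req'"
        exit 1
    fi
    set -- $target   # split "host port" into $1 and $2
    if ! acl_allows "$user" "$1" "$2"; then
        log "user=$user denied: $1:$2 not in allow-list"
        exit 1
    fi
    log "user=$user connect $1:$2"
    exec nc "$1" "$2"
}

# Dispatch only when running as the installed forced command; otherwise the
# functions above stay callable for testing.
case "${0##*/}" in
    sshgw) sshgw_main "$@" ;;
esac
```

The parsing step is what makes the design safe: the script never hands `SSH_ORIGINAL_COMMAND` to a shell, it rebuilds the netcat invocation from the two validated tokens, so a request such as `nc app-server:22; id` is rejected before any allow-list lookup. Denials are logged with the user name from `authorized_keys` rather than anything the client supplied, which keeps the audit trail on the bastion trustworthy.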