monkyz/linux_ssh_bastion

## linux_ssh_bastion
source article:
http://backdrift.org/transparent-proxy-with-ssh

Creating a transparent SSH tunnel through a bastion host using the ProxyCommand configuration parameter
Tags: linux, ssh, unix

Like most users out there (I think) my systems are usually configured to allow ssh connections from a small handfull of trusted hosts or a bastion host. This is decent security practice but is a total pain when you want to scp a file or grab the stdout of a command from a host outside the trusted area. Or perhaps you have a number of hosts on a private subnet and only one routable host to get in through. I was able to set up a method which allows for transparent access to a host while behind the scenes tunneling through a trusted bastion host involving some pretty minor adjustments to the .ssh/config file.

Here’s how it works:

A connection is established to the bastion host

+-------+            +--------------+
|  you  | ---ssh---> | bastion host |
+-------+            +--------------+
Bastion host runs netcat to establish a connction to the target server

+--------------+                +--------+
| bastion host | ----netcat---> | server |
+--------------+                +--------+
Your client then connects through the netcat tunnel and reaches the target server

+-----+                  +--------------+                +--------+
| you |                  | bastion host |                | server |
|     | ===ssh=over=netcat=tunnel======================> |        |
+-----+                  +--------------+                +--------+
So there are 3 basic steps:

1. Ssh to bastion host.
2. Run netcat command on bastion host.
3. Connect to netcat tunnel.

Here’s how it works with ssh:

#~/.ssh/config

Host superchunk.example.org
	ProxyCommand  ssh user@bastion.example.org nc %h %p
Above we tell ssh that when it establishes a connection to superchunk.example.org to do so using the stdin/stdout of the ProxyCommand as a transport. The ProxyCommand then tells the system to first ssh to our bastion host and open a netcat connection to host %h (hostname supplied to ssh) on port %p (port supplied to ssh).

The result is a connection as if you were connecting from a trusted host:

$ ssh superchunk.example.org
Password:
user@superchunk.example.org's password:
Last login: Wed Jun 25 12:05:47 2008 from 10.0.0.221
[user@superchunk ~]$
Now you may be wondering why it prompted me for two passwords. This is because we are effectively sshing into two systems one right after the other. This can be resolved through the use of pre-shared ssh keys or with more advanced methods such as kerberos ticket forwarding.

[ad#adsense-inline1]

-------------------------------------------------------------------------------------------------------
4 Responses to “Creating a transparent SSH tunnel through a bastion host using the ProxyCommand configuration parameter”
Dave Seleno Says:
August 12th, 2010 at 5:29 pm
This is an elegant solution, thank you for it.

Do you happen to know if there are any SFTP GUI clients for Linux or Mac which support all of the necessary options in ~/.ssh/config? It appears CyberDuck supports a few options, but not the ProxyCommand option.

[Reply]

brad Says:
September 22nd, 2010 at 12:54 am
why do you need netcat at all? ssh -L should be sufficient or not?

[Reply]

Delicious Bookmarks for July 27th through July 29th « Lâmôlabs Says:
July 29th, 2011 at 9:16 pm
[...] Creating a transparent SSH tunnel through a bastion host using the ProxyCommand configuration parame… – July 29th ( tags: ssh tunnel proxy proxycommand howto guide tutorial transparent ) [...]

David B Says:
November 8th, 2011 at 12:51 pm
OpenSSH 5.4 and above have netcat built in.

Just do “ProxyCommand ssh -W %h:%p user@bastion.example.org” instead.
	source article:
	http://backdrift.org/transparent-proxy-with-ssh

	Creating a transparent SSH tunnel through a bastion host using the ProxyCommand configuration parameter
	Tags: linux, ssh, unix

	Like most users out there (I think) my systems are usually configured to allow ssh connections from a small handfull of trusted hosts or a bastion host. This is decent security practice but is a total pain when you want to scp a file or grab the stdout of a command from a host outside the trusted area. Or perhaps you have a number of hosts on a private subnet and only one routable host to get in through. I was able to set up a method which allows for transparent access to a host while behind the scenes tunneling through a trusted bastion host involving some pretty minor adjustments to the .ssh/config file.

	Here’s how it works:

	A connection is established to the bastion host

	+-------+ +--------------+
	\| you \| ---ssh---> \| bastion host \|
	+-------+ +--------------+
	Bastion host runs netcat to establish a connction to the target server

	+--------------+ +--------+
	\| bastion host \| ----netcat---> \| server \|
	+--------------+ +--------+
	Your client then connects through the netcat tunnel and reaches the target server

	+-----+ +--------------+ +--------+
	\| you \| \| bastion host \| \| server \|
	\| \| ===ssh=over=netcat=tunnel======================> \| \|
	+-----+ +--------------+ +--------+
	So there are 3 basic steps:

	1. Ssh to bastion host.
	2. Run netcat command on bastion host.
	3. Connect to netcat tunnel.

	Here’s how it works with ssh:

	#~/.ssh/config

	Host superchunk.example.org
	ProxyCommand ssh user@bastion.example.org nc %h %p
	Above we tell ssh that when it establishes a connection to superchunk.example.org to do so using the stdin/stdout of the ProxyCommand as a transport. The ProxyCommand then tells the system to first ssh to our bastion host and open a netcat connection to host %h (hostname supplied to ssh) on port %p (port supplied to ssh).

	The result is a connection as if you were connecting from a trusted host:

	$ ssh superchunk.example.org
	Password:
	user@superchunk.example.org's password:
	Last login: Wed Jun 25 12:05:47 2008 from 10.0.0.221
	[user@superchunk ~]$
	Now you may be wondering why it prompted me for two passwords. This is because we are effectively sshing into two systems one right after the other. This can be resolved through the use of pre-shared ssh keys or with more advanced methods such as kerberos ticket forwarding.

	[ad#adsense-inline1]

	-------------------------------------------------------------------------------------------------------
	4 Responses to “Creating a transparent SSH tunnel through a bastion host using the ProxyCommand configuration parameter”
	Dave Seleno Says:
	August 12th, 2010 at 5:29 pm
	This is an elegant solution, thank you for it.

	Do you happen to know if there are any SFTP GUI clients for Linux or Mac which support all of the necessary options in ~/.ssh/config? It appears CyberDuck supports a few options, but not the ProxyCommand option.

	[Reply]

	brad Says:
	September 22nd, 2010 at 12:54 am
	why do you need netcat at all? ssh -L should be sufficient or not?

	[Reply]

	Delicious Bookmarks for July 27th through July 29th « Lâmôlabs Says:
	July 29th, 2011 at 9:16 pm
	[...] Creating a transparent SSH tunnel through a bastion host using the ProxyCommand configuration parame… – July 29th ( tags: ssh tunnel proxy proxycommand howto guide tutorial transparent ) [...]

	David B Says:
	November 8th, 2011 at 12:51 pm
	OpenSSH 5.4 and above have netcat built in.

	Just do “ProxyCommand ssh -W %h:%p user@bastion.example.org” instead.