@xandout
Created May 1, 2020 12:45
SSH via Bastion

Disclaimer

⚠️ This guide does NOT use individual SSH keys (one per server), which is the recommended practice for security. It also does not show the use of password-protected keys; you should password-protect your keys.

Definitions

  • Bastion server: Sometimes called a "jump server", this server is reachable from your laptop. Sometimes the bastion server is protected by a VPN, sometimes not, but it should always have a firewall. This is essentially your front door. Always lock your doors.

  • SSH Agent: This is a program that runs on your laptop and keeps your SSH private keys loaded in memory. Start it with eval $(ssh-agent)

  • SSH Keys: These consist of 2 parts
    • Private key: This is the file with many lines of text, which looks like a rectangle. This file should be protected and never exposed to the world. If it is ever compromised, you should create new keys and dispose of the old ones.

      • Example: the file starts with the line -----BEGIN OPENSSH PRIVATE KEY-----, is followed by many lines of base64 text, and ends with -----END OPENSSH PRIVATE KEY-----
    • Public key: This file will be called something like my_key_name.pem.pub. The contents are one long line, starting with ssh-rsa. This is not sensitive data, hence the name "public". You can freely share this data without compromising security. This file should be copied to the bastion and private server(s) and appended to /home/the-user-you-ssh-in-as/.ssh/authorized_keys

      • Example
      ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC6HXOrlWaXs2l7jFBBf4lBekVXROt3UgqADJfN5asu66p6V+vI+3VsxxE39Va4Kg/G0YHQAqRjs8UIhNoQFz7L4aiDvVSunP5Auh2Y6pEiz/zIWm+Ha0GxSPWPNoNMPU0ScT/G9haX1HW8dlGZ6dND7iRDfV/lk74Dw7UV6H me@my-laptop
      

      Notice the me@my-laptop portion: this value can be modified at will and is used to clearly identify the key.

  • SSH Config: this file exists on your laptop, typically located at ~/.ssh/config
    • Example
    Host bastion-server
      Hostname 123.456.789.000
    
    Host private-server
      Hostname 192.168.0.1
      ProxyJump bastion-server
    

Configuration

In order for your laptop to access the private-server you need to perform the following steps.

  1. Generate SSH keys

    ssh-keygen -t rsa -b 4096 -C "me@my-laptop" -f ~/.ssh/bastion-example.pem

    This will create a new SSH key, with the key comment (the -C value) set to me@my-laptop. The private key will be ~/.ssh/bastion-example.pem, the public key ~/.ssh/bastion-example.pem.pub

  2. Assuming you are using EC2, ensure that AWS has your public key, and use that key when you provision the bastion server and the private server.

    You should use different keys for the bastion and the private servers, but in this example I am not.

  3. On your laptop, add the following to your ~/.ssh/config

    Host bastion-server
      # AWS EC2 EIP or Public IP
      Hostname 123.456.789.000
      IdentityFile ~/.ssh/bastion-example.pem
      User ubuntu

    Host private-server
      # AWS Private IP
      Hostname 192.168.0.1
      # Bastion name defined in this file, or IP/FQDN
      ProxyJump bastion-server
      IdentityFile ~/.ssh/bastion-example.pem
      User ubuntu


    This defines your bastion and your private server. Notice that the private server uses the bastion server's name for ProxyJump.

  4. Load the SSH keys into memory on your laptop

    eval $(ssh-agent) # This only needs to be run once per shell (tab in terminal). You can add this to your ~/.bashrc or ~/.bash_profile if you want. I do.

    ssh-add -k ~/.ssh/bastion-example.pem


    This should load the private key created in step 1 (or an existing key) into memory. You can confirm this with the ssh-add -l command.

    root@18c2414b12b2:/# eval $(ssh-agent)
    Agent pid 4076
    root@18c2414b12b2:/# ssh-add -k ~/.ssh/bastion-example.pem
    Identity added: /root/.ssh/bastion-example.pem (/root/.ssh/bastion-example.pem)
    root@18c2414b12b2:/# ssh-add -l
    4096 SHA256:J4pJTKFZ4CJYg8ahbs6BTA6WrmSTyS5UukXKbvGm7ek /root/.ssh/bastion-example.pem (RSA)
    root@18c2414b12b2:/#

  5. Attempt to SSH to the bastion from your laptop

    ssh bastion-server
    

    Note that I am using the name we defined in ~/.ssh/config.

    You should be logged into your bastion if everything is working correctly.

    # Logout of bastion
    exit
    
  6. Attempt to log in to your private server from your laptop

    ssh private-server
    

    Note, firstly, that I run this from my laptop, NOT FROM THE BASTION; secondly, that I use the name defined in ~/.ssh/config.

    If everything worked, you are now logged into your private server
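As an added example (not part of the gist), here is a small Python resolver for the ~/.ssh/config from step 3: it applies ssh's rule that the first matching Host block wins for each keyword, follows ProxyJump from private-server back to the bastion to produce the hop order shown in the conclusion, and refuses a ProxyJump loop instead of hanging. It handles only plain keyword/value lines and `*`/`?` patterns (no Match, Include or `!` negation); SAMPLE_CONFIG is a constructed copy of the step 3 config.

```python
from fnmatch import fnmatch

# Constructed copy of the step 3 config (whole-line comments, which every OpenSSH accepts).
SAMPLE_CONFIG = """\
Host bastion-server
  # AWS EC2 EIP or Public IP
  Hostname 123.456.789.000
  IdentityFile ~/.ssh/bastion-example.pem
  User ubuntu

Host private-server
  Hostname 192.168.0.1
  ProxyJump bastion-server
  IdentityFile ~/.ssh/bastion-example.pem
  User ubuntu
"""

def parse_config(text):
    """Host blocks in file order as (patterns, {keyword: value}) pairs."""
    blocks = [(["*"], {})]  # options before the first Host line apply to every host
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # ssh_config comments are whole lines
            continue
        keyword, value = (line.split(None, 1) + [""])[:2]
        if keyword.lower() == "host":
            blocks.append((value.split(), {}))
        else:  # within a block the first occurrence of a keyword wins
            blocks[-1][1].setdefault(keyword.lower(), value.strip())
    return blocks

def resolve(blocks, host):
    """Effective options for host: like ssh, the first matching block wins per keyword."""
    opts = {}
    for patterns, kv in blocks:
        if any(fnmatch(host, p) for p in patterns):
            for k, v in kv.items():
                opts.setdefault(k, v)
    return opts

def jump_chain(blocks, host):
    """Hops in connection order, e.g. ['bastion-server', 'private-server']."""
    chain = []
    while host is not None:
        if host in chain:  # a ProxyJump cycle would otherwise loop forever
            raise ValueError(f"ProxyJump loop through {host}")
        chain.append(host)
        host = resolve(blocks, host).get("proxyjump")
    return chain[::-1]
```

On a real machine, `ssh -G private-server` prints the options the actual client resolved for that host and is the authoritative check.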

Conclusion

If the above steps are followed and functioning, you will now be able to access your private server(s) via your bastion. Your private servers do not need EIPs or Public IPs. Keep in mind that your SSH, SCP and Ansible tasks will go through your bastion, which may make communications slower.

me@my-laptop -> bastion-server -> private-server