SSH through jump box more secure? - SSH



Thread: SSH through jump box more secure?

  1. SSH through jump box more secure?

    A couple of fellow computer geeks and I were discussing some proposed
    changes to how people/processes access servers within the DMZ. The
    proposed solution involved routing all SSH access through a set of
    jump box servers. From there you could then ssh wherever you need to
    go. These servers also allow you to tunnel your traffic through to a
    server on the inside. They also allow you to set up ssh key pairs so
    that you do not have to enter a username/password during each hop. My
    initial concern is that this new policy is going to break many of the
    existing processes which are working with direct ssh access to all the
    target hosts. They assured me that any commands I run today will work
    when going through the new jump boxes.

    My overall response to this change wasn't very positive. To me it
    seems like it's a lot of changes to dozens of scripts with no real
    benefit or added security. There also seem to be some flaws in how
    the implementation is being proposed. They essentially have left it up
    to each user to work out for themselves how to manage setting up the
    ssh tunnels. From what I have seen so far most people are hard coding
    these tunnels to specific ports. For a small set of tests/users this
    probably works well. However, what happens when you end up with
    different groups of users who clobber each other's attempts to set up
    the ssh tunnels? Granted you could solve this problem with code, but
    it seems like a hack to me...

    Back to the basic question of this post, what is the added security
    here? So now you have one box (or a set) to go through...so what? If
    I can do all the same actions I once could, what added security is
    being employed? Since most of the processes we are talking about here
    use service accounts to operate, none of them are tied to an
    individual. I agree with the approach for individual users, but for
    automated processes it just doesn't seem to make sense. Have any of
    you run into this problem before?


    -Inet

  2. Re: SSH through jump box more secure?

    On Mon, 28 Jul 2008 19:12:32 -0700, inetquestion wrote:

    > However, what happens when you end up with different groups of users who
    > clobber each other's attempts to set up the ssh tunnels? Granted you
    > could solve this problem with code, but it seems like a hack to me...

    What types of tunnels are being built? I'm envisioning all the
    listen()ing being on the "local" side (i.e. the "outside box"). Aren't
    these personal machines, and doesn't that make collisions unlikely?

    Or are people using -R tunnels?

    What about skipping tunnels and going to a real VPN approach (via the -w
    option)?

    - Andrew
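Both posts turn on the same practical point: hard-coded forward ports collide, and -L forwards listen on each user's own machine while -R forwards listen on the shared jump box, where every user's hard-coded port competes with everyone else's. The script below is an added example (not code from either poster) that derives a stable per-user, per-target port instead of hard-coding one, builds the -L and -R command lines from it, and shows the no-tunnel alternative that OpenSSH 7.3 and later provide with -J (ProxyJump). The host names, the reserved port range and the service account name are hypothetical.

```shell
#!/bin/sh
# Added example: stable per-user/per-target tunnel ports for scripts that
# go through a jump box, so different users and groups do not clobber each
# other's forwards. Hosts, port range and user names are hypothetical.

PORT_BASE=20000   # assumed range 20000-39999 reserved for tunnel listeners
PORT_SPAN=20000

# tunnel_port USER TARGET_HOST TARGET_PORT
# Hash the (user, target host, target port) triple with POSIX cksum and map
# the CRC into the reserved range. The same inputs always yield the same
# port, so a script recomputes it rather than hard-coding it, and different
# users' scripts land on different ports without a central registry.
tunnel_port() {
    crc=$(printf '%s@%s:%s' "$1" "$2" "$3" | cksum | cut -d' ' -f1)
    echo $((PORT_BASE + crc % PORT_SPAN))
}

# build_local_cmd USER JUMP TARGET_HOST TARGET_PORT
# Local (-L) forward: the listener is on the user's own machine, so the only
# possible collisions are between that user's own scripts; the derived port
# keeps those apart as well. Connect to 127.0.0.1:<port> afterwards.
build_local_cmd() {
    lport=$(tunnel_port "$1" "$3" "$4")
    echo "ssh -N -L ${lport}:${3}:${4} ${1}@${2}"
}

# build_remote_cmd USER JUMP LOCAL_PORT
# Remote (-R) forward: the listener is on the shared jump box, which is where
# hard-coded ports from different users actually collide. Deriving the port
# from the user and the service being exposed avoids that.
build_remote_cmd() {
    rport=$(tunnel_port "$1" "$2" "$3")
    echo "ssh -N -R ${rport}:localhost:${3} ${1}@${2}"
}

# build_jump_cmd USER JUMP TARGET_HOST
# No forwarded port at all: -J (ProxyJump, OpenSSH >= 7.3) opens the session
# to the target through the jump box, so an existing "ssh host cmd" keeps
# working once "-J jump" is added, with no port bookkeeping to collide on.
build_jump_cmd() {
    echo "ssh -J ${1}@${2} ${1}@${3}"
}

# Demonstration with constructed names (a service account, a jump box and a
# database host inside the DMZ).
build_local_cmd svc-batch jump.example.com db1.dmz.example 5432
build_remote_cmd svc-batch jump.example.com 8080
build_jump_cmd svc-batch jump.example.com db1.dmz.example
```

The -J form is the one that answers the original "my scripts will break" worry most directly: a command that today reads `ssh db1.dmz.example cmd` becomes `ssh -J jump.example.com db1.dmz.example cmd`, or, with `ProxyJump jump.example.com` set for `Host *.dmz.example` in `~/.ssh/config`, stays unchanged. Forwards are then needed only for non-SSH protocols, and the derived port keeps those from stepping on each other.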
