Gateway host configuration - SSH



Thread: Gateway host configuration

  1. Gateway host configuration

    I would like to give a limited set of users ssh access to specific
    internal hosts, from arbitrary external systems, via a gateway host.
    A setup I came up with is:

    * On GW host, have one (or more) gw accounts with a password.
    * For every ssh user, in GW account on GW host:
    ** create a passphrase-protected key
    ** On each host they need to connect to:
    *** copy key to their authorized_keys file

    Each user should only be able to ssh into the GW host, then ssh to
    one of their allowed hosts by specifying their keyfile.

    Questions:
    - Can I forbid password authentication from the GW host to the
    internal hosts, but still allow it between two internal hosts? It
    doesn't seem that PasswordAuthentication can appear in a Match
    section.
    - Can I forbid port forwarding to/from the GW, or at least require
    use of a key rather than the password?
    - Is this whole approach pointless, and should I be doing something
    completely different? The need is for a reasonably simple procedure
    with as little as possible required on the remote end; it's acceptable
    to need setup and preparation on the GW and/or internal systems.

    Thanks for any suggestions.

  2. Re: Gateway host configuration

    I am assuming OpenSSH in the following.

    On 2007-09-06, craner@haskins.yale.edu wrote:
    > I would like to give a limited set of users ssh access to specific
    > internal hosts, from arbitrary external systems, via a gateway host.
    > A setup I came up with is:
    >
    > * On GW host, have one (or more) gw accounts with a password.
    > * For every ssh user, in GW account on GW host:
    > ** create a passphrase-protected key
    > ** On each host they need to connect to:
    > *** copy key to their authorized_keys file
    >
    > Each user should only be able to ssh into the GW host, then ssh to
    > one of their allowed hosts by specifying their keyfile.
    >
    > Questions:
    > - Can I forbid password authentication from the GW host to the
    > internal hosts, but still allow it between two internal hosts? It
    > doesn't seem that PasswordAuthentication can appear in a Match
    > section.

    It can, but it was only added in version 4.6. Which version are you
    using?

    > - Can I forbid port forwarding to/from the GW, or at least require
    > use of a key rather than the password?

    Set "AllowTcpForwarding no" in the gateway's sshd_config.

    > - Is this whole approach pointless, and should I be doing something
    > completely different? The need is for a reasonably simple procedure
    > with as little as possible required on the remote end; it's acceptable
    > to need setup and preparation on the GW and/or internal systems.

    If your gateway host supports it you could also use user-based packet
    filter rules to restrict where your users can connect to, for example
    "user " rules in PF or --uid-owner rules in iptables.

    This would control all outgoing (and incoming) connections not just
    those made by ssh.

    > Thanks for any suggestions.

    You're welcome.

    --
    Darren Tucker (dtucker at zip.com.au)
    GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
    usually comes from bad judgement.
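
The following Python script is an added illustration and is not part of the thread, nor code from either poster or from OpenSSH. It embeds constructed sshd_config fragments of the kind the reply points to (a Match block on the internal hosts that turns PasswordAuthentication off for connections arriving from the gateway, and AllowTcpForwarding no on the gateway), resolves them the way sshd applies them (first occurrence of a keyword wins within a section, Match values override the global section), and checks the two questions asked above. The addresses 192.0.2.10, 10.0.0.5 and 203.0.113.7, the user name "alice", and the config text are constructed placeholders; only the Address and User criteria of Match are modelled.

```python
"""Model how sshd applies the settings discussed in this thread.

Added example, not from the thread. The sshd_config fragments, addresses and
user names below are constructed placeholders.
"""
import ipaddress
import re

# Constructed: internal host accepts passwords from other internal hosts but
# refuses them from the gateway (192.0.2.10 is a placeholder gateway address).
# Match-scoped PasswordAuthentication needs OpenSSH 4.6 or later.
INTERNAL_SSHD_CONFIG = """\
PasswordAuthentication yes
AllowTcpForwarding yes

# Sessions hopping through the gateway must use a key
Match Address 192.0.2.10
    PasswordAuthentication no
"""

# Constructed: the gateway refuses TCP forwarding for everyone.
GATEWAY_SSHD_CONFIG = """\
PasswordAuthentication yes
AllowTcpForwarding no
"""


def parse_sshd_config(text):
    """Split sshd_config into the global section and its Match blocks.

    Returns (global_opts, [(criteria, opts), ...]) with lowercase keywords.
    Within a section the first occurrence of a keyword wins, as in sshd.
    """
    global_opts, matches = {}, []
    current = global_opts
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            current = {}
            matches.append((value, current))
        else:
            current.setdefault(key, value)
    return global_opts, matches


def criteria_match(criteria, client_ip, user):
    """Evaluate a Match line for one client; supports Address and User only."""
    tokens = criteria.split()
    for kind, patterns in zip(tokens[::2], tokens[1::2]):
        kind, patterns = kind.lower(), patterns.split(",")
        if kind == "address":
            ip = ipaddress.ip_address(client_ip)
            if not any(ip in ipaddress.ip_network(p, strict=False) for p in patterns):
                return False
        elif kind == "user":
            if user not in patterns:
                return False
        else:
            raise ValueError("unsupported Match criterion: " + kind)
    return True


def effective_settings(text, client_ip, user):
    """Settings sshd would apply to a connection from client_ip as user.

    Global values are set first; the first matching Match block to mention a
    keyword supplies its value, and Match values override the global section.
    """
    global_opts, matches = parse_sshd_config(text)
    match_opts = {}
    for criteria, opts in matches:
        if criteria_match(criteria, client_ip, user):
            for key, value in opts.items():
                match_opts.setdefault(key, value)
    effective = dict(global_opts)
    effective.update(match_opts)
    return effective


def supports_match_password_auth(version_banner):
    """PasswordAuthentication inside a Match block needs OpenSSH 4.6 or later."""
    m = re.search(r"(\d+)\.(\d+)", version_banner)
    if not m:
        raise ValueError("no version number in " + repr(version_banner))
    return (int(m.group(1)), int(m.group(2))) >= (4, 6)


def password_auth_blocked_from_gateway(internal_cfg, gateway_ip, peer_ip, user="alice"):
    """Question 1: passwords refused from the gateway, still accepted from a peer."""
    via_gw = effective_settings(internal_cfg, gateway_ip, user)
    via_peer = effective_settings(internal_cfg, peer_ip, user)
    return (via_gw.get("passwordauthentication", "").lower() == "no"
            and via_peer.get("passwordauthentication", "").lower() == "yes")


def forwarding_disabled(cfg, client_ip="203.0.113.7", user="alice"):
    """Question 2: AllowTcpForwarding is off for this client."""
    return effective_settings(cfg, client_ip, user).get("allowtcpforwarding", "").lower() == "no"


if __name__ == "__main__":
    print("4.7 supports Match PasswordAuthentication:", supports_match_password_auth("OpenSSH_4.7p1"))
    print("internal host refuses GW passwords:",
          password_auth_blocked_from_gateway(INTERNAL_SSHD_CONFIG, "192.0.2.10", "10.0.0.5"))
    print("gateway forwarding disabled:", forwarding_disabled(GATEWAY_SSHD_CONFIG))
```

Check the server banner (for example with `ssh -v`) before deploying the Match block: an sshd older than 4.6 rejects PasswordAuthentication inside Match and will refuse to start on that config, which is why the reply asks which version is in use.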
