3

I'm testing a security setup to lock down access to some external facing servers by setting up a gateway server. This means everyone will now have to ssh to the gateway server before sshing to an external server.

So far the setup has users logging onto the gateway server as a communal (admin) user using their own ssh-key and passwords disabled. Then sshing to an external server as this communal user.

What I'm looking for is a way to automate the initial ssh hop so a user can type ssh <external server> and the first ssh is set up for them in some fashion (ssh tunnel/bash alias?).

What would be the best method, if it's even possible, to achieve this?

2 Answers

2

Putty.

In order to do just a straight ssh, you can run this with vbs:

    ' Launch PuTTY in a visible window (window style 1) with the given key
    Dim ShellRun
    Set ShellRun = WScript.CreateObject("WScript.Shell")
    ShellRun.Run """C:\Program Files\PuTTY\putty.exe"" -ssh username@server -i ssh.key", 1

If the username will be the same as their windows login, you can use %USERNAME%

If you want to setup something with tunneling (like if you need to tunnel through the gateway), it would look like this:

    ' Same launch, but with a local port forward (-L) through the gateway
    Dim ShellRun
    Set ShellRun = WScript.CreateObject("WScript.Shell")
    ShellRun.Run """C:\Program Files\PuTTY\putty.exe"" -ssh username@server -i ssh.key -L 22:xxx.xxx.xxx.xxx:22", 1

Without knowing how you have everything configured, I can't give an exact answer. But you can set it up so that you SSH with tunneling into the gateway and then run SSH on the tunnel through to where you need to be after. You can actually put that all in one script if you want.

I've had to use instances like this where our main SSH server is on an access list for a router, but my computer is not, so I have to tunnel through the SSH server first and then SSH to the router. The router sees it as an SSH from the first SSH server and not my computer.

7
  • @MaQleod We're running *nix machines here but the config doesn't seem very different. How would I force the ssh connection to go over the tunnel, rather than its normal route? Commented Mar 17, 2011 at 16:28
  • When you create the tunnel, it makes 127.0.0.1 equal to the address you used when you set up the tunnel. So the first SSH will go to the gateway and will create the tunnel, you'd use the tunnel rule -L 22:xxx.xxx.xxx.xxx:22. The IP address you use there will be the IP of the destination SSH server. You will then open a new ssh session to 127.0.0.1:22 and it will use the tunnel you created. Commented Mar 17, 2011 at 16:50
  • If you are going to do this in bash, or really any other scripting language, you can make the destination IP a variable that is fed by an argument given on the command line for this script. That way you just need to type a command with an IP and you will get your tunnel and your connection all at once (just create the tunnel in the script with the first ssh instance and the second instance goes to the loopback IP) and you can then use the same script on any computer to go to any server. Commented Mar 17, 2011 at 17:22
  • Just to clarify - I'd open the tunnel to the gateway like so: ssh -N -L 22:<gateway>:22 then ssh to the destination with ssh 127.0.0.1:22? So far using this method the tunnel appears to set up fine but the second ssh is timing out (I'm using verbose mode to check). Commented Mar 18, 2011 at 10:47
  • No, you would open it up like ssh user@gateway -N -R 22:destination:22 (sorry, I use -L as that is for PuTTY; on Unix the port forward is -R) and then for the destination ssh you would use the local host address (ssh user@127.0.0.1) Commented Mar 18, 2011 at 14:17
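The comments above describe a script that takes the destination as an argument, opens a forward through the gateway with one ssh, and runs a second ssh to the loopback address. The script below is an added example of that procedure (it is not MaQleod's code or anything from the original thread). It assumes placeholder values for the gateway host, the communal user and the key path, which you would replace with your own. It differs from the comments in two ways a defender will care about: it binds an unprivileged local port rather than 127.0.0.1:22 (port 22 needs root and usually collides with the local sshd), and it sets HostKeyAlias so the second hop's host key is checked under the destination's name instead of under "[127.0.0.1]:port", which would otherwise let any server reachable on that loopback port be accepted after the first connection. It also shows the equivalent single command with ProxyJump (-J, OpenSSH 7.3 and later), which needs no listening port at all.

```shell
#!/bin/sh
# Added example, not from the original thread.
# Usage: ./sshhop.sh <destination-host> [remote-user]
# Placeholders (assumptions, not from the question): gateway.example.com,
# communal user "admin", key ~/.ssh/gateway_key. Override via environment.
GATEWAY_HOST="${GATEWAY_HOST:-gateway.example.com}"
GATEWAY_USER="${GATEWAY_USER:-admin}"
GATEWAY_KEY="${GATEWAY_KEY:-$HOME/.ssh/gateway_key}"

# Only accept hostname-like destinations so a malformed argument cannot
# smuggle extra ssh options or shell syntax into the commands below.
valid_dest() {
    case "$1" in
        ''|*[!A-Za-z0-9.-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Deterministic unprivileged port in 20000-29999 derived from the destination,
# so each destination gets its own loopback port and no root is needed.
local_port_for() {
    sum=$(printf '%s' "$1" | cksum | cut -d' ' -f1)
    echo $((20000 + sum % 10000))
}

# First hop: forward 127.0.0.1:<port> on this machine to <dest>:22 as seen
# from the gateway. -N runs no remote command, -f backgrounds after auth,
# ExitOnForwardFailure makes a busy port a hard error instead of a silent one.
tunnel_cmd() {
    printf 'ssh -f -N -o ExitOnForwardFailure=yes -i %s -L 127.0.0.1:%s:%s:22 %s@%s' \
        "$GATEWAY_KEY" "$2" "$1" "$GATEWAY_USER" "$GATEWAY_HOST"
}

# Second hop over the forward. HostKeyAlias stores and checks the server key
# under the destination's name rather than "[127.0.0.1]:<port>".
hop_cmd() {
    printf 'ssh -p %s -o HostKeyAlias=%s %s@127.0.0.1' "$2" "$1" "$3"
}

# Equivalent single command with ProxyJump: ssh connects to the gateway and
# tunnels the destination session inside it, with no local listening port.
proxyjump_cmd() {
    printf 'ssh -J %s@%s %s@%s' "$GATEWAY_USER" "$GATEWAY_HOST" "$2" "$1"
}

main() {
    dest="$1"; user="${2:-$GATEWAY_USER}"
    valid_dest "$dest" || { echo "usage: $0 <destination-host> [remote-user]" >&2; return 2; }
    port=$(local_port_for "$dest")
    # Arguments are passed directly (no eval), mirroring the strings above.
    ssh -f -N -o ExitOnForwardFailure=yes -i "$GATEWAY_KEY" \
        -L "127.0.0.1:$port:$dest:22" "$GATEWAY_USER@$GATEWAY_HOST" || return 1
    ssh -p "$port" -o "HostKeyAlias=$dest" "$user@127.0.0.1"
}

# Run only when invoked with arguments, so the functions can also be sourced.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

With the script saved as sshhop.sh, `./sshhop.sh db1.example.net alice` performs both hops; `tunnel_cmd`, `hop_cmd` and `proxyjump_cmd` print the exact commands so you can compare them with what the comments describe. Note that the backgrounded first ssh keeps the forward open after the session ends; on a shared gateway account, prefer the ProxyJump form so no long-lived loopback listener remains for other local users to reach.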
0

It would be difficult to somehow forward all requests to the gateway AND have the gateway server sense which server was intended for access without some fairly intricate infrastructure changes.

Perhaps a script placed in the gateway server's /etc/bashrc would be appropriate for this? For example, the person would ssh , and then once logged on the script would present them with a small menu akin to "Press 1 for server X. Press 2 for server Y," et cetera.
