14 Jan

Using OpenSSH ProxyJump


Hello and welcome to today's video presentation on using ProxyJump to securely hop through your network. In this video we will cover the usage of ProxyJump, ssh keys, and connecting securely through a bastion or jump host server. So let's get started.

The bastion or jump host server is expected to be a hardened server which is located between different security zones. These zones might be part of your company DMZ, your home network, or a VPN. Jump host servers limit their threat surface by several means. These include restricting the number of open ports, using ssh, deploying a firewall, and regular or automated patching.

ProxyJump is an option introduced in OpenSSH version 7.3. You can define it in your ssh config file or on the command line using -J. If you need to hop across multiple intermediate jump hosts, you separate them using a comma.

For this demo we will be using a simple 3 node network. We have the client node with an address of 192.168.1.100, the jump host node with dual NICs on addresses 192.168.1.1 and 192.168.2.1, and an internal server node on address 192.168.2.200. The jump host sits between the two networks and acts as the default route for each network. Port forwarding remains disabled on the jump host so network traffic does not flow between the 192.168.1.x and 192.168.2.y networks.

Now that we have covered the network topology, open a terminal and connect to the client node. The demo environment we are using today utilizes Vagrant and VirtualBox, which we have already deployed. So to connect to the client node, type vagrant ssh client from the demo project directory. vagrant ssh takes an option of machine name or id in multi-machine deployments to connect to specific machines. Now that we are connected to the client as the vagrant user, use su to switch over to the opc user for the rest of this demo.

Before we start, let's demonstrate that we cannot directly connect from one network to the other. Perform a ping to 192.168.2.200. You will see that no response is returned. Type ctrl-c to cancel the ping and return to your prompt.

Since we want to use passwordless login, create an RSA-based ssh key pair using the command ssh-keygen -t rsa. Accept the default key name and location and hit enter. For the passphrase we will use a simple password of oracle. You should not use something as simple in your real-world environments. Hit enter. Enter the passphrase of oracle again to confirm and hit enter. Our key has been created.

Push key to bastion

Next we want to push the key to our bastion jump host. Type ssh-copy-id opc@192.168.1.1 and hit enter. Type yes to accept the bastion jump host key. Type the password for your opc user. Your ssh public key will be securely copied over to the bastion jump host. As a side note for this demo, the sshd server on the bastion and server nodes has PasswordAuthentication set to yes; otherwise ssh-copy-id fails to connect.

Verify you can connect to the bastion from the client by typing ssh opc@192.168.1.1. You will be prompted for your ssh key passphrase. Enter oracle as before and hit enter. You will see you connected based on the changed hostname shown in the prompt. Type exit to return to the client. Clear the screen.

Start and add key to agent

To avoid having to type the passphrase each time, we can add the key and its passphrase to our client's ssh-agent. First start the agent by typing eval `ssh-agent -s`. Type ssh-add and enter the passphrase of oracle for your key. The identity will be added to your ssh-agent. Try connecting to the bastion as before. This time you will not be prompted for your passphrase, as it will be supplied by the ssh-agent.

On the client, create an ssh config file in .ssh in your home directory to contain your host-specific ssh connection options. To do this, type vi .ssh/config to open the file for editing. We will create two entries, with each section belonging to a different host and each line in that section being a different ssh option. Once the changes are made, exit and save the file by typing Escape and then :wq!. Change permissions on the config file using chmod 600 ~/.ssh/config and hit enter.

Now that we have defined our internal server connection in the config file to use the bastion jump host with the ProxyJump option, we can add our public key to the server. Type ssh-copy-id opc@192.168.2.200. Just as before you will be prompted to accept the host key and need to provide the password for the opc account. Remember that ssh-copy-id uses user password authentication when copying the keys over to the target machine. Once the key is copied, you can test the connection. Type ssh server. ssh will use the config file to pass in the User, Port, ProxyJump and other options. You are now connected directly from the client node to the server node via a single bastion hop.

In this video we created our ssh key, set up the ssh agent, and then traversed the network through a jump host to our server. Using ProxyJump allows us to make direct connections to our servers while ssh handles the secure hops. Thank you for watching and I hope you enjoyed this video.

To find additional resources on Oracle Linux please check out:
Our Oracle Linux Curriculum at http://education.oracle.com/linux
Oracle Cloud Infrastructure at http://cloud.oracle.com
And additional training on Oracle Linux on Oracle Cloud Infrastructure at https://bit.ly/2pfqzUM
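The narration describes the two-entry ssh config file but never shows its contents. The following is an added example written for this page (it is not the video's own file or part of the demo project) of what that config looks like, together with the equivalent command-line form using -J. It assumes the demo's addresses and the opc user, takes the config directory as a parameter so it can be exercised against a scratch directory, and makes the server entry match the bare IP as well as the alias so that ssh-copy-id opc@192.168.2.200 also hops through the bastion, as the narration relies on. The hop list builder generalizes to several intermediate jump hosts, joined with commas as the video mentions.

```shell
#!/bin/sh
# Added example: the ~/.ssh/config the demo describes and the matching -J
# command line. Not the video's own files; "$1" is the config directory so
# the functions can be run against a scratch location.

# Write the bastion and server entries to "$1/config".
# "Host server 192.168.2.200" matches both the alias and the bare IP, so
# "ssh server" and "ssh-copy-id opc@192.168.2.200" both hop via the bastion.
write_ssh_config() {
    dir="$1"
    mkdir -p "$dir"
    cat > "$dir/config" <<'EOF'
# Jump host: reachable directly from the client on the 192.168.1.x network
Host bastion
    HostName 192.168.1.1
    User opc
    Port 22
    IdentityFile ~/.ssh/id_rsa

# Internal server: only reachable through the bastion
Host server 192.168.2.200
    HostName 192.168.2.200
    User opc
    Port 22
    IdentityFile ~/.ssh/id_rsa
    ProxyJump bastion
EOF
    # ssh rejects a config file that other users can write to
    # ("Bad owner or permissions"), so keep it owner-only.
    chmod 600 "$dir/config"
}

# Print the ProxyJump value for a host name in "$1/config", or nothing.
# Matches any name listed on a Host line exactly (no wildcard patterns);
# keywords are compared case-insensitively, as ssh does.
proxyjump_for() {
    awk -v want="$2" '
        tolower($1) == "host" {
            hit = 0
            for (i = 2; i <= NF; i++) if ($i == want) hit = 1
        }
        hit && tolower($1) == "proxyjump" { print $2 }
    ' "$1/config"
}

# True when "$1/config" has mode 0600 exactly (find -perm without a
# +/- prefix requires an exact match).
config_is_private() {
    [ -n "$(find "$1/config" -perm 600 2>/dev/null)" ]
}

# Build the command-line form. The last argument is the destination;
# every argument before it is a hop, joined with commas in order.
proxyjump_cmdline() {
    hops=""
    target=""
    for arg in "$@"; do
        if [ -n "$target" ]; then
            hops="${hops:+$hops,}$target"
        fi
        target="$arg"
    done
    printf 'ssh -J %s %s\n' "$hops" "$target"
}

# Stand-alone run: build the config in a scratch directory and show both forms.
tmp=$(mktemp -d)
write_ssh_config "$tmp"
echo "ProxyJump for server: $(proxyjump_for "$tmp" server)"
proxyjump_cmdline opc@192.168.1.1 opc@192.168.2.200
proxyjump_cmdline opc@192.168.1.1 opc@192.168.2.1 opc@192.168.2.200
rm -rf "$tmp"
```

On a real client, write the file into ~/.ssh instead of a scratch directory; ssh -G server then prints every option ssh resolved for that alias, which is a quick way to confirm the ProxyJump line is being picked up before running ssh-copy-id.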
