From a7befa86e9f786180cedd70a4870fc5a38c2bb9d Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Thu, 18 Jan 2024 13:12:30 -0800 Subject: [PATCH] sshaccess: some improvements ProxyJump is better than ProxyCommand because the ssh connection is completely encrypted to the bastion host. Also mention that you can use ssh keys with FIDO tokens if you are only connecting to Fedora and RHEL9+ hosts. Signed-off-by: Kevin Fenzi --- modules/sysadmin_guide/pages/sshaccess.adoc | 23 ++++++++------------- 1 file changed, 9 insertions(+), 14 deletions(-) diff --git a/modules/sysadmin_guide/pages/sshaccess.adoc b/modules/sysadmin_guide/pages/sshaccess.adoc index 9a5a7a1..c151808 100644 --- a/modules/sysadmin_guide/pages/sshaccess.adoc +++ b/modules/sysadmin_guide/pages/sshaccess.adoc @@ -42,6 +42,8 @@ process once you do have valid and appropriate shell access to a machine. 1. Generate a ssh keypair on your local machine if you don't already have one. run: 'ssh-keygen -t ed25519' Make sure you enter a strong passphrase you can remember or have stored in a password manager. +If you are only going to connect to RHEL9+ and Fedora machines, you can also use +a ecdsa_sk key with a FIDO2 hardware device. 2. Setup your local client ssh config + @@ -67,7 +69,7 @@ Host bastion.fedoraproject.org ForwardAgent no VerifyHostKeyDNS yes Host *.iad2.fedoraproject.org *.qa.fedoraproject.org 10.3.160.* 10.3.161.* 10.3.163.* 10.3.165.* 10.3.167.* 10.3.171.* *.vpn.fedoraproject.org - ProxyCommand ssh -W %h:%p bastion.fedoraproject.org + ProxyJump bastion.fedoraproject.org Host batcave01 HostName %h.iad2.fedoraproject.org .... 
@@ -163,12 +165,13 @@ line instead: ProxyCommand ssh -q bastion.fedoraproject.org exec nc %h %p .... -== How does ssh ProxyCommand work? +== How does ssh ProxyJump work? -ProxyCommand configures OpenSSH to use your fas username to access -bastion.fedoraproject.org directly, and then in turn to use -bastion.fedoraproject.org as a proxy to all the other listed -hosts. +The ProxyJump command creates a normal ssh connection using your +fas username to connect to bastion.fedoraproject.org. Then, it forwards +a port over this connection from your client directly to the remote +host. This second connection is a fully encrypted ssh connection, +meaning the bastion host cannot see anything going over it. A connection is established to the bastion host: @@ -178,14 +181,6 @@ A connection is established to the bastion host: +-------+ +--------------+ .... -Your client runs the proxy command on the bastion server to connect to the target: - -.... -+--------------+ +--------+ -| bastion host | -------> | server | -+--------------+ +--------+ -.... - Your client then connects through the Bastion and reaches the target server: ....
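Review bot: in the hunk at @@ -42,6 +42,8 @@ the added key type is misspelled: ssh-keygen calls it `ecdsa-sk` (hyphen, not underscore), and "a ecdsa_sk key" should read "an ecdsa-sk key". Since the line just above gives the reader the exact command 'ssh-keygen -t ed25519', do the same here, e.g. `ssh-keygen -t ed25519-sk` (or `-t ecdsa-sk`); ed25519-sk keeps the advice consistent with the ed25519 recommendation one line up. It would also help to state why the restriction to RHEL9+ and Fedora exists (the sshd you authenticate to has to support the FIDO/sk key types) and that this includes bastion.fedoraproject.org, because with the ProxyJump configuration later in this patch the hardware-backed key must be accepted by the bastion as well as the final host.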
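Review bot: in the hunk at @@ -67,7 +69,7 @@ the replacement is fine, but the rationale given in the commit message does not distinguish it from the line being removed: `ProxyCommand ssh -W %h:%p bastion.fedoraproject.org` already carries a full end-to-end ssh session to the target inside a forwarded channel, and `ProxyJump` is OpenSSH's documented shorthand for exactly that ProxyCommand. The honest justification for this line is readability and that no helper program has to exist or run on the bastion, which is also what separates it from the `ProxyCommand ssh -q bastion.fedoraproject.org exec nc %h %p` fallback kept for old clients at line 165; consider saying that instead of "completely encrypted".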
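Review bot: in the hunk at @@ -163,12 +165,13 @@ the new explanation overstates what the bastion cannot see and is loose about the mechanism. ProxyJump is a configuration option, not a command, and it does not forward a port in the `-L` sense: the client opens a direct-tcpip channel through its session to bastion.fedoraproject.org, pointed at the target's ssh port, and runs a second, complete SSH handshake inside that channel. The bastion therefore sees which host and port you connect to, plus the timing and volume of the inner session, and its sshd must permit TCP forwarding to that destination; what it cannot see is the plaintext. Suggested wording: `The ProxyJump option opens a normal ssh connection to bastion.fedoraproject.org using your fas username, then opens a forwarded channel through it to the target host's ssh port and runs a second ssh connection inside that channel. The bastion relays only ciphertext: it can see which host and port you reach, but not the contents.` The nc-based line retained a few lines above for old clients works the same way (the SSH protocol runs end to end through nc), so one sentence saying so would keep the renamed section consistent with that fallback.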
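Review bot: in the hunk at @@ -178,14 +181,6 @@ deleting the middle diagram drops a hop that still exists: with ProxyJump the bastion's sshd still opens a TCP connection to the target on the client's behalf for the forwarded channel, it just no longer does so by running a command. Relabel the figure rather than removing it, e.g. `The bastion's sshd opens a TCP connection to the target for the forwarded channel:` above the unchanged `| bastion host | -------> | server |` box, so the three-step picture (client to bastion, bastion to server, client through bastion to server) stays complete. The original caption also still describes the `exec nc %h %p` fallback kept at line 165 for old clients, which is another reason to keep a bastion-to-server step in the diagram.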