sshaccess: some improvements
ProxyJump is better than ProxyCommand because the ssh connection is completely encrypted to the bastion host. Also mention that you can use ssh keys with FIDO tokens if you are only connecting to Fedora and RHEL9+ hosts.

Signed-off-by: Kevin Fenzi <kevin@scrye.com>
This commit is contained in:
parent a5a2fbe128
commit a7befa86e9
1 changed files with 9 additions and 14 deletions
|
@ -42,6 +42,8 @@ process once you do have valid and appropriate shell access to a machine.
|
||||||
1. Generate a ssh keypair on your local machine if you don't already have one.
|
1. Generate a ssh keypair on your local machine if you don't already have one.
|
||||||
run: 'ssh-keygen -t ed25519'
|
run: 'ssh-keygen -t ed25519'
|
||||||
Make sure you enter a strong passphrase you can remember or have stored in a password manager.
|
Make sure you enter a strong passphrase you can remember or have stored in a password manager.
|
||||||
|
If you are only going to connect to RHEL9+ and Fedora machines, you can also use
|
||||||
|
a ecdsa_sk key with a FIDO2 hardware device.
|
||||||
|
|
||||||
2. Setup your local client ssh config
|
2. Setup your local client ssh config
|
||||||
+
|
+
|
||||||
|
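Review bot: the added line in this hunk spells the key type `ecdsa_sk`, but OpenSSH's key type is `ecdsa-sk` (with a hyphen), so a reader copying it into `ssh-keygen -t` gets an unknown-key-type error. Suggest `an ecdsa-sk key with a FIDO2 hardware device.` and, to parallel the ed25519 step above, a matching `run: 'ssh-keygen -t ecdsa-sk'` line so the reader sees the exact command; the FIDO key path still prompts for a passphrase and needs the token present at connect time, which is worth one sentence since the passphrase advice above applies to it too.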
@ -67,7 +69,7 @@ Host bastion.fedoraproject.org
|
||||||
ForwardAgent no
|
ForwardAgent no
|
||||||
VerifyHostKeyDNS yes
|
VerifyHostKeyDNS yes
|
||||||
Host *.iad2.fedoraproject.org *.qa.fedoraproject.org 10.3.160.* 10.3.161.* 10.3.163.* 10.3.165.* 10.3.167.* 10.3.171.* *.vpn.fedoraproject.org
|
Host *.iad2.fedoraproject.org *.qa.fedoraproject.org 10.3.160.* 10.3.161.* 10.3.163.* 10.3.165.* 10.3.167.* 10.3.171.* *.vpn.fedoraproject.org
|
||||||
ProxyCommand ssh -W %h:%p bastion.fedoraproject.org
|
ProxyJump bastion.fedoraproject.org
|
||||||
Host batcave01
|
Host batcave01
|
||||||
HostName %h.iad2.fedoraproject.org
|
HostName %h.iad2.fedoraproject.org
|
||||||
....
|
....
|
||||||
|
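Review bot: the `ProxyCommand ssh -W %h:%p bastion.fedoraproject.org` → `ProxyJump bastion.fedoraproject.org` swap in this hunk is behaviour-preserving (ProxyJump is the built-in form of the `-W` stdio forward), so the change is fine; since the document keeps an nc-based ProxyCommand fallback further down ("line instead"), it would help to state here that ProxyJump needs a reasonably current OpenSSH client and that the fallback is only for clients without it, so readers do not mix both options in the same Host block. The `ForwardAgent no` and `VerifyHostKeyDNS yes` context lines are the right companions to this and should stay next to it.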
@ -163,12 +165,13 @@ line instead:
|
||||||
ProxyCommand ssh -q bastion.fedoraproject.org exec nc %h %p
|
ProxyCommand ssh -q bastion.fedoraproject.org exec nc %h %p
|
||||||
....
|
....
|
||||||
|
|
||||||
== How does ssh ProxyCommand work?
|
== How does ssh ProxyJump work?
|
||||||
|
|
||||||
ProxyCommand configures OpenSSH to use your fas username to access
|
The ProxyJump command creates a normal ssh connection using your
|
||||||
bastion.fedoraproject.org directly, and then in turn to use
|
fas username to connect to bastion.fedoraproject.org. Then, it forwards
|
||||||
bastion.fedoraproject.org as a proxy to all the other listed
|
a port over this connection from your client directly to the remote
|
||||||
hosts.
|
host. This second connection is a fully encrypted ssh connection,
|
||||||
|
meaning the bastion host cannot see anything going over it.
|
||||||
|
|
||||||
A connection is established to the bastion host:
|
A connection is established to the bastion host:
|
||||||
|
|
||||||
|
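Review bot: the new explanation says ProxyJump "forwards a port over this connection from your client directly to the remote host", which is imprecise: the client asks the bastion for a forwarding channel to the target's host:port (the same `%h:%p` the old `-W` line passed) and runs a second, separate ssh handshake through that channel. Suggest rewording along those lines, and qualifying "the bastion host cannot see anything going over it" to "cannot see the contents", since the bastion still learns which host and port are being reached; the old sentence that the bastion acts as the proxy for all the listed hosts was dropped and is worth keeping as the lead-in.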
@ -178,14 +181,6 @@ A connection is established to the bastion host:
|
||||||
+-------+ +--------------+
|
+-------+ +--------------+
|
||||||
....
|
....
|
||||||
|
|
||||||
Your client runs the proxy command on the bastion server to connect to the target:
|
|
||||||
|
|
||||||
....
|
|
||||||
+--------------+ +--------+
|
|
||||||
| bastion host | -------> | server |
|
|
||||||
+--------------+ +--------+
|
|
||||||
....
|
|
||||||
|
|
||||||
Your client then connects through the Bastion and reaches the target server:
|
Your client then connects through the Bastion and reaches the target server:
|
||||||
|
|
||||||
....
|
....
|
||||||
|
|
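Review bot: this hunk deletes the middle diagram and the sentence "Your client runs the proxy command on the bastion server to connect to the target", but that step still describes the `ProxyCommand ssh -q bastion.fedoraproject.org exec nc %h %p` fallback the document keeps in the earlier hunk. Suggest retaining a one-line version of it under the fallback section (or noting there that ProxyJump needs no helper process on the bastion) so the remaining two diagrams, bastion connection followed by the through-connection to the target, match both configurations the page still documents.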