Bastion Host: Implementing ACL with user group and permission
 

Hi Everyone,

I have an question about implementing ACL based on user groups on bastion host. Recently my boss has asked me to find out the solution about implementing ACL based on user groups.

Scenario

Lets say there are three user groups:

1. Web Developer
2. System Administrator
3. Database Admin

This is how it would be connected via internet using SSH:

Users ----->>--Bastion Host --->>----Server(s) [(Web)|(Database)|(ftp)]

How it should work?

For example;
UserA who belongs to Web Developer group should be able to connect only web server and its service only via SSH.

UserA who belongs to Database Admin should be able to connect only to database server only via SSH.

He wants "Bastion Host" to allow/deny based on group roles and permission.

Is there any method where i can achieve this?

Thanks in advance

There's not really an easy way if any are still playing around on Windows, which is a very big liability these days. On all other options, the easy way is to use the ProxyJump option in ssh_config. It's also available as a runtime argument -J

https://www.openssh.com/txt/release-7.3

See the manual page for details or various write ups on proxies and jump hosts / bastion hosts. If you use either ProxyJump (-J) or stdio forwarding (-W), you do not need to grant shell access on the jump host. Though you do need to allow login. That apparent contradiction can be solved by sending the SSH client to the background prior to the execution of the remote program (-f), maybe also at the same time as just plain prevention of using any programs at all (-N). If you are using keys, then this can be specified in the bastion / jump host account's authorized_keys file as well to force the issue automatically.

As for the allow or deny, the bastion can have a Match block in the sshd configuration selecting by Group.

An after thought, if you are talking about only port forwarding from the client machines to the internal machines behind the bastion / jump host, then you do not need the options above. In that case you are looking at just port forwarding via a single intermediary host. I haven't seen restrictions like you are talking about but you might be able to do something with the iptables-extensions --gid-owner in iptables because at the SSH server level forwarding is either all on or all the way off. Your designers are probably on GNU/Linux or OS X. Any playing around with Windows will, again, be a liability here.

Hi,

Thanks for the response. Yeah, I have configured my Bastion Host in CentOS 7. It will be helpful what to use to achieve the above stated scenario?

Regards

Tashi

CentOS 7 has OpenSSH 6.6p if I understand correctly. That should be adequate.

However, the real question is what is on the clients. If you want shells on the internal machines, then OpenSSH 7.3 or higher is best. If you are just going to do port forwarding, then it does not matter so much.

Which scenario are you following? Can you give a little more detail?

well my scenario is exactly the same as this posted by one of the user, but answer seems to be not clear so i had to re-post.



I want to create a bastion host between a corporate network and a network management network that would look like the following:
User A uses PuTTY to connect to Bastion Host on TCP/2001 (ssh listening here) and the bastion host redirects to a Telnet (TCP/23) connection to old non-ssh capable device (Host X).
All commands that User A issues is recorded on the bastion host (psacct)
User B uses PuTTY to connect to Bastion Host on TCP/2002 (same ssh process as above is also listening here) and the bastion host redirects to a Telnet (TCP/23) connection to old non-ssh capable device (Host Y).
All commands that User B issues is recorded on the bastion host (psacct)

It would be real nice to have a simple configuration file that just says:
Bastion Host port 2001 = remote host X port 23
Bastion Host port 2002 = remote host Y port 23
User A authorized Host X & Host Y
User B authorized Host Y only.

Anyone know of anything that does this? If so, or have any ideas - would greatly appreciate.

Your system can do that, there is no monolith.

Like I said, Windows is a big liability here and not just because of the security shortcomings. You really need to have them upgrade to Linux Mint or CentOS or even OS X, really anything modern will do. However we'll ignore that for now, minus Windows, what you describe is easy ...

Established best practices for connecting on SSH these days requires use of keys. The public key on the bastion host can contain a forced command. Set that command to telnet hostx 23 for user A. For user B, set theirs to telnet hosty 23. See the manual page for sshd in the section "AUTHORIZED_KEYS FILE FORMAT" for the details.

Steps:

1) make accounts for users A and B on the bastion

2) set up key based authentication for said users

2a) set up read-only keys if that is needed

3) modify keys in authorized_keys to force commands for said users

See the references in the earlier posts.

psacct should pick that much up, but probably won't pick up the contents of the Telnet session. If you are talking about logging the contents of the Telnet session itself, then you can use script, called from each user's key.

It's been a while since I've looked at telnet so I can't recall if it can escape to the shell. If so then you'll want to use a restricted shell like rbash. That would be step 4.

Is there any web links where i can get the reference to configure this??

Regards

Yes. I've included all the links, except for the manual pages. You'll have to read the manual pages for sshd_config, sshd, and the above wikibook chapter sections.

SSH Keys are the simple way to do this and if they do enough for you then that is what is recommended, however it isn't enough then you can also use outbound rules in iptables to do this, not familiar if firewalld supports it tho and firewalld is default for CentOS 7.

I believe in iptables you can do this: iptables -A OUTPUT -p tcp --dport 22 -d <destination address> -m owner --uid-owner <user> -j ACCEPT

you'd need to carefully configure the whole OUTPUT chain if you went this far tho, but it is an option. Again there maybe a firewalld method to do it but I am not overly familiar with firewalld. Consider this the far more paranoid way of doing it, would still recommend using SSH Keys if you did set this up anyways.

Hi Everyone,

This post is continuation to above stated post with clear picture on WHAT I WANT TO ACHIEVE??.

Connection Overview (All are running in Oracle Virtual Box)
-----------------------------------------------------------
1. BastionHost
Operating System: CentOS7
enp0s8: 10.10.10.11/24
enp0s9: 20.20.20.11/24
User: bastionuser

2. Webserver
Operating System: CentOS7
enp0s3: 10.10.10.12/24
User: webuser

3. Fileserver
Operating System: CentOS7
enp0s3: 10.10.10.13/24
User: user1

4. TestClient (Considered as Internet User)
Operating System: CentOS7
enp0s3: 20.20.20.15/24
User: client1

Logical Diagram
----------------

TestClient(20.20.20.15) ===>> (20.20.20.11)BastionHost(10.10.10.11) ===> Virtual Switch LAN ===> Webserver(10.10.10.12) / Fileserver(10.10.10.13)

Manual connection (ssh)
------------------------

From "TestClient" (Internet), to connect host "Webserver" or "Fileserver" on the LAN, first ssh to "BastionHost" and from BastionHost again ssh to "Webserver"/"Fileserver".


How it should work?

For example;

"Webuser" who belongs to Web Developer group should be able to connect only web server and its service only via SSH.

User1 who belongs to Database Admin should be able to connect only to file server only via SSH.

He wants "Bastion Host" to allow/deny based on group roles and permission.

Is there any method where i can achieve this?

OR
===

Like:

Doing ssh to BastionHost using ssh webuser@bastion will connect to "Webserver" and ssh to BastionHost using ssh user1@bastion will connect to "Fileserver"...


Thanks

Tashi

Yes, but from what I recall CentOS 7 has an old, almost outdated version of OpenSSH (6.6.1p). As such it lacks the ProxyJump (-J) option so you will have to do it the old way with ProxyCommand and stdio forwarding. See Old Methods of Passing Through Jump Hosts in the Wikibook on OpenSSH for a walkthrough.

As far as using the bastion host to allow or deny users, see the manual page for sshd_config:

In particular see Match and AllowGroups.

You may have to deal with the groups on the destination machines themselves and not the bastion.

Hi,

I have got following "ProxyCommand" configured in my From "TestClient" machine i tried doing "ssh" as follows but seems not working:
I tried with IP address:
To testing purpose i tried using following which seems working:
Any mistakes with my ProxyCommand?

I used https://en.wikibooks.org/wiki/OpenSS...ugh_Jump_Hosts as reference.

Thanks

Yes, it looks like a colon : is missing from your ProxyCommand between %h and %p.

Testing the middle part also, can you connect to the bastion with ssh bastion alone?

Here is the corrected one:

Still the issue is same:

[root@localhost ~]# ssh fileserver
ssh: Could not resolve hostname fileserver: Name or service not known
[root@localhost ~]#

[root@localhost ~]# ssh 10.10.10.13
ssh: connect to host 10.10.10.13 port 22: No route to host
[root@localhost ~]#

I can connect bastion using IP Address, can't connect using "ssh bastion" it says "ssh: Could not resolve hostname bastion: Name or service not known"

What is the purpose of following line:

IdentityFile /home/bastionuser/.ssh/machine1_e25519