Bastion Host: Implementing ACL with user group and permission
Hi Everyone,

I have a question about implementing ACL based on user groups on a bastion host. Recently my boss has asked me to find out a solution for implementing ACL based on user groups.

Scenario: let's say there are three user groups:
1. Web Developer
2. System Administrator
3. Database Admin

This is how it would be connected via the internet using SSH:

Users ----->>-- Bastion Host --->>---- Server(s) [(Web)|(Database)|(ftp)]

How should it work? For example, UserA who belongs to the Web Developer group should be able to connect only to the web server and its service, only via SSH. UserA who belongs to the Database Admin group should be able to connect only to the database server, only via SSH. He wants the "Bastion Host" to allow/deny based on group roles and permissions.

Is there any method where I can achieve this? Thanks in advance
There's not really an easy way if any are still playing around on Windows, which is a very big liability these days. On all other options, the easy way is to use the ProxyJump option in ssh_config. It's also available as a runtime argument -J.

https://www.openssh.com/txt/release-7.3
Code:
* ssh(1): Add a ProxyJump option and corresponding -J command-line

As for the allow or deny, the bastion can have a Match block in the sshd configuration selecting by Group.
An afterthought: if you are talking about only port forwarding from the client machines to the internal machines behind the bastion / jump host, then you do not need the options above. In that case you are looking at just port forwarding via a single intermediary host. I haven't seen restrictions like you are talking about but you might be able to do something with the iptables-extensions --gid-owner in iptables because at the SSH server level forwarding is either all on or all the way off. Your designers are probably on GNU/Linux or OS X. Any playing around with Windows will, again, be a liability here.
Thanks for the response. Yeah, I have configured my Bastion Host on CentOS 7. It would be helpful to know what to use to achieve the above stated scenario.

Regards
Tashi
However, the real question is what is on the clients. If you want shells on the internal machines, then OpenSSH 7.3 or higher is best. If you are just going to do port forwarding, then it does not matter so much. Which scenario are you following? Can you give a little more detail?
I want to create a bastion host between a corporate network and a network management network that would look like the following:

User A uses PuTTY to connect to Bastion Host on TCP/2001 (ssh listening here) and the bastion host redirects to a Telnet (TCP/23) connection to an old non-ssh capable device (Host X). All commands that User A issues are recorded on the bastion host (psacct).

User B uses PuTTY to connect to Bastion Host on TCP/2002 (same ssh process as above is also listening here) and the bastion host redirects to a Telnet (TCP/23) connection to an old non-ssh capable device (Host Y). All commands that User B issues are recorded on the bastion host (psacct).

It would be real nice to have a simple configuration file that just says:

Bastion Host port 2001 = remote host X port 23
Bastion Host port 2002 = remote host Y port 23
User A authorized Host X & Host Y
User B authorized Host Y only

Anyone know of anything that does this? If so, or have any ideas - would greatly appreciate.
Your system can do that, there is no monolith.
Established best practices for connecting on SSH these days require use of keys. The public key on the bastion host can contain a forced command. Set that command to telnet hostx 23 for user A. For user B, set theirs to telnet hosty 23. See the manual page for sshd in the section "AUTHORIZED_KEYS FILE FORMAT" for the details.

Steps:
1) make accounts for users A and B on the bastion
2) set up key based authentication for said users
2a) set up read-only keys if that is needed
3) modify keys in authorized_keys to force commands for said users

See the references in the earlier posts. psacct should pick that much up, but probably won't pick up the contents of the Telnet session. If you are talking about logging the contents of the Telnet session itself, then you can use script, called from each user's key.

Code:
command="script --quiet --append --flush --command 'telnet hostx 23' /var/log/telnet.usera.log" ...
Code:
man sshd_config
SSH keys are the simple way to do this and if they do enough for you then that is what is recommended; however, if they aren't enough then you can also use outbound rules in iptables to do this. Not familiar if firewalld supports it tho, and firewalld is default for CentOS 7.

I believe in iptables you can do this:
Code:
iptables -A OUTPUT -p tcp --dport 22 -d <destination address> -m owner --uid-owner <user> -j ACCEPT

You'd need to carefully configure the whole OUTPUT chain if you went this far tho, but it is an option. Again there may be a firewalld method to do it but I am not overly familiar with firewalld. Consider this the far more paranoid way of doing it; would still recommend using SSH keys if you did set this up anyways.
Hi Everyone,

This post is a continuation of the above stated post with a clear picture of WHAT I WANT TO ACHIEVE.

Connection Overview (all are running in Oracle VirtualBox)
-----------------------------------------------------------
1. BastionHost
   Operating System: CentOS 7
   enp0s8: 10.10.10.11/24
   enp0s9: 20.20.20.11/24
   User: bastionuser
2. Webserver
   Operating System: CentOS 7
   enp0s3: 10.10.10.12/24
   User: webuser
3. Fileserver
   Operating System: CentOS 7
   enp0s3: 10.10.10.13/24
   User: user1
4. TestClient (considered as Internet user)
   Operating System: CentOS 7
   enp0s3: 20.20.20.15/24
   User: client1

Logical Diagram
----------------
TestClient(20.20.20.15) ===>> (20.20.20.11)BastionHost(10.10.10.11) ===> Virtual Switch LAN ===> Webserver(10.10.10.12) / Fileserver(10.10.10.13)

Manual connection (ssh)
------------------------
From "TestClient" (Internet), to connect to host "Webserver" or "Fileserver" on the LAN, first ssh to "BastionHost" and from BastionHost again ssh to "Webserver"/"Fileserver".

How should it work? For example, "webuser" who belongs to the Web Developer group should be able to connect only to the web server and its service, only via SSH. "user1" who belongs to the Database Admin group should be able to connect only to the file server, only via SSH. He wants the "Bastion Host" to allow/deny based on group roles and permissions. Is there any method where I can achieve this?

OR
===
Like: doing ssh to BastionHost using "ssh webuser@bastion" will connect to "Webserver", and ssh to BastionHost using "ssh user1@bastion" will connect to "Fileserver"...

Thanks
Tashi
As far as using the bastion host to allow or deny users, see the manual page for sshd_config:
Code:
man sshd_config

You may have to deal with the groups on the destination machines themselves and not the bastion.
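The posts above point at three places where a bastion can pin a user to one inner host: a Match Group block in sshd_config, key options (forced commands, permitopen) in authorized_keys, and owner-matched iptables OUTPUT rules. The following is an added example for this thread, not any poster's code: it renders one policy into all three, using the hosts and user names from the CentOS 7 lab (webuser to 10.10.10.12, user1 to 10.10.10.13). The group names webdev and dbadmin, the key blobs and all function names are assumptions.

```python
"""Render one bastion access policy three ways: sshd_config Match Group
blocks, per-user authorized_keys entries and iptables OUTPUT rules.
Added example for this thread, not any poster's code. Hosts and user
names are the thread's CentOS 7 lab; group names (webdev, dbadmin), the
key blobs and all helper names are made up for illustration."""
import ipaddress
from dataclasses import dataclass

LAN = "10.10.10.0/24"          # the inner network behind the bastion


@dataclass
class Grant:
    user: str      # account on the bastion
    group: str     # bastion group that drives the Match block
    targets: list  # "host:port" pairs this user may reach through the bastion
    pubkey: str    # the user's public key line (placeholder blob here)


POLICY = [
    Grant("webuser", "webdev",  ["10.10.10.12:22"], "ssh-ed25519 AAAAC3PLACEHOLDER webuser@client"),
    Grant("user1",   "dbadmin", ["10.10.10.13:22"], "ssh-ed25519 AAAAC3PLACEHOLDER user1@client"),
]


def validate(policy):
    """Return problems with the policy (empty list = fine). A grant that
    points outside the LAN would turn the bastion into an open relay."""
    net = ipaddress.ip_network(LAN)
    problems = []
    for g in policy:
        for target in g.targets:
            host, _port = target.rsplit(":", 1)
            if ipaddress.ip_address(host) not in net:
                problems.append(f"{g.user}: {target} is outside {LAN}")
    return problems


def render_sshd_match(policy):
    """sshd_config fragment. Forwarding is off for everyone by default;
    each Match Group re-enables *local* forwarding to its own targets
    only. ProxyJump (-J) is 'ssh -W host:port' underneath, so PermitOpen
    is exactly the knob that decides which inner host a group may jump to."""
    lines = ["# generated defaults: nobody forwards anything",
             "AllowTcpForwarding no", "PermitOpen none",
             "X11Forwarding no", "PermitTunnel no", ""]
    for grp in sorted({g.group for g in policy}):
        targets = sorted({t for g in policy if g.group == grp for t in g.targets})
        lines += [f"Match Group {grp}",
                  "    AllowTcpForwarding local",
                  "    PermitOpen " + " ".join(targets),
                  "    PermitTTY no", ""]
    return "\n".join(lines)


def render_authorized_keys(grant):
    """One authorized_keys line for the user's key on the bastion.
    'restrict' switches every feature off, 'port-forwarding' switches
    forwarding back on, permitopen pins the destination and command=
    replaces any requested shell, so the key is good for jumping only."""
    permit = ",".join(f'permitopen="{t}"' for t in grant.targets)
    return f'restrict,port-forwarding,{permit},command="/bin/false" {grant.pubkey}'


def render_iptables(policy):
    """OUTPUT rules enforcing the same policy in the kernel (the owner-match
    idea from the thread). After authentication the per-connection sshd
    process runs as the user, so its -W connections carry that uid.
    Per-user ACCEPTs come before the catch-all DROP for SSH into the LAN."""
    rules = ["-A OUTPUT -o lo -j ACCEPT",
             "-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"]
    for g in policy:
        for target in g.targets:
            host, port = target.rsplit(":", 1)
            rules.append(f"-A OUTPUT -p tcp -d {host} --dport {port} "
                         f"-m owner --uid-owner {g.user} -j ACCEPT")
    rules.append(f"-A OUTPUT -p tcp -d {LAN} --dport 22 -j DROP")
    return rules


if __name__ == "__main__":
    assert not validate(POLICY)
    print(render_sshd_match(POLICY))
    for g in POLICY:
        print(f"# /home/{g.user}/.ssh/authorized_keys\n{render_authorized_keys(g)}\n")
    print("\n".join(render_iptables(POLICY)))
```

The sshd fragment is meant to be appended to /etc/ssh/sshd_config on the bastion (Match blocks must come last) and checked with sshd -t before restarting; with it in place, a client-side "ssh -J bastionuser@20.20.20.11 webuser@10.10.10.12" works for a webdev member while the same user's jump to 10.10.10.13 is refused by PermitOpen. The authorized_keys line narrows that further to the individual key, and the iptables rules are the belt-and-braces layer that still holds if sshd is misconfigured.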
I have got the following "ProxyCommand" configured in my
Code:
~/.ssh/config

Code:
#Jump Host. Directly reachable

Code:
[root@localhost ~]# ssh fileserver

Code:
[root@localhost ~]# ssh 10.10.10.13

Code:
[root@localhost ~]# ssh -A -t -l root 20.20.20.11 ssh -A -t -l root 10.10.10.13

I used https://en.wikibooks.org/wiki/OpenSS...ugh_Jump_Hosts as reference.
Thanks
Yes, it looks like a colon : is missing from your ProxyCommand between %h and %p.
Testing the middle part also, can you connect to the bastion with ssh bastion alone?
Code:
Host bastion
Code:
#Jump Host. Directly reachable
[root@localhost ~]# ssh fileserver
ssh: Could not resolve hostname fileserver: Name or service not known
[root@localhost ~]#
[root@localhost ~]# ssh 10.10.10.13
ssh: connect to host 10.10.10.13 port 22: No route to host
[root@localhost ~]#

I can connect to bastion using the IP address, but can't connect using "ssh bastion"; it says "ssh: Could not resolve hostname bastion: Name or service not known".

What is the purpose of the following line?
Code:
IdentityFile /home/bastionuser/.ssh/machine1_e25519
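As an added example, not code from anyone in this thread, here is a small ~/.ssh/config checker for the two problems reported above: a ProxyCommand written as "-W %h%p" instead of "-W %h:%p", and "ssh <alias>" for a name that no Host block defines (which is when ssh falls back to DNS and reports "Could not resolve hostname"). The two config texts are constructed to match the thread's shape, using the bastion address, the fileserver address and the IdentityFile path quoted in the posts; the aliases bastion and fileserver and all function names are assumptions.

```python
"""Linter for the jump-host ~/.ssh/config shape discussed in the thread.
Added example, not any poster's code. The config texts are constructed
(addresses and IdentityFile path from the posts; aliases assumed)."""
import ipaddress
import re
import shlex

BROKEN_CONFIG = """\
# constructed: the colon between %h and %p is missing, as in the thread
Host bastion
    HostName 20.20.20.11
    User bastionuser
    # IdentityFile names the private key ssh offers to this host instead
    # of the default ~/.ssh/id_* files; its public half goes on the bastion
    IdentityFile /home/bastionuser/.ssh/machine1_e25519

Host fileserver
    HostName 10.10.10.13
    User user1
    ProxyCommand ssh -W %h%p bastion
"""

# the same file with the colon restored: -W wants a single host:port token
FIXED_CONFIG = BROKEN_CONFIG.replace("%h%p", "%h:%p")


def parse_ssh_config(text):
    """Minimal ssh_config reader: {alias: {key_lowercase: value}}.
    Keys are case-insensitive and may be written 'Key value' or 'Key=value';
    options that appear before any Host line are stored under '*'."""
    blocks, current = {"*": {}}, "*"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^(\w+)(?:\s*=\s*|\s+)(.*)$", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "host":
            current = value
            blocks.setdefault(current, {})
        else:
            blocks[current][key] = value
    return blocks


def _is_address(name):
    """True when ssh would treat the name as a literal IP, not an alias."""
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def lint(text):
    """Return human-readable findings; an empty list means the jump chain
    is at least syntactically sound."""
    cfg = parse_ssh_config(text)
    findings = []
    for alias, opts in cfg.items():
        proxy = opts.get("proxycommand", "")
        if "-W" in proxy and "%h:%p" not in proxy:
            findings.append(f"{alias}: ProxyCommand uses -W but not '%h:%p' "
                            "(colon between %h and %p is missing)")
        # the jump host is either ProxyJump's value or the last word of
        # 'ssh -W %h:%p <jump>'; it must itself be an alias or an address
        jump = opts.get("proxyjump") or (shlex.split(proxy)[-1] if proxy else "")
        if jump and jump not in cfg and not _is_address(jump):
            findings.append(f"{alias}: jump host '{jump}' has no Host block "
                            "and is not an IP address")
    return findings


def check_alias(text, name):
    """Explain why 'ssh <name>' fails before any packet leaves the client."""
    cfg = parse_ssh_config(text)
    if name not in cfg and not _is_address(name):
        return (f"'{name}': no Host block in this config, so ssh resolves it "
                "as a DNS name and reports 'Could not resolve hostname'")
    return ""


if __name__ == "__main__":
    for finding in lint(BROKEN_CONFIG):
        print("broken:", finding)
    print("fixed:", lint(FIXED_CONFIG) or "no findings")
    print(check_alias(BROKEN_CONFIG, "webserver"))
```

Run against the file the failing ssh actually reads: ssh only consults the ~/.ssh/config of the user running it, so a config under /home/bastionuser does nothing for commands typed at a root prompt. On OpenSSH 7.3 and later the whole ProxyCommand line can be replaced by "ProxyJump bastion", which is the same "-W host:port" mechanism without the chance of mistyping the token.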