LinuxQuestions.org > Linux - Security
Bastion Host: Implementing ACL with user group and permission
(https://www.linuxquestions.org/questions/linux-security-4/bastion-host-implementing-acl-with-user-group-and-permission-4175599413/)

TashiDuks 02-09-2017 09:38 PM

Bastion Host: Implementing ACL with user group and permission
 
Hi Everyone,

I have a question about implementing ACLs based on user groups on a bastion host. Recently my boss asked me to find a solution for implementing ACLs based on user groups.

Scenario

Let's say there are three user groups:

1. Web Developer
2. System Administrator
3. Database Admin

This is how it would be connected via internet using SSH:

Users ----->>--Bastion Host --->>----Server(s) [(Web)|(Database)|(ftp)]

How it should work?

For example;
UserA, who belongs to the Web Developer group, should be able to connect only to the web server and its service, and only via SSH.

UserA, who belongs to the Database Admin group, should be able to connect only to the database server, and only via SSH.

He wants "Bastion Host" to allow/deny based on group roles and permission.

Is there any method by which I can achieve this?

Thanks in advance

Turbocapitalist 02-09-2017 11:00 PM

There's not really an easy way if any of them are still playing around on Windows, which is a very big liability these days. On all other options, the easy way is to use the ProxyJump option in ssh_config. It's also available as a runtime argument, -J.

https://www.openssh.com/txt/release-7.3

Code:

* ssh(1): Add a ProxyJump option and corresponding -J command-line
  flag to allow simplified indirection through one or more SSH
  bastions or "jump hosts".

See the manual page for details or various write ups on proxies and jump hosts / bastion hosts. If you use either ProxyJump (-J) or stdio forwarding (-W), you do not need to grant shell access on the jump host. Though you do need to allow login. That apparent contradiction can be solved by sending the SSH client to the background prior to the execution of the remote program (-f), maybe also at the same time as just plain prevention of using any programs at all (-N). If you are using keys, then this can be specified in the bastion / jump host account's authorized_keys file as well to force the issue automatically.

As for the allow or deny, the bastion can have a Match block in the sshd configuration selecting by Group.
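Added example, not from the thread or from OpenSSH's own documentation: a script that renders the per-group ACL described in this reply (Match ... Group on the bastion, forwarding only to each role's hosts, no shell on the bastion itself) into an sshd_config fragment. The group names (webdev, dba, bastion-admins), the destination addresses and the two-host policy table are assumptions chosen to match the original scenario.

```sh
#!/bin/sh
# Added example, not from the thread: render a per-role bastion policy into
# sshd_config Match blocks. Assumed names: groups webdev and dba (role groups),
# bastion-admins (people allowed a shell on the bastion itself), destinations
# 10.10.10.12/webserver and 10.10.10.13/fileserver. Everything used here
# (Match Group, PermitOpen, PermitTTY, AllowTcpForwarding local) exists in
# OpenSSH 6.6 as shipped with CentOS 7.
set -eu

# Constructed policy table, one role per line: <group> <dest:port> [<dest:port> ...]
POLICY='
webdev 10.10.10.12:22 webserver:22
dba    10.10.10.13:22 fileserver:22
'

# Global section. Only listed groups may log in at all; forwarding is off
# here and re-enabled per role below. Match blocks must be the last thing in
# sshd_config, which is why this part is emitted first.
global_section() {
    printf '# --- bastion: global section ---\n'
    printf 'PasswordAuthentication no\n'
    printf 'PermitRootLogin no\n'
    printf 'AllowTcpForwarding no\n'
    printf 'X11Forwarding no\n'
    printf 'AllowAgentForwarding no\n'
    printf 'AllowGroups bastion-admins %s\n' "$*"
}

# One Match block per role: no TTY and no command on the bastion (a session
# request just runs /bin/false), only a local forward to the listed targets.
# sshd compares the host *string* the client put in its direct-tcpip request,
# so list both the IP and whatever name users have in their ssh_config.
# sshd honours only the first PermitOpen it meets for a connection, so all of
# a role's targets go on that one line.
role_block() {
    group=$1; shift
    printf '\nMatch Group %s\n' "$group"
    printf '    AllowTcpForwarding local\n'
    printf '    PermitOpen %s\n' "$*"
    printf '    PermitTTY no\n'
    printf '    ForceCommand /bin/false\n'
}

# Emit the whole fragment: global section, then one block per policy line.
render_policy() {
    roles=$(printf '%s\n' "$POLICY" | awk 'NF && $1 !~ /^#/ { printf "%s%s", sep, $1; sep = " " }')
    global_section $roles
    printf '%s\n' "$POLICY" | while read -r group targets; do
        case "$group" in ''|'#'*) continue ;; esac
        role_block "$group" $targets
    done
}

render_policy
```

Append the output to /etc/ssh/sshd_config on the bastion, check it with sshd -t, then reload sshd. A member of webdev reaches the web server with ssh -o ProxyCommand='ssh -W %h:%p usera@bastion' webuser@10.10.10.12; the same user asking the bastion for 10.10.10.13 is refused with an "administratively prohibited" open failure, and a plain ssh usera@bastion gets no shell. Which block applies is decided purely by group membership on the bastion (usermod -aG webdev usera); the destination servers still need their own accounts and keys.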

Turbocapitalist 02-09-2017 11:12 PM

An after thought, if you are talking about only port forwarding from the client machines to the internal machines behind the bastion / jump host, then you do not need the options above. In that case you are looking at just port forwarding via a single intermediary host. I haven't seen restrictions like you are talking about but you might be able to do something with the iptables-extensions --gid-owner in iptables because at the SSH server level forwarding is either all on or all the way off. Your designers are probably on GNU/Linux or OS X. Any playing around with Windows will, again, be a liability here.

TashiDuks 02-10-2017 12:02 AM

Quote:

Originally Posted by Turbocapitalist (Post 5668190)
An after thought, if you are talking about only port forwarding from the client machines to the internal machines behind the bastion / jump host, then you do not need the options above. In that case you are looking at just port forwarding via a single intermediary host. I haven't seen restrictions like you are talking about but you might be able to do something with the iptables-extensions --gid-owner in iptables because at the SSH server level forwarding is either all on or all the way off. Your designers are probably on GNU/Linux or OS X. Any playing around with Windows will, again, be a liability here.

Hi,

Thanks for the response. Yeah, I have configured my Bastion Host on CentOS 7. It would be helpful to know what to use to achieve the above-stated scenario.

Regards

Tashi

Turbocapitalist 02-10-2017 12:14 AM

Quote:

Originally Posted by TashiDuks (Post 5668199)
Yeah, I have configured my Bastion Host in CentOS 7. It will be helpful what to use to achieve the above stated scenario?

CentOS 7 has OpenSSH 6.6p if I understand correctly. That should be adequate.

However, the real question is what is on the clients. If you want shells on the internal machines, then OpenSSH 7.3 or higher is best. If you are just going to do port forwarding, then it does not matter so much.

Which scenario are you following? Can you give a little more detail?

TashiDuks 02-10-2017 01:43 AM

Quote:

Originally Posted by Turbocapitalist (Post 5668200)
CentOS 7 has OpenSSH 6.6p if I understand correctly. That should be adequate.

However, the real question is what is on the clients. If you want shells on the internal machines, then OpenSSH 7.3 or higher is best. If you are just going to do port forwarding, then it does not matter so much.

Which scenario are you following? Can you give a little more detail?

Well, my scenario is exactly the same as this one posted by one of the users, but the answer seems not to be clear, so I had to re-post.

I want to create a bastion host between a corporate network and a network management network that would look like the following:
User A uses PuTTY to connect to Bastion Host on TCP/2001 (ssh listening here) and the bastion host redirects to a Telnet (TCP/23) connection to old non-ssh capable device (Host X).
All commands that User A issues are recorded on the bastion host (psacct)
User B uses PuTTY to connect to Bastion Host on TCP/2002 (same ssh process as above is also listening here) and the bastion host redirects to a Telnet (TCP/23) connection to old non-ssh capable device (Host Y).
All commands that User B issues are recorded on the bastion host (psacct)

It would be real nice to have a simple configuration file that just says:
Bastion Host port 2001 = remote host X port 23
Bastion Host port 2002 = remote host Y port 23
User A authorized Host X & Host Y
User B authorized Host Y only.

Anyone know of anything that does this? If so, or have any ideas - would greatly appreciate.

Turbocapitalist 02-10-2017 02:14 AM

Your system can do that; there is no monolith.

Quote:

Originally Posted by TashiDuks (Post 5668215)
User A uses PuTTY to connect to Bastion Host on TCP/2001 (ssh listening here) and the bastion host redirects to a Telnet (TCP/23) connection to old non-ssh capable device (Host X).
All commands that User A issues are recorded on the bastion host (psacct)
User B uses PuTTY to connect to Bastion Host on TCP/2002 (same ssh process as above is also listening here) and the bastion host redirects to a Telnet (TCP/23) connection to old non-ssh capable device (Host Y).
All commands that User B issues are recorded on the bastion host (psacct)

Like I said, Windows is a big liability here and not just because of the security shortcomings. You really need to have them upgrade to Linux Mint or CentOS or even OS X; really, anything modern will do. However, we'll ignore that for now. Minus Windows, what you describe is easy ...

Established best practices for connecting over SSH these days require the use of keys. The public key on the bastion host can contain a forced command. Set that command to telnet hostx 23 for user A. For user B, set theirs to telnet hosty 23. See the manual page for sshd in the section "AUTHORIZED_KEYS FILE FORMAT" for the details.

Steps:

1) make accounts for users A and B on the bastion

2) set up key based authentication for said users
2a) set up read-only keys if that is needed
3) modify keys in authorized_keys to force commands for said users

See the references in the earlier posts.

psacct should pick that much up, but probably won't pick up the contents of the Telnet session. If you are talking about logging the contents of the Telnet session itself, then you can use script, called from each user's key.

Code:

command="script --quiet --append --flush --command 'telnet hostx 23' /var/log/telnet.usera.log" ...

It's been a while since I've looked at telnet so I can't recall if it can escape to the shell. If so then you'll want to use a restricted shell like rbash. That would be step 4.
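Added example, not from the thread: a forced-command wrapper that implements the steps above for the telnet case, together with the authorized_keys line that pins a user's key to it. The install path /usr/local/sbin/bastion-telnet, the log directory /var/log/bastion, the host names and the sample key are assumptions; it relies on util-linux script(1) and on a BSD-style telnet whose "!" escape spawns $SHELL, which should be verified on the actual bastion rather than taken on trust.

```sh
#!/bin/sh
# Added example, not from the thread: forced-command wrapper for the
# "User A -> telnet Host X" bastion, plus the authorized_keys line that pins a
# key to it. Assumptions: installed as /usr/local/sbin/bastion-telnet, logs in
# /var/log/bastion, util-linux script(1), and a BSD-style telnet whose '!'
# escape spawns $SHELL. CentOS 7's OpenSSH 6.6 has no 'restrict' keyword, so
# the individual no-* options are spelled out instead.
set -eu

LOGDIR=${BASTION_LOGDIR:-/var/log/bastion}

# Accept only a plain hostname/IP and a numeric port. Key options are trusted
# input, but a typo there must not turn into "telnet -l root ...".
validate_target() {
    host=$1 port=$2
    case "$host" in ''|-*|*[!A-Za-z0-9.-]*) return 1 ;; esac
    case "$port" in ''|*[!0-9]*) return 1 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ]
}

# authorized_keys entry for one user: forced command, no forwarding of any
# kind, optional source restriction. No no-pty, because telnet is interactive.
authorized_keys_line() {
    user=$1 host=$2 port=$3 pubkey=$4 from=${5:-}
    validate_target "$host" "$port" || return 1
    opts="command=\"/usr/local/sbin/bastion-telnet connect $host $port\""
    opts="$opts,no-port-forwarding,no-X11-forwarding,no-agent-forwarding"
    [ -n "$from" ] && opts="$opts,from=\"$from\""
    printf '%s %s %s@bastion\n' "$opts" "$pubkey" "$user"
}

# What sshd runs for that user. SSH_ORIGINAL_COMMAND is logged and otherwise
# ignored, so "ssh usera@bastion bash" still lands in telnet. SHELL is set
# to /bin/false for telnet only (script(1) itself needs a real shell for -c),
# which neuters telnet's '!' escape to a local shell.
connect() {
    host=$1 port=$2
    validate_target "$host" "$port" || { echo "bastion-telnet: bad target" >&2; exit 1; }
    user=$(id -un)
    log="$LOGDIR/telnet.$user.$(date +%Y%m%d).log"
    printf '%s %s@bastion -> %s:%s orig=%s\n' "$(date -u +%FT%TZ)" "$user" \
        "$host" "$port" "${SSH_ORIGINAL_COMMAND:-<none>}" >>"$log"
    exec script --quiet --append --flush \
        --command "env SHELL=/bin/false telnet $host $port" "$log"
}

case "${1:-demo}" in
    connect) shift; connect "$@" ;;
    keyline) shift; authorized_keys_line "$@" ;;
    demo)    # constructed sample key, not a real one
        authorized_keys_line usera hostx 23 \
            'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyOnlyNotRealxxxxxxxxxxxxxxxxx' \
            '192.0.2.0/24' ;;
esac
```

Generate the entry with bastion-telnet keyline usera hostx 23 "$(cat usera.pub)" and put it where the user cannot edit it: a root-owned file selected by AuthorizedKeysFile /etc/ssh/authorized_keys/%u, not ~/.ssh/authorized_keys, otherwise the user can simply strip the command= option from their own key. Test the escape path before relying on it: connect as usera, press ^] and then "!", and confirm that no shell appears.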

TashiDuks 02-10-2017 02:19 AM

Quote:

Originally Posted by Turbocapitalist (Post 5668222)
Your system can do that; there is no monolith.



Like I said, Windows is a big liability here and not just because of the security shortcomings. You really need to have them upgrade to Linux Mint or CentOS or even OS X; really, anything modern will do. However, we'll ignore that for now. Minus Windows, what you describe is easy ...

Established best practices for connecting over SSH these days require the use of keys. The public key on the bastion host can contain a forced command. Set that command to telnet hostx 23 for user A. For user B, set theirs to telnet hosty 23. See the manual page for sshd in the section "AUTHORIZED_KEYS FILE FORMAT" for the details.

Steps:

1) make accounts for users A and B on the bastion

2) set up key based authentication for said users
2a) set up read-only keys if that is needed
3) modify keys in authorized_keys to force commands for said users

See the references in the earlier posts.

psacct should pick that much up, but probably won't pick up the contents of the Telnet session. If you are talking about logging the contents of the Telnet session itself, then you can use script, called from each user's key.

Code:

command="script --quiet --append --flush --command 'telnet hostx 23' /var/log/telnet.usera.log" ...

It's been a while since I've looked at telnet so I can't recall if it can escape to the shell. If so then you'll want to use a restricted shell like rbash. That would be step 4.

Are there any web links where I can get the reference to configure this?

Regards

Turbocapitalist 02-10-2017 02:22 AM

Quote:

Originally Posted by TashiDuks (Post 5668224)
Are there any web links where I can get the reference to configure this?

Yes. I've included all the links, except for the manual pages. You'll have to read the manual pages for sshd_config, sshd, and the above wikibook chapter sections.

Code:

man sshd_config
man sshd
man script
man telnet
man man


r3sistance 02-10-2017 03:56 AM

SSH keys are the simple way to do this, and if they do enough for you then that is what is recommended. However, if that isn't enough, you can also use outbound rules in iptables to do this. I'm not familiar with whether firewalld supports it, though, and firewalld is the default for CentOS 7.

I believe in iptables you can do this: iptables -A OUTPUT -p tcp --dport 22 -d <destination address> -m owner --uid-owner <user> -j ACCEPT

You'd need to carefully configure the whole OUTPUT chain if you went this far, though, but it is an option. Again, there may be a firewalld method to do it, but I am not overly familiar with firewalld. Consider this the far more paranoid way of doing it; I would still recommend using SSH keys if you did set this up anyway.
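Added example, not from the thread: the OUTPUT chain this post gestures at, written out as a complete per-role egress policy with the owner match, including the firewalld "direct" form for CentOS 7. It is a second layer beneath sshd's own Match/PermitOpen policy, not a replacement for it. Group names, addresses and the policy table are assumptions; the claim about why the owner match applies to forwarded connections is explained in the comments.

```sh
#!/bin/sh
# Added example, not from the thread: per-role egress rules for the bastion
# using iptables' owner match, as a second layer beneath sshd's own
# Match/PermitOpen policy. Assumptions: groups webdev and dba are each user's
# *primary* group, destinations 10.10.10.12 and 10.10.10.13, CentOS 7 kernel.
# Prints the commands for review; run them as root or pipe to sh. Set
# BACKEND=firewalld to get firewalld "direct" rules instead of raw iptables.
set -eu

BACKEND=${BACKEND:-iptables}

# Constructed policy: <group> <destination> <tcp port>
POLICY='
webdev 10.10.10.12 22
dba    10.10.10.13 22
'

# One OUTPUT rule for the chosen backend. firewalld direct rules are plain
# iptables arguments with a priority in front.
emit_rule() {
    prio=$1; shift
    case "$BACKEND" in
        iptables)  printf 'iptables -A OUTPUT %s\n' "$*" ;;
        firewalld) printf 'firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT %s %s\n' "$prio" "$*" ;;
        *) echo "unknown BACKEND: $BACKEND" >&2; return 1 ;;
    esac
}

# Why owner matching works here: after authentication, the sshd process that
# opens forwarded connections (-W, -J, -L) runs with the user's uid and
# primary gid, so the outbound SYN carries that identity. --gid-owner tests
# the primary gid only, never supplementary groups (--suppl-groups is far
# newer than the CentOS 7 kernel), hence "usermod -g webdev usera".
render_rules() {
    emit_rule 0 '-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    emit_rule 1 '-o lo -j ACCEPT'
    # the bastion's own traffic (updates, syslog, ...) is root's, leave it alone
    emit_rule 2 '-m owner --uid-owner 0 -j ACCEPT'
    # target names are resolved inside the per-user sshd process, so DNS
    # must stay open (or put the targets in /etc/hosts and drop this rule)
    emit_rule 3 '-p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT'
    n=4
    printf '%s\n' "$POLICY" | while read -r group dest port; do
        case "$group" in ''|'#'*) continue ;; esac
        emit_rule "$n" "-m owner --gid-owner $group -d $dest -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
        n=$((n + 1))
    done
    # anything else a non-root user originates is logged and refused
    emit_rule 99 '-m owner ! --uid-owner 0 -m conntrack --ctstate NEW -j LOG --log-prefix "bastion-egress-deny: "'
    emit_rule 99 '-m owner ! --uid-owner 0 -m conntrack --ctstate NEW -j REJECT'
}

render_rules
```

With these rules loaded, a dba member who asks the bastion for 10.10.10.12:22 has the connect() refused by the bastion's own kernel and a "bastion-egress-deny" line in the kernel log, even if the sshd policy were ever misconfigured. The owner match only exists in OUTPUT and POSTROUTING, which is exactly where a bastion's forwarded connections originate, so this technique does not carry over to routed traffic.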

TashiDuks 03-02-2017 01:10 AM

Hi Everyone,

This post is a continuation of the above-stated post, with a clearer picture of WHAT I WANT TO ACHIEVE.

Connection Overview (All are running in Oracle Virtual Box)
-----------------------------------------------------------
1. BastionHost
Operating System: CentOS7
enp0s8: 10.10.10.11/24
enp0s9: 20.20.20.11/24
User: bastionuser

2. Webserver
Operating System: CentOS7
enp0s3: 10.10.10.12/24
User: webuser

3. Fileserver
Operating System: CentOS7
enp0s3: 10.10.10.13/24
User: user1

4. TestClient (Considered as Internet User)
Operating System: CentOS7
enp0s3: 20.20.20.15/24
User: client1

Logical Diagram
----------------

TestClient(20.20.20.15) ===>> (20.20.20.11)BastionHost(10.10.10.11) ===> Virtual Switch LAN ===> Webserver(10.10.10.12) / Fileserver(10.10.10.13)

Manual connection (ssh)
------------------------

From "TestClient" (Internet), to connect host "Webserver" or "Fileserver" on the LAN, first ssh to "BastionHost" and from BastionHost again ssh to "Webserver"/"Fileserver".


How it should work?

For example;

"Webuser", who belongs to the Web Developer group, should be able to connect only to the web server and its service, and only via SSH.

User1, who belongs to the Database Admin group, should be able to connect only to the file server, and only via SSH.

He wants "Bastion Host" to allow/deny based on group roles and permission.

Is there any method by which I can achieve this?

OR
===

Like:

Doing ssh to BastionHost using ssh webuser@bastion will connect to "Webserver" and ssh to BastionHost using ssh user1@bastion will connect to "Fileserver"...


Thanks

Tashi

Turbocapitalist 03-02-2017 01:59 AM

Quote:

Originally Posted by TashiDuks (Post 5677916)
Is there any method where i can achieve this?

Yes, but from what I recall CentOS 7 has an old, almost outdated version of OpenSSH (6.6.1p). As such it lacks the ProxyJump (-J) option so you will have to do it the old way with ProxyCommand and stdio forwarding. See Old Methods of Passing Through Jump Hosts in the Wikibook on OpenSSH for a walkthrough.

As far as using the bastion host to allow or deny users, see the manual page for sshd_config:

Code:

man sshd_config

In particular see Match and AllowGroups.

You may have to deal with the groups on the destination machines themselves and not the bastion.
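Added example, not from the thread: a client-side wrapper that does what this reply describes automatically, using the -J form when the local OpenSSH is 7.3 or newer and falling back to ProxyCommand with stdio forwarding (-W) on older clients such as CentOS 7's 6.6.1, by parsing the ssh -V banner. The bastion and target are passed as arguments; the banners in the demo are constructed.

```sh
#!/bin/sh
# Added example, not from the thread: pick the ProxyJump (-J) form when the
# local OpenSSH client is 7.3 or newer and fall back to ProxyCommand with
# stdio forwarding (-W) on older clients such as CentOS 7's 6.6.1. Assumed:
# the bastion and the final target are given as arguments (alias, user@host
# or IP); the banners used in the demo are constructed.
set -eu

# "OpenSSH_6.6.1p1, OpenSSL 1.0.1e-fips 11 Feb 2013" -> "6 6"
ssh_version_of() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p'
}

# ProxyJump and -J were added in OpenSSH 7.3; anything unparseable is treated
# as old, because the -W form works on every client that has -W at all.
supports_proxyjump() {
    set -- $(ssh_version_of "$1")
    [ $# -eq 2 ] || return 1
    [ "$1" -gt 7 ] || { [ "$1" -eq 7 ] && [ "$2" -ge 3 ]; }
}

jump_mode() {
    if supports_proxyjump "$1"; then echo proxyjump; else echo proxycommand; fi
}

# Connect to TARGET through BASTION with whichever form this client supports.
# Note the colon in %h:%p; "-W %h %p" is not a valid stdio-forwarding spec.
# Both forms need only AllowTcpForwarding on the bastion's sshd; -J is built
# on -W, so the bastion itself does not need OpenSSH 7.3.
jump() {
    bastion=$1 target=$2; shift 2
    banner=$(ssh -V 2>&1)          # ssh -V prints its banner on stderr
    if supports_proxyjump "$banner"; then
        exec ssh -J "$bastion" "$target" "$@"
    else
        exec ssh -o "ProxyCommand=ssh -W %h:%p $bastion" "$target" "$@"
    fi
}

# Demo only, no connection is made: what this script would do on CentOS 7.
jump_mode 'OpenSSH_6.6.1, OpenSSL 1.0.1e-fips 11 Feb 2013'
```

Called as jump bastionuser@20.20.20.11 user1@10.10.10.13 it runs the same thing as the ProxyCommand stanza in the wikibook, but without depending on a Host alias being present in ~/.ssh/config, which makes it a handy way to separate "the forwarding does not work" from "my config file is not being read".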

TashiDuks 03-07-2017 10:49 PM

Quote:

Originally Posted by Turbocapitalist (Post 5677931)
Yes, but from what I recall CentOS 7 has an old, almost outdated version of OpenSSH (6.6.1p). As such it lacks the ProxyJump (-J) option so you will have to do it the old way with ProxyCommand and stdio forwarding. See Old Methods of Passing Through Jump Hosts in the Wikibook on OpenSSH for a walkthrough.

As far as using the bastion host to allow or deny users, see the manual page for sshd_config:

Code:

man sshd_config

In particular see Match and AllowGroups.

You may have to deal with the groups on the destination machines themselves and not the bastion.

Hi,

I have got the following "ProxyCommand" configured in my ~/.ssh/config:
Code:

#Jump Host. Directly reachable
Host bastion
        HostName 20.20.20.11
        User bastionuser
        Port 22

#Host to Fileserver via Bastion
Host fileserver
        HostName 10.10.10.13
        User linuxclient
        ProxyCommand ssh -W %h %p bastion

From the "TestClient" machine I tried doing "ssh" as follows, but it seems not to be working:
Code:

[root@localhost ~]# ssh fileserver
ssh: Could not resolve hostname fileserver: Name or service not known
[root@localhost ~]#

I tried with IP address:
Code:

[root@localhost ~]# ssh 10.10.10.13
ssh: connect to host 10.10.10.13 port 22: No route to host
[root@localhost ~]#

For testing purposes I tried using the following, which seems to be working:
Code:

[root@localhost ~]# ssh -A -t -l root 20.20.20.11 ssh -A -t -l root 10.10.10.13
root@20.20.20.11's password:
root@10.10.10.13's password:
Last login: Thu Mar  2 11:53:27 2017
[root@fileserver ~]#

Any mistakes with my ProxyCommand?

I used https://en.wikibooks.org/wiki/OpenSS...ugh_Jump_Hosts as reference.

Thanks

Turbocapitalist 03-07-2017 11:02 PM

Yes, it looks like a colon : is missing from your ProxyCommand between %h and %p.

Testing the middle part also, can you connect to the bastion with ssh bastion alone?

Code:

Host bastion
        Hostname 20.20.20.11
        User bastionuser
        IdentityFile /home/bastionuser/.ssh/machine1_e25519
        Port 22

Host fileserver
        Hostname 10.10.10.13
        User linuxclient
        IdentityFile /home/linuxclient/.ssh/machine2_e25519
        Port 22
        ProxyCommand ssh -W %h:%p bastion


TashiDuks 03-07-2017 11:12 PM

Quote:

Originally Posted by Turbocapitalist (Post 5680500)
Yes, it looks like a colon : is missing from your ProxyCommand between %h and %p.

Testing the middle part also, can you connect to the bastion with ssh bastion alone?

Code:

Host bastion
        Hostname 20.20.20.11
        User bastionuser
        IdentityFile /home/bastionuser/.ssh/machine1_e25519
        Port 22

Host fileserver
        Hostname 10.10.10.13
        User linuxclient
        IdentityFile /home/linuxclient/.ssh/machine2_e25519
        Port 22
        ProxyCommand ssh -W %h:%p bastion


Here is the corrected one:

Code:

#Jump Host. Directly reachable
Host bastion
        HostName 20.20.20.11
        User bastionuser
        IdentityFile /home/bastionuser/.ssh/machine1_e25519
        Port 22

#Host to Fileserver via Bastion
Host fileserver
        HostName 10.10.10.13
        User linuxclient
        IdentityFile /home/bastionuser/.ssh/machine1_e25519
        Port 22
        ProxyCommand ssh -W %h:%p bastion

Still the issue is the same:
Code:

[root@localhost ~]# ssh fileserver
ssh: Could not resolve hostname fileserver: Name or service not known
[root@localhost ~]#

[root@localhost ~]# ssh 10.10.10.13
ssh: connect to host 10.10.10.13 port 22: No route to host
[root@localhost ~]#


I can connect to bastion using the IP address, but can't connect using "ssh bastion"; it says "ssh: Could not resolve hostname bastion: Name or service not known".

What is the purpose of the following line:

IdentityFile /home/bastionuser/.ssh/machine1_e25519

Turbocapitalist 03-07-2017 11:32 PM

Quote:

Originally Posted by TashiDuks (Post 5680504)
I can connect to bastion using the IP address, but can't connect using "ssh bastion"; it says "ssh: Could not resolve hostname bastion: Name or service not known".

Ok. That is the first of the problems. I see that you are using root. In which account did you put the client configuration file? If you are always going to be using root, which is a faux pas, then you can put it in ~root/.ssh/config and if you are going to be using another account, then drop root and use the correct account.

Quote:

Originally Posted by TashiDuks (Post 5680504)
What is the purpose of the following line:

IdentityFile /home/bastionuser/.ssh/machine1_e25519

If you are using keys, then you need to tell the SSH client which key to use for which host. See the manual page for any of the SSH client configuration options:

Code:

man ssh_config

TashiDuks 03-08-2017 11:25 PM

Quote:

Originally Posted by Turbocapitalist (Post 5680510)
Ok. That is the first of the problems. I see that you are using root. In which account did you put the client configuration file? If you are always going to be using root, which is a faux pas, then you can put it in ~root/.ssh/config and if you are going to be using another account, then drop root and use the correct account.



If you are using keys, then you need to tell the SSH client which key to use for which host. See the manual page for any of the SSH client configuration options:

Code:

man ssh_config

Quote:

If you are using keys, then you need to tell the SSH client which key to use for which host. See the manual page for any of the SSH client configuration options:
I am not using keys for ssh, it is just a basic ssh.

Quote:

That is the first of the problems. I see that you are using root. In which account did you put the client configuration file? If you are always going to be using root, which is a faux pas, then you can put it in ~root/.ssh/config and if you are going to be using another account, then drop root and use the correct account.
I tried changing the user to 'root' as the config file is located at ~/.ssh/config, but still I cannot do ssh. Following is the config (modified):
Code:

#Jump Host. Directly reachable
#Host bastion
        HostName 20.20.20.11
        User root
#      IdentityFile /home/bastionuser/.ssh/machine1_e25519
        Port 22
        ForwardAgent yes

#Host to Fileserver via Bastion
#Host fileserver
        HostName 10.10.10.13
        User linuxclient
#      IdentityFile /home/bastionuser/.ssh/machine1_e25519
        Port 22
        ProxyCommand ssh -W %h:%p bastion


Turbocapitalist 03-08-2017 11:35 PM

What is then in /root/.ssh/config?

It should be more or less this:

Code:

#Jump Host. Directly reachable
Host bastion
        HostName 20.20.20.11
        User root
#      IdentityFile /home/bastionuser/.ssh/machine1_e25519
        Port 22
        ForwardAgent yes

#Host to Fileserver via Bastion
Host fileserver
        HostName 10.10.10.13
        User linuxclient
#      IdentityFile /home/bastionuser/.ssh/machine1_e25519
        Port 22
        ProxyCommand ssh -W %h:%p bastion

Mind that you do not comment out the Host configuration directives with pound signs #
The one you have posted above will not work because of that.

TashiDuks 03-09-2017 02:02 AM

Quote:

Originally Posted by Turbocapitalist (Post 5680950)
What is then in /root/.ssh/config?

It should be more or less this:

Yes, that's true. I have exactly the same configuration, shown below, in my ~/.ssh/config OR /root/.ssh/config.
Code:

#Jump Host. Directly reachable
Host bastion
      HostName 20.20.20.11
      User root
      Port 22
      ForwardAgent yes

#Host to Fileserver via Bastion
Host fileserver
      HostName 10.10.10.13
      User user1
      Port 22
      ProxyCommand ssh -W %h:%p bastion

Just for testing purposes I tried using the following line, which is working just fine:
Code:

ssh -t root@20.20.20.11 'ssh user1@10.10.10.13'

Reference from your previous post "http://www.linuxquestions.org/questi...sh-4175590163/"

The only thing is I cannot ssh using ssh fileserver or ssh 10.10.10.13.

When I use ssh fileserver it says:
Code:

[root@localhost ~]# ssh fileserver
ssh: Could not resolve hostname fileserver: Name or service not known

When I use ssh 10.10.10.13 it says:
Code:

[root@localhost ~]# ssh 10.10.10.13
ssh: connect to host 10.10.10.13 port 22: No route to host

Turbocapitalist 03-09-2017 02:05 AM

Quote:

Originally Posted by TashiDuks (Post 5681002)
Yes, that's true. I have exactly the same configuration, shown below, in my ~/.ssh/config OR /root/.ssh/config.
Code:

#Jump Host. Directly reachable
Host bastion
      HostName 20.20.20.11
      User root
      Port 22
      ForwardAgent yes

#Host to Fileserver via Bastion
Host fileserver
      HostName 10.10.10.13
      User linuxclient
      Port 22
      ProxyCommand ssh -W %h:%p bastion


Can you log into the bastion with the shortcut? That is what you need to be debugging.

Code:

ssh bastion
ssh -v bastion


TashiDuks 03-09-2017 02:22 AM

Quote:

Originally Posted by Turbocapitalist (Post 5681004)
Can you log into the bastion with the shortcut? That is what you need to be debugging.

Code:

ssh bastion
ssh -v bastion


Yes I can login:
Code:

[root@localhost ~]# ssh bastion
root@bastion's password:
Last login: Thu Mar  9 16:20:48 2017 from 20.20.20.15
[root@localhost ~]#


Turbocapitalist 03-09-2017 02:28 AM

What if you look at a more verbose connection attempt?

Code:

ssh -v fileserver
ssh -vv fileserver
ssh -vvv fileserver

Also, which distro are you connecting from if I may ask?

Code:

lsb_release -rd

TashiDuks 03-09-2017 02:31 AM

Quote:

Originally Posted by Turbocapitalist (Post 5681004)
Can you log into the bastion with the shortcut? That is what you need to be debugging.

Code:

ssh bastion
ssh -v bastion


Hi Turbocapitalist,

I tried restarting; still the problem is the same.

Thanks

TashiDuks 03-09-2017 02:42 AM

Quote:

Originally Posted by Turbocapitalist (Post 5681011)
What if you look at a more verbose connection attempt?

Code:

ssh -v fileserver
ssh -vv fileserver
ssh -vvv fileserver

Also, which distro are you connecting from if I may ask?

Code:

lsb_release -rd

Here is what I have done:
Code:

[root@linuxclient ~]# ssh -v fileserver
OpenSSH_6.6.1, OpenSSL 1.0.1e-fips 11 Feb 2013
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 56: Applying options for *
debug1: Connecting to fileserver [10.10.10.13] port 22.
debug1: connect to address 10.10.10.13 port 22: No route to host
ssh: connect to host fileserver port 22: No route to host


[root@linuxclient ~]# ssh -vv fileserver
OpenSSH_6.6.1, OpenSSL 1.0.1e-fips 11 Feb 2013
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 56: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to fileserver [10.10.10.13] port 22.
debug1: connect to address 10.10.10.13 port 22: No route to host
ssh: connect to host fileserver port 22: No route to host


[root@linuxclient ~]# ssh -vvv fileserver
OpenSSH_6.6.1, OpenSSL 1.0.1e-fips 11 Feb 2013
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 56: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to fileserver [10.10.10.13] port 22.
debug1: connect to address 10.10.10.13 port 22: No route to host
ssh: connect to host fileserver port 22: No route to host
[root@linuxclient ~]#

When I ssh directly to "bastion" from "linuxclient" I can connect:
Code:

[root@linuxclient ~]# ssh bastion
root@bastion's password:
Last login: Thu Mar  9 16:26:40 2017 from dithp-003.diverseit.com.au
[root@bastion ~]#

Quote:

which distro are you connecting from if I may ask?
All the machines bastion, fileserver, linuxclient are running with CentOS 7.

Turbocapitalist 03-09-2017 02:49 AM

Connecting to the bastion works, so we don't need to test that anymore. Now we need to debug the stdio forwarding. I'm not surprised that a restart had no effect, that is as it should be.

But you need to find a line like this in one of the -v outputs:

Code:

debug1: /home/user1/.ssh/config line n: Applying options for fileserver

You have the one where it is parsing /etc/ssh/ssh_config but we should confirm if it is reading from the user account's configuration too.

TashiDuks 03-09-2017 03:07 AM

Quote:

Originally Posted by Turbocapitalist (Post 5681018)
Connecting to the bastion works, so we don't need to test that anymore. Now we need to debug the stdio forwarding. I'm not surprised that a restart had no effect, that is as it should be.

But you need to find a line like this in one of the -v outputs:

Code:

debug1: /home/user1/.ssh/config line n: Applying options for fileserver

You have the one where it is parsing /etc/ssh/ssh_config but we should confirm if it is reading from the user account's configuration too.

Umm, I cannot find the line as shown above in my debug. I could see only:
Code:

[root@linuxclient ~]# ssh -v fileserver
OpenSSH_6.6.1, OpenSSL 1.0.1e-fips 11 Feb 2013
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 56: Applying options for *
debug1: Connecting to fileserver [10.10.10.13] port 22.
debug1: connect to address 10.10.10.13 port 22: No route to host
ssh: connect to host fileserver port 22: No route to host

What could be the problem?

Can you tell me why the file named known_hosts is listed under ~/.ssh/?
Code:

# ls
config  known_hosts


Turbocapitalist 03-09-2017 03:14 AM

Quote:

Originally Posted by TashiDuks (Post 5681024)
Umm, I cannot find the line as shown above in my debug. I could see only:
Code:

[root@linuxclient ~]# ssh -v fileserver
OpenSSH_6.6.1, OpenSSL 1.0.1e-fips 11 Feb 2013
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 56: Applying options for *
debug1: Connecting to fileserver [10.10.10.13] port 22.
debug1: connect to address 10.10.10.13 port 22: No route to host
ssh: connect to host fileserver port 22: No route to host

What could be the problem?

Very strange.

If you are logging in from the user1 account, try this to force which configuration file the client looks for:

Code:

ssh -F /home/user1/.ssh/config fileserver

If from another account, adjust the path as needed.

Quote:

Originally Posted by TashiDuks (Post 5681024)
Can you tell me why the file named known_hosts is listed under ~/.ssh/?
Code:

# ls
config  known_hosts


Yes. That's where the client's own known hosts key register is kept by default. The public keys of the machines you have already connected to are kept there so that the client can use them next time to verify that you are connecting to the same machine as before. There is a global register in /etc/ssh/ssh_known_hosts which is also used. See the manual page for sshd for an explanation of the format of either register.

TashiDuks 03-09-2017 03:37 AM

Quote:

Originally Posted by Turbocapitalist (Post 5681025)
Very strange.

If you are logging in from the user1 account, try this to force which configuration file the client looks for:

Code:

ssh -F /home/user1/.ssh/config fileserver

If from another account, adjust the path as needed.



Yes. That's where the client's own known hosts key register is kept by default. The public keys of the machines you have already connected to are kept there so that the client can use them next time to verify that you are connecting to the same machine as before. There is a global register in /etc/ssh/ssh_known_hosts which is also used. See the manual page for sshd for an explanation of the format of either register.

Just for information: the above debug is being done from the client machine "linuxclient". The machines are connected in the following manner:

Linuxclient====>bastion====>fileserver

So I will be doing this debug from the Linux client, right?

Code:

ssh -F /home/user1/.ssh/config fileserver

Turbocapitalist 03-09-2017 03:39 AM

Quote:

Originally Posted by TashiDuks (Post 5681027)
Just for information: the above debug is being done from the client machine "linuxclient". The machines are connected in the following manner:

Linuxclient====>bastion====>fileserver

So I will be doing this debug from the Linux client, right?

Code:

ssh -F /home/user1/.ssh/config fileserver

Yes, but NOT as root.

It looks like something is wrong with ~/.ssh/ and or ~/.ssh/config for your normal user account. The client will ignore the directory or file if the permissions or ownerships are wrong.

Edit: the permissions for config should be 600 or 660

( I've tried a few experiments and I would strongly suggest not messing around as root for this so it can be debugged properly. Using root for fiddling around makes a mess, eventually. )

In your regular user's account, make sure that the directory .ssh is owned by that user and not by root and that permissions for .ssh are set to 700. Then, for the config file inside .ssh, check that it is owned by that user and not by root.

TashiDuks 03-15-2017 10:28 PM

Quote:

Originally Posted by Turbocapitalist (Post 5681028)
Yes, but NOT as root.

I have fixed all the ~/.ssh/config files, changing them from root to the users.

In Bastion Machine I have configured following in /home/bastionuser/.ssh/config
Code:

#Jump Host. Directly reachable
Host bastion
      HostName 20.20.20.11
      User bastionuser
      Port 22
      ForwardAgent yes

#Host to Fileserver via Bastion
Host fileserver
      HostName 10.10.10.13
      User user1
      Port 22
      ProxyCommand ssh -W %h:%p bastion

Just to make sure, I have applied the following permission to ~/.ssh/config on the "Bastion" machine
Code:

chmod 600 ~/.ssh/config

Following is what I have tried so far from the "linuxclient" machine:

1. ssh to bastion which seems to be OK
Code:

[linuxclient@linuxclient ~]$ ssh bastionuser@bastion
bastionuser@bastion's password:
Last login: Thu Mar 16 11:10:41 2017 from 20.20.20.15
[bastionuser@bastion ~]$
[bastionuser@bastion ~]$

2. ssh to fileserver which is not working
Code:

[linuxclient@linuxclient ~]$ ssh user1@fileserver
ssh: connect to host fileserver port 22: No route to host
[linuxclient@linuxclient ~]$

3. ssh -F /home/user1/.ssh/config fileserver
Code:

[linuxclient@linuxclient ~]$ ssh -F /home/user1/.ssh/config fileserver
Can't open user config file /home/user1/.ssh/config: No such file or directory
[linuxclient@linuxclient ~]$

But when I do ls on fileserver to check "/home/user1/.ssh/config":
Code:

[user1@fileserver ~]$ ls -la ~/.ssh/
total 4
drwx------. 2 user1 user1  39 Mar 16 11:13 .
drwx------. 3 user1 user1  95 Feb 16 13:30 ..
-rw-------  1 user1 user1  0 Mar 16 11:13 config
-rw-r--r--  1 user1 user1 346 Mar  9 17:01 known_hosts
[user1@fileserver ~]$

I tried ssh using the following parameters (not ProxyCommand), which seems OK:
Code:

[linuxclient@linuxclient ~]$ ssh -t bastionuser@20.20.20.11 'ssh user1@10.10.10.13'
bastionuser@20.20.20.11's password:
user1@10.10.10.13's password:
Last login: Thu Mar 16 11:12:41 2017 from gateway
[user1@fileserver ~]$

Tried debug mode:
Code:

[linuxclient@linuxclient ~]$ ssh -v fileserver
OpenSSH_6.6.1, OpenSSL 1.0.1e-fips 11 Feb 2013
debug1: Reading configuration data /home/linuxclient/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 56: Applying options for *
debug1: Connecting to fileserver [10.10.10.13] port 22.
debug1: connect to address 10.10.10.13 port 22: No route to host
ssh: connect to host fileserver port 22: No route to host
[linuxclient@linuxclient ~]$

Are there any mistakes/errors?

Thanks

Turbocapitalist 03-16-2017 12:38 AM

Quote:

Originally Posted by TashiDuks (Post 5684025)
I have fixed all the ~/.ssh/config to users from root.

In Bastion Machine I have configured following in /home/bastionuser/.ssh/config

That's the exact config file that should be on "linuxclient" instead, if your previous diagram is correct. No changes need to be made to the configuration file on "bastion"

And again, it is unwise to be using root to do all this. The connection should be made as a normal user.

TashiDuks 03-17-2017 01:21 AM

Quote:

Originally Posted by Turbocapitalist (Post 5684040)
That's the exact config file that should be on "linuxclient" instead if you previous diagram is correct. No changes need to be made to the configuration file on "bastion"

And again, it is unwise to be using root to do all this. The connection should be made as a normal user.

I am still facing the issue with ssh from 'linuxclient' to 'fileserver'..

Turbocapitalist 03-17-2017 02:54 AM

On "linuxclient" try the following:

Code:

ssh -o ProxyCommand="ssh -W %h:%p 20.20.20.11" 10.10.10.13
If that fails, then try it in verbose mode and look for errors or warnings:

Code:

ssh -v -o ProxyCommand="ssh -W %h:%p 20.20.20.11" 10.10.10.13
That's where 20.20.20.11 is the ip of the bastion and 10.10.10.13 is the ip of the fileserver you are trying to reach behind it.

TashiDuks 04-13-2017 12:33 AM

Quote:

Originally Posted by Turbocapitalist (Post 5684626)
On "linuxclient" try the following:

Code:

ssh -o ProxyCommand="ssh -W %h:%p 20.20.20.11" 10.10.10.13
If that fails, then try it in verbose mode and look for errors or warnings:

Code:

ssh -v -o ProxyCommand="ssh -W %h:%p 20.20.20.11" 10.10.10.13
That's where 20.20.20.11 is the ip of the bastion and 10.10.10.13 is the ip of the fileserver you are trying to reach behind it.

When i use
Code:

ssh -o ProxyCommand="ssh -W %h:%p 20.20.20.11" 10.10.10.13
it is working fine, but when I use ssh 10.10.10.13 it gives me the following message:
Code:

[linuxclient@linuxclient ~]$ ssh 10.10.10.13
ssh: connect to host 10.10.10.13 port 22: Connection timed out
[linuxclient@linuxclient ~]$

Any additional configuration needed?

Thanks

Turbocapitalist 04-13-2017 01:17 AM

No additional configuration needed. 10.10.10.13 is behind the bastion so it should remain unreachable by direct connections. The use of ProxyCommand is needed and you confirm it works when applied manually with the -o option at runtime.

However, if you want to make the settings permanent and avoid typing them each time you run the SSH client, put them in ~/.ssh/config as mentioned earlier in posts #14 and #18. Note the name of the shortcut. You would not type 'ssh 10.10.10.13' because as you see that would not work. You would instead type 'ssh fileserver' and it will connect you to 10.10.10.13 via the 20.20.20.11 bastion using the configurations in ~/.ssh/config

TashiDuks 04-13-2017 01:49 AM

Quote:

Originally Posted by Turbocapitalist (Post 5696304)
No additional configuration needed. 10.10.10.13 is behind the bastion so it should remain unreachable by direct connections. The use of ProxyCommand is needed and you confirm it works when applied manually with the -o option at runtime.

However, if you want to make the settings permanent and avoid typing them each time you run the SSH client, put them in ~/.ssh/config as mentioned earlier in posts #14 and #18. Note the name of the shortcut. You would not type 'ssh 10.10.10.13' because as you see that would not work. You would instead type 'ssh fileserver' and it will connect you to 10.10.10.13 via the 20.20.20.11 bastion using the configurations in ~/.ssh/config

Ok I got the point but my question;

Let's say 20.20.20.11 is a public IP address which can be pinged (ICMP) by an internet user, and 10.10.10.13 is a private IP address behind the bastion/firewall. Now when an internet user (any) types ssh fileserver or ssh 10.10.10.13, how does the communication take place? How will the bastion receive the request of ssh fileserver or ssh 10.10.10.13?

I need some guidance please.

Turbocapitalist 04-13-2017 02:18 AM

Quote:

Originally Posted by TashiDuks (Post 5696321)
Let's say 20.20.20.11 is public IP Address which can be ping/icmp by internet user and 10.10.10.13 as a private IP Address behind the bastion/firewall. Now when internet user(any) types ssh fileserver or ssh 10.10.10.13 how the communication takes place?

The former, 'ssh fileserver', will work. The latter, 'ssh 10.10.10.13', will fail. Only the former has the right settings in ~/.ssh/config

Quote:

Originally Posted by TashiDuks (Post 5696321)
how the bastion will receive the request of ssh fileserver or ssh 10.10.10.13?

Walk through the configuration given in #14 and #18

The communication to the inside machine happens via the bastion which you have told via the configuration's ProxyCommand which calls the subsequent client using -W to do stdio forwarding for that particular connection onward to the inside host. You can only do that with the config shortcut or by manually using ProxyCommand as an -o option.

If you check you can see that you are logging in first to the bastion then from there onward to the inside machine(s). However, because of the ProxyCommand the bastion is just passing the encrypted connection back and forth.
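The routing that reply describes, as an added example (not code from the thread): it writes the client-side ~/.ssh/config from post #14 and #18 into a scratch directory and uses a small resolver to show which stanza ssh would apply for a given name. "ssh fileserver" picks up HostName 10.10.10.13 and the ProxyCommand through the bastion, while "ssh 10.10.10.13" matches no stanza and is attempted directly, which is why it times out from outside. The addresses and user names are the ones from the thread; the resolver only handles exact aliases and "*" patterns (an assumption kept deliberately simple), and the optional ssh -G call at the end, available in OpenSSH 6.8 and later, asks the real client for its own view when ssh is installed.

```shell
#!/bin/sh
# Added example: the client-side ~/.ssh/config the thread settles on, plus a
# resolver that shows how `ssh NAME` is routed by it. Not code from the thread.

# write_client_config FILE: write the two stanzas that belong on "linuxclient".
write_client_config() {
    cat > "$1" <<'EOF'
# Jump host, directly reachable from the client
Host bastion
    HostName 20.20.20.11
    User bastionuser
    Port 22

# Inside host, reached by stdio forwarding (-W) through the bastion
Host fileserver
    HostName 10.10.10.13
    User user1
    Port 22
    ProxyCommand ssh -W %h:%p bastion
EOF
    chmod 600 "$1"
}

# resolve_option FILE NAME KEY: print the value of KEY that `ssh NAME` would
# use. Only stanzas whose Host pattern is NAME itself or "*" apply, and the
# first value found wins, as in ssh_config(5). Prints nothing if no stanza
# matches, which is what happens for a bare IP like 10.10.10.13.
resolve_option() {
    awk -v name="$2" -v key="$3" '
        tolower($1) == "host" {
            in_block = 0
            for (i = 2; i <= NF; i++) if ($i == name || $i == "*") in_block = 1
            next
        }
        in_block && tolower($1) == tolower(key) && !found {
            sub(/^[ \t]*[^ \t]+[ \t]+/, "")   # drop the key, keep the value
            print
            found = 1
        }
    ' "$1"
}

# explain FILE NAME: one line describing how `ssh NAME` is routed.
explain() {
    host=$(resolve_option "$1" "$2" HostName)
    proxy=$(resolve_option "$1" "$2" ProxyCommand)
    if [ -n "$proxy" ]; then
        echo "ssh $2 -> ${host:-$2} via: $proxy"
    else
        echo "ssh $2 -> ${host:-$2} directly (no ProxyCommand; unreachable from outside)"
    fi
}

# Stand-alone run: build the config in a scratch directory and explain both
# forms of the command the thread compares.
tmp=$(mktemp -d)
cfg="$tmp/config"
write_client_config "$cfg"
explain "$cfg" fileserver
explain "$cfg" 10.10.10.13
# When a real OpenSSH client is present, let it print its own resolved view.
if command -v ssh >/dev/null 2>&1; then
    ssh -G -F "$cfg" fileserver 2>/dev/null | grep -i -E '^(hostname|proxycommand) ' || true
fi
rm -rf "$tmp"
```

Nothing on the bastion needs to change for this: the ProxyCommand runs a second ssh client on the client machine, which logs into the bastion and relays the inside host's port over its stdio, so the bastion only ever shuttles the still-encrypted inner session.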
