Bastion Host: Implementing ACL with user group and permission
Hi Everyone,

I have a question about implementing ACL based on user groups on a bastion host. Recently my boss has asked me to find out the solution about implementing ACL based on user groups.

Scenario

Let's say there are three user groups:
1. Web Developer
2. System Administrator
3. Database Admin

This is how it would be connected via the internet using SSH:

Users ----->>-- Bastion Host --->>---- Server(s) [(Web)|(Database)|(ftp)]

How it should work? For example; UserA who belongs to the Web Developer group should be able to connect only to the web server and its service, only via SSH. UserA who belongs to the Database Admin group should be able to connect only to the database server, only via SSH.

He wants the "Bastion Host" to allow/deny based on group roles and permission. Is there any method where I can achieve this?

Thanks in advance
There's not really an easy way if any are still playing around on Windows, which is a very big liability these days. On all other options, the easy way is to use the ProxyJump option in ssh_config. It's also available as a runtime argument -J
https://www.openssh.com/txt/release-7.3
Code:
* ssh(1): Add a ProxyJump option and corresponding -J command-line

As for the allow or deny, the bastion can have a Match block in the sshd configuration selecting by Group.
An afterthought: if you are talking about only port forwarding from the client machines to the internal machines behind the bastion / jump host, then you do not need the options above. In that case you are looking at just port forwarding via a single intermediary host. I haven't seen restrictions like you are talking about, but you might be able to do something with the iptables-extensions --gid-owner in iptables, because at the SSH server level forwarding is either all on or all the way off. Your designers are probably on GNU/Linux or OS X. Any playing around with Windows will, again, be a liability here.
Quote:
Thanks for the response. Yeah, I have configured my Bastion Host on CentOS 7. It would be helpful to know what to use to achieve the above-stated scenario.

Regards
Tashi
Quote:
However, the real question is what is on the clients. If you want shells on the internal machines, then OpenSSH 7.3 or higher is best. If you are just going to do port forwarding, then it does not matter so much. Which scenario are you following? Can you give a little more detail?
Quote:
I want to create a bastion host between a corporate network and a network management network that would look like the following:

User A uses PuTTY to connect to the Bastion Host on TCP/2001 (ssh listening here) and the bastion host redirects to a Telnet (TCP/23) connection to an old non-ssh-capable device (Host X). All commands that User A issues are recorded on the bastion host (psacct).

User B uses PuTTY to connect to the Bastion Host on TCP/2002 (the same ssh process as above is also listening here) and the bastion host redirects to a Telnet (TCP/23) connection to an old non-ssh-capable device (Host Y). All commands that User B issues are recorded on the bastion host (psacct).

It would be real nice to have a simple configuration file that just says:
Bastion Host port 2001 = remote host X port 23
Bastion Host port 2002 = remote host Y port 23
User A authorized Host X & Host Y
User B authorized Host Y only.

Anyone know of anything that does this? If so, or have any ideas - would greatly appreciate.
Your system can do that, there is no monolith.
Quote:
Established best practices for connecting on SSH these days require the use of keys. The public key on the bastion host can contain a forced command. Set that command to telnet hostx 23 for user A. For user B, set theirs to telnet hosty 23. See the manual page for sshd in the section "AUTHORIZED_KEYS FILE FORMAT" for the details.

Steps:
1) make accounts for users A and B on the bastion
2) set up key based authentication for said users
2a) set up read-only keys if that is needed
3) modify keys in authorized_keys to force commands for said users

See the references in the earlier posts. psacct should pick that much up, but probably won't pick up the contents of the Telnet session. If you are talking about logging the contents of the Telnet session itself, then you can use script, called from each user's key.
Code:
command="script --quiet --append --flush --command 'telnet hostx 23' /var/log/telnet.usera.log" ...
Quote:
Regards
Quote:
Code:
man sshd_config
SSH keys are the simple way to do this, and if they do enough for you then that is what is recommended. However, if that isn't enough then you can also use outbound rules in iptables to do this; not familiar if firewalld supports it though, and firewalld is the default for CentOS 7.

I believe in iptables you can do this:
Code:
iptables -A OUTPUT -p tcp --dport 22 -d <destination address> -m owner --uid-owner <user> -j ACCEPT
You'd need to carefully configure the whole OUTPUT chain if you went this far though, but it is an option. Again there may be a firewalld method to do it but I am not overly familiar with firewalld. Consider this the far more paranoid way of doing it; would still recommend using SSH keys if you did set this up anyway.
Hi Everyone,
This post is a continuation of the above-stated post with a clear picture of WHAT I WANT TO ACHIEVE.

Connection Overview (all are running in Oracle VirtualBox)
-----------------------------------------------------------
1. BastionHost
   Operating System: CentOS7
   enp0s8: 10.10.10.11/24
   enp0s9: 20.20.20.11/24
   User: bastionuser
2. Webserver
   Operating System: CentOS7
   enp0s3: 10.10.10.12/24
   User: webuser
3. Fileserver
   Operating System: CentOS7
   enp0s3: 10.10.10.13/24
   User: user1
4. TestClient (considered as Internet User)
   Operating System: CentOS7
   enp0s3: 20.20.20.15/24
   User: client1

Logical Diagram
----------------
TestClient(20.20.20.15) ===>> (20.20.20.11)BastionHost(10.10.10.11) ===> Virtual Switch LAN ===> Webserver(10.10.10.12) / Fileserver(10.10.10.13)

Manual connection (ssh)
------------------------
From "TestClient" (Internet), to connect to host "Webserver" or "Fileserver" on the LAN, first ssh to "BastionHost" and from BastionHost again ssh to "Webserver"/"Fileserver".

How it should work? For example; "Webuser" who belongs to the Web Developer group should be able to connect only to the web server and its service, only via SSH. User1 who belongs to the Database Admin group should be able to connect only to the file server, only via SSH. He wants the "Bastion Host" to allow/deny based on group roles and permission. Is there any method where I can achieve this?

OR
===
Like: Doing ssh to BastionHost using ssh webuser@bastion will connect to "Webserver" and ssh to BastionHost using ssh user1@bastion will connect to "Fileserver"...

Thanks
Tashi
Quote:
As far as using the bastion host to allow or deny users, see the manual page for sshd_config:
Code:
man sshd_config
You may have to deal with the groups on the destination machines themselves and not the bastion.
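One way to write the per-group allow/deny on the bastion with sshd_config Match blocks, as an added example and not configuration from this thread. The group names webdev and dbadmin (and wheel for bastion administrators) are assumed; the addresses follow the scenario posted above.

```sshconfig
# /etc/ssh/sshd_config on the bastion (added example, not from the thread).
# Assumed groups: webdev and dbadmin, created with groupadd and containing
# the bastion accounts; wheel is assumed to hold bastion administrators.

# Nobody outside these groups gets past authentication at all.
AllowGroups wheel webdev dbadmin

# Defaults for everyone: no forwarding of any kind. The Match blocks
# below re-enable only what each group needs.
AllowTcpForwarding no
AllowAgentForwarding no
X11Forwarding no
PermitTunnel no

# Web developers: a ProxyCommand "ssh -W" (or ProxyJump) opens a
# direct-tcpip channel on the bastion, and PermitOpen limits that channel
# to the web server's SSH port. No TTY and no shell on the bastion itself,
# so the account cannot hop onward by hand to other LAN hosts.
Match Group webdev
    AllowTcpForwarding yes
    PermitOpen 10.10.10.12:22
    PermitTTY no
    ForceCommand /bin/false

# File/database admins: same pattern, different destination. An account
# in both groups only gets the first matching block's PermitOpen; list
# both targets in one block for such accounts instead.
Match Group dbadmin
    AllowTcpForwarding yes
    PermitOpen 10.10.10.13:22
    PermitTTY no
    ForceCommand /bin/false
```

Check what a given account would get with sshd -T -C user=webuser,addr=20.20.20.15 before restarting sshd. PermitOpen only constrains forwarded channels, which is why the blocks also deny a shell; an account that keeps a shell on the bastion can still ssh onward to anything the bastion reaches, the case the iptables owner match earlier in the thread addresses.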
Quote:
I have got the following "ProxyCommand" configured in my
Code:
~/.ssh/config
Code:
#Jump Host. Directly reachable
Code:
[root@localhost ~]# ssh fileserver
Code:
[root@localhost ~]# ssh 10.10.10.13
Code:
[root@localhost ~]# ssh -A -t -l root 20.20.20.11 ssh -A -t -l root 10.10.10.13
I used https://en.wikibooks.org/wiki/OpenSS...ugh_Jump_Hosts as reference. Thanks
Yes, it looks like a colon : is missing from your ProxyCommand between %h and %p.
Testing the middle part also, can you connect to the bastion with ssh bastion alone?
Code:
Host bastion
Quote:
Code:
#Jump Host. Directly reachable
[root@localhost ~]# ssh fileserver
ssh: Could not resolve hostname fileserver: Name or service not known
[root@localhost ~]#
[root@localhost ~]# ssh 10.10.10.13
ssh: connect to host 10.10.10.13 port 22: No route to host
[root@localhost ~]#
I can connect to the bastion using the IP address; I can't connect using "ssh bastion", it says "ssh: Could not resolve hostname bastion: Name or service not known".

What is the purpose of the following line:
IdentityFile /home/bastionuser/.ssh/machine1_e25519
Quote:
Quote:
Code:
man ssh_config
Quote:
Quote:
Quote:
Code:
#Jump Host. Directly reachable
What is then in /root/.ssh/config?
It should be more or less this:
Code:
#Jump Host. Directly reachable
The one you have posted above will not work because of that.
Quote:
Code:
#Jump Host. Directly reachable
Code:
ssh -t root@20.20.20.11 'ssh user1@10.10.10.13'
The only thing is I cannot ssh using ssh fileserver or ssh 10.10.10.13. When I use ssh fileserver it says:
[root@localhost ~]# ssh fileserver
ssh: Could not resolve hostname fileserver: Name or service not known
When I use ssh 10.10.10.13 it says:
[root@localhost ~]# ssh 10.10.10.13
ssh: connect to host 10.10.10.13 port 22: No route to host
Quote:
Code:
ssh bastion
Quote:
Code:
[root@localhost ~]# ssh bastion
What if you look at a more verbose connection attempt?
Code:
ssh -v fileserver
Code:
lsb_release -rd
Quote:
I tried restarting; still the problem is the same. Thanks
Quote:
Code:
[root@linuxclient ~]# ssh -v fileserver
Code:
[root@linuxclient ~]# ssh bastion
Quote:
Connecting to the bastion works, so we don't need to test that anymore. Now we need to debug the stdio forwarding. I'm not surprised that a restart had no effect, that is as it should be.
But you need to find a line like this in one of the -v outputs: Code:
debug1: /home/user1/.ssh/config line n: Applying options for fileserver
Quote:
[root@linuxclient ~]# ssh -v fileserver
OpenSSH_6.6.1, OpenSSL 1.0.1e-fips 11 Feb 2013
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 56: Applying options for *
debug1: Connecting to fileserver [10.10.10.13] port 22.
debug1: connect to address 10.10.10.13 port 22: No route to host
ssh: connect to host fileserver port 22: No route to host
What could be the problem? Can you tell me why the file named known_hosts is listed under ~/.ssh/?
Code:
# ls
Quote:
If you are logging in from the user1 account, try this to force which configuration file the client looks for:
Code:
ssh -F /home/user1/.ssh/config fileserver
Quote:
Quote:
Linuxclient====>bastion====>fileserver
So I will be doing this debug from the Linux client, right?
Code:
ssh -F /home/user1/.ssh/config fileserver
Quote:
It looks like something is wrong with ~/.ssh/ and/or ~/.ssh/config for your normal user account. The client will ignore the directory or file if the permissions or ownerships are wrong.

Edit: the permissions for config should be 600 or 660.

(I've tried a few experiments and I would strongly suggest not messing around as root for this so it can be debugged properly. Using root for fiddling around makes a mess, eventually.)

In your regular user's account, make sure that the directory .ssh is owned by that user and not by root and that permissions for .ssh are set to 700. Then for the config file inside .ssh, check that it is owned by that user and not by root.
Quote:
In the Bastion machine I have configured the following in /home/bastionuser/.ssh/config
Code:
#Jump Host. Directly reachable
Code:
chmod 600 ~/.ssh/config
1. ssh to bastion, which seems to be OK
Code:
[linuxclient@linuxclient ~]$ ssh bastionuser@bastion
Code:
[linuxclient@linuxclient ~]$ ssh user1@fileserver
Code:
[linuxclient@linuxclient ~]$ ssh -F /home/user1/.ssh/config fileserver
Code:
[user1@fileserver ~]$ ls -la ~/.ssh/
Code:
[linuxclient@linuxclient ~]$ ssh -t bastionuser@20.20.20.11 'ssh user1@10.10.10.13'
Code:
[linuxclient@linuxclient ~]$ ssh -v fileserver
Thanks
Quote:
And again, it is unwise to be using root to do all this. The connection should be made as a normal user.
Quote:
On "linuxclient" try the following:
Code:
ssh -o ProxyCommand="ssh -W %h:%p 20.20.20.11" 10.10.10.13
Code:
ssh -v -o ProxyCommand="ssh -W %h:%p 20.20.20.11" 10.10.10.13
Quote:
Code:
ssh -o ProxyCommand="ssh -W %h:%p 20.20.20.11" 10.10.10.13
[linuxclient@linuxclient ~]$ ssh 10.10.10.13
ssh: connect to host 10.10.10.13 port 22: Connection timed out
[linuxclient@linuxclient ~]$
Any additional configuration needed? Thanks
No additional configuration needed. 10.10.10.13 is behind the bastion so it should remain unreachable by direct connections. The use of ProxyCommand is needed and you confirm it works when applied manually with the -o option at runtime.
However, if you want to make the settings permanent and avoid typing them each time you run the SSH client, put them in ~/.ssh/config as mentioned earlier in posts #14 and #18. Note the name of the shortcut. You would not type 'ssh 10.10.10.13' because, as you see, that would not work. You would instead type 'ssh fileserver' and it will connect you to 10.10.10.13 via the 20.20.20.11 bastion using the configuration in ~/.ssh/config.
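A complete client-side ~/.ssh/config for the setup discussed in this thread, as an added example (the thread's own file did not survive extraction, and this is not that file). The key file name and the Host aliases are assumed; addresses and user names follow the posts above.

```sshconfig
# ~/.ssh/config on the client at 20.20.20.15 (added example, not the
# thread's file). Must be owned by the logged-in user, mode 600, inside a
# ~/.ssh owned by that user with mode 700, or the client silently skips it.

Host bastion
    HostName 20.20.20.11
    User bastionuser
    IdentityFile ~/.ssh/bastion_ed25519   # assumed key file name

# Inside hosts: the client first connects to "bastion", then asks it to
# forward stdio to %h:%p. The colon between %h and %p is the character
# found missing earlier in this thread; without it the target is malformed.
Host fileserver
    HostName 10.10.10.13
    User user1
    ProxyCommand ssh -W %h:%p bastion

Host webserver
    HostName 10.10.10.12
    User webuser
    ProxyCommand ssh -W %h:%p bastion

# On a client with OpenSSH 7.3 or newer, "ProxyJump bastion" can replace
# each ProxyCommand line above.
```

With this in place, ssh -v fileserver must print a "... .ssh/config line n: Applying options for fileserver" line; if only /etc/ssh/ssh_config is reported, as in the debug output above, the client is not reading the file (wrong account, owner or mode).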
Quote:
Let's say 20.20.20.11 is a public IP address which can be pinged (ICMP) by an internet user and 10.10.10.13 is a private IP address behind the bastion/firewall. Now when an internet user (any) types ssh fileserver or ssh 10.10.10.13, how does the communication take place? How will the bastion receive the request of ssh fileserver or ssh 10.10.10.13? Need some guidance please.
Quote:
Quote:
The communication to the inside machine happens via the bastion, which you have told via the configuration's ProxyCommand, which calls the subsequent client using -W to do stdio forwarding for that particular connection onward to the inside host. You can only do that with the config shortcut or by manually using ProxyCommand as an -o option. If you check you can see that you are logging in first to the bastion, then from there onward to the inside machine(s). However, because of the ProxyCommand the bastion is just passing the encrypted connection back and forth.