LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 02-09-2017, 09:38 PM   #1
TashiDuks
Member
 
Registered: Sep 2010
Posts: 54

Bastion Host: Implementing ACL with user group and permission


Hi Everyone,

I have a question about implementing ACLs based on user groups on a bastion host. Recently my boss asked me to find a solution for implementing ACLs based on user groups.

Scenario

Let's say there are three user groups:

1. Web Developer
2. System Administrator
3. Database Admin

This is how it would be connected via internet using SSH:

Users ----->>--Bastion Host --->>----Server(s) [(Web)|(Database)|(ftp)]

How it should work?

For example;
UserA, who belongs to the Web Developer group, should be able to connect only to the web server and its service, and only via SSH.

UserA, who belongs to the Database Admin group, should be able to connect only to the database server, and only via SSH.

He wants "Bastion Host" to allow/deny based on group roles and permission.

Is there any method by which I can achieve this?

Thanks in advance

Last edited by TashiDuks; 02-09-2017 at 09:39 PM.
 
Old 02-09-2017, 11:00 PM   #2
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 5,513
Blog Entries: 3

There's not really an easy way if any of them are still playing around on Windows, which is a very big liability these days. On all other options, the easy way is to use the ProxyJump option in ssh_config. It's also available as a runtime argument, -J:

https://www.openssh.com/txt/release-7.3

Code:
 * ssh(1): Add a ProxyJump option and corresponding -J command-line
   flag to allow simplified indirection through a one or more SSH
   bastions or "jump hosts".
See the manual page for details, or various write-ups on proxies and jump hosts / bastion hosts. If you use either ProxyJump (-J) or stdio forwarding (-W), you do not need to grant shell access on the jump host, though you do need to allow login. That apparent contradiction can be solved by sending the SSH client to the background prior to the execution of the remote program (-f), maybe also at the same time as just plain prevention of using any programs at all (-N). If you are using keys, then this can be specified in the bastion / jump host account's authorized_keys file as well to force the issue automatically.

As for the allow or deny, the bastion can have a Match block in the sshd configuration selecting by Group.
 
Old 02-09-2017, 11:12 PM   #3
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 5,513
Blog Entries: 3

An afterthought: if you are talking about only port forwarding from the client machines to the internal machines behind the bastion / jump host, then you do not need the options above. In that case you are looking at just port forwarding via a single intermediary host. I haven't seen restrictions like the ones you are talking about, but you might be able to do something with --gid-owner from the owner match in iptables-extensions, because at the SSH server level forwarding is either all on or all the way off. Your designers are probably on GNU/Linux or OS X. Any playing around with Windows will, again, be a liability here.
 
Old 02-10-2017, 12:02 AM   #4
TashiDuks
Member
 
Registered: Sep 2010
Posts: 54

Original Poster
Quote:
Originally Posted by Turbocapitalist View Post
An afterthought: if you are talking about only port forwarding from the client machines to the internal machines behind the bastion / jump host, then you do not need the options above. In that case you are looking at just port forwarding via a single intermediary host. I haven't seen restrictions like the ones you are talking about, but you might be able to do something with --gid-owner from the owner match in iptables-extensions, because at the SSH server level forwarding is either all on or all the way off. Your designers are probably on GNU/Linux or OS X. Any playing around with Windows will, again, be a liability here.
Hi,

Thanks for the response. Yeah, I have configured my Bastion Host on CentOS 7. It would be helpful to know what to use to achieve the above-stated scenario.

Regards

Tashi

Last edited by TashiDuks; 02-10-2017 at 12:04 AM.
 
Old 02-10-2017, 12:14 AM   #5
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 5,513
Blog Entries: 3

Quote:
Originally Posted by TashiDuks View Post
Yeah, I have configured my Bastion Host on CentOS 7. It would be helpful to know what to use to achieve the above-stated scenario.
CentOS 7 has OpenSSH 6.6p if I understand correctly. That should be adequate.

However, the real question is what is on the clients. If you want shells on the internal machines, then OpenSSH 7.3 or higher is best. If you are just going to do port forwarding, then it does not matter so much.

Which scenario are you following? Can you give a little more detail?
 
Old 02-10-2017, 01:43 AM   #6
TashiDuks
Member
 
Registered: Sep 2010
Posts: 54

Original Poster
Quote:
Originally Posted by Turbocapitalist View Post
CentOS 7 has OpenSSH 6.6p if I understand correctly. That should be adequate.

However, the real question is what is on the clients. If you want shells on the internal machines, then OpenSSH 7.3 or higher is best. If you are just going to do port forwarding, then it does not matter so much.

Which scenario are you following? Can you give a little more detail?
Well, my scenario is exactly the same as this one posted by another user, but the answer seemed unclear so I had to re-post.



I want to create a bastion host between a corporate network and a network management network that would look like the following:
User A uses PuTTY to connect to the Bastion Host on TCP/2001 (ssh listening here) and the bastion host redirects to a Telnet (TCP/23) connection to an old non-ssh-capable device (Host X).
All commands that User A issues are recorded on the bastion host (psacct).
User B uses PuTTY to connect to the Bastion Host on TCP/2002 (the same ssh process as above is also listening here) and the bastion host redirects to a Telnet (TCP/23) connection to an old non-ssh-capable device (Host Y).
All commands that User B issues are recorded on the bastion host (psacct).

It would be really nice to have a simple configuration file that just says:
Bastion Host port 2001 = remote host X port 23
Bastion Host port 2002 = remote host Y port 23
User A authorized for Host X & Host Y
User B authorized for Host Y only.

Does anyone know of anything that does this? If so, or if you have any ideas, I would greatly appreciate it.
 
Old 02-10-2017, 02:14 AM   #7
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 5,513
Blog Entries: 3

Your system can do that, there is no monolith.

Quote:
Originally Posted by TashiDuks View Post
User A uses PuTTY to connect to Bastion Host on TCP/2001 (ssh listening here) and the bastion host redirects to a Telnet (TCP/23) connection to old non-ssh capable device (Host X).
All commands that User A issues is recorded on the bastion host (psacct)
User B uses PuTTY to connect to Bastion Host on TCP/2002 (same ssh process as above is also listening here) and the bastion host redirects to a Telnet (TCP/23) connection to old non-ssh capable device (Host Y).
All commands that User B issues is recorded on the bastion host (psacct)
Like I said, Windows is a big liability here and not just because of the security shortcomings. You really need to have them upgrade to Linux Mint or CentOS or even OS X; really, anything modern will do. However, we'll ignore that for now. Minus Windows, what you describe is easy ...

Established best practice for connecting over SSH these days requires the use of keys. The public key on the bastion host can contain a forced command. Set that command to telnet hostx 23 for user A. For user B, set theirs to telnet hosty 23. See the manual page for sshd in the section "AUTHORIZED_KEYS FILE FORMAT" for the details.

Steps:

1) make accounts for users A and B on the bastion

2) set up key based authentication for said users
2a) set up read-only keys if that is needed
3) modify keys in authorized_keys to force commands for said users

See the references in the earlier posts.

psacct should pick that much up, but probably won't pick up the contents of the Telnet session. If you are talking about logging the contents of the Telnet session itself, then you can use script, called from each user's key.

Code:
command="script --quiet --append --flush --command 'telnet hostx 23' /var/log/telnet.usera.log" ...
It's been a while since I've looked at telnet so I can't recall if it can escape to the shell. If so then you'll want to use a restricted shell like rbash. That would be step 4.

Last edited by Turbocapitalist; 02-10-2017 at 02:15 AM.
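The forced-command approach from post #7, carried one step further as an added example (this is not code from the thread): a gate script that picks the telnet target from a one-line-per-user policy file of the kind the OP asked for, ignores whatever command the client asked for, and records the whole session with script. The path /usr/local/bin/telnet-gate, the policy file /etc/bastion/telnet-policy, the log location and the user names are assumptions. The authorized_keys options are spelled out individually because the shorthand restrict keyword only arrived in OpenSSH 7.2 and CentOS 7 ships 6.6. Note that script(1) runs its --command through $SHELL -c, so the dead SHELL that blunts telnet's "!" escape is set inside the command, not around script itself.

```shell
#!/bin/sh
# Added example for the telnet-via-bastion scenario (not from the thread).
# Assumed paths: /usr/local/bin/telnet-gate (this file) and the policy file
# /etc/bastion/telnet-policy, one line per bastion account:  <user> <host> <port>

POLICY="${POLICY:-/etc/bastion/telnet-policy}"

# gate_target USER FILE
# Prints "host port" for USER from FILE; exits 1 if USER has no entry.
# Only well-formed 3-field lines count, and only the first match is used.
gate_target() {
    awk -v u="$1" '
        $1 == u && NF == 3 { print $2, $3; found = 1; exit }
        END { exit found ? 0 : 1 }' "$2"
}

# authorized_keys_line PUBKEY
# The entry to install in ~user/.ssh/authorized_keys on the bastion.
# No "restrict" here: that keyword needs OpenSSH 7.2, CentOS 7 has 6.6.
authorized_keys_line() {
    printf '%s,command="/usr/local/bin/telnet-gate" %s\n' \
        'no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-user-rc' "$1"
}

# run_gate: the body of /usr/local/bin/telnet-gate as sshd executes it.
run_gate() {
    user=$(id -un)
    # The client cannot choose the target or run anything else: the command
    # it sent (if any) is ignored; only the policy file decides.
    unset SSH_ORIGINAL_COMMAND
    target=$(gate_target "$user" "$POLICY") || {
        echo "telnet-gate: no target configured for $user" >&2
        exit 1
    }
    set -- $target
    # script(1) runs --command via $SHELL -c, so keep a real shell for that
    # step; telnet's "!" escape consults $SHELL, so hand telnet /bin/false.
    # The account needs append access to its log file.
    export SHELL=/bin/sh
    exec script --quiet --append --flush \
        --command "SHELL=/bin/false exec telnet $1 $2" "/var/log/telnet.$user.log"
}

# Run the gate only when installed under that name; sourcing the file
# elsewhere just defines the functions.
if [ "$(basename "$0")" = telnet-gate ]; then run_gate; fi
```

Setting the bastion accounts' login shell to rbash, as post #7 suggests, is still worthwhile: sshd runs the forced command through that login shell, so a restricted shell limits what a bug in the gate could be turned into.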
 
Old 02-10-2017, 02:19 AM   #8
TashiDuks
Member
 
Registered: Sep 2010
Posts: 54

Original Poster
Quote:
Originally Posted by Turbocapitalist View Post
Established best practice for connecting over SSH these days requires the use of keys. The public key on the bastion host can contain a forced command. Set that command to telnet hostx 23 for user A. For user B, set theirs to telnet hosty 23. [...]
Are there any web links where I can get a reference for configuring this?

Regards
 
Old 02-10-2017, 02:22 AM   #9
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 5,513
Blog Entries: 3

Quote:
Originally Posted by TashiDuks View Post
Is there any web links where i can get the reference to configure this??
Yes. I've included all the links, except for the manual pages. You'll have to read the manual pages for sshd_config, sshd, and the above wikibook chapter sections.

Code:
man sshd_config
man sshd
man script
man telnet
man man
 
Old 02-10-2017, 03:56 AM   #10
r3sistance
Senior Member
 
Registered: Mar 2004
Location: UK
Distribution: CentOS 6/7
Posts: 1,375

SSH keys are the simple way to do this, and if they do enough for you then that is what is recommended. However, if that isn't enough then you can also use outbound rules in iptables to do this. I'm not familiar with whether firewalld supports it, though, and firewalld is the default for CentOS 7.

I believe in iptables you can do this:
Code:
iptables -A OUTPUT -p tcp --dport 22 -d <destination address> -m owner --uid-owner <user> -j ACCEPT
You'd need to carefully configure the whole OUTPUT chain if you went this far, though, but it is an option. Again, there may be a firewalld method to do it, but I am not overly familiar with firewalld. Consider this the far more paranoid way of doing it; I would still recommend using SSH keys if you did set this up anyway.

Last edited by r3sistance; 02-10-2017 at 05:51 AM.
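r3sistance's iptables idea, worked out as an added example (not code from the thread): rules that let a role group reach only its own internal host from the bastion, with every other new connection into the LAN refused. The group names, the inside interface enp0s8 and the addresses from the OP's lab are assumptions. Two caveats a practitioner will want. First, the owner match only sees locally generated packets, which is exactly what an ssh -W or -L forward is: after authentication sshd's per-connection child runs as the logged-in user, so the sockets it opens carry that uid and gid. Second, on CentOS 7's iptables --gid-owner matches the process's primary (effective) group only, not supplementary groups (the --suppl-groups flag is years newer), so either make the role group each account's primary group or emit one --uid-owner rule per user as in post #10. The functions print the commands instead of running them so the rule set can be reviewed before it is piped to sh.

```shell
#!/bin/sh
# Added example (not from the thread): outbound iptables policy on the
# bastion, enforced by the kernel regardless of sshd settings. Names assumed.
LAN_IF="${LAN_IF:-enp0s8}"          # bastion's inside interface (OP's lab)
LAN_NET="${LAN_NET:-10.10.10.0/24}" # the network behind it

# owner_rule KIND OWNER DEST PORT
# KIND is gid or uid. Prints one ACCEPT rule for new TCP connections made by
# processes owned by OWNER to DEST:PORT through the LAN interface.
owner_rule() {
    printf 'iptables -A OUTPUT -o %s -p tcp -d %s --dport %s -m conntrack --ctstate NEW -m owner --%s-owner %s -j ACCEPT\n' \
        "$LAN_IF" "$3" "$4" "$1" "$2"
}

# render_rules FILE
# FILE lines: "<gid|uid> <owner> <dest-ip> <port>", e.g. "gid webdev 10.10.10.12 22".
# Emits the allow rules, then a catch-all REJECT for any other new TCP
# connection from the bastion into the LAN, so what is not listed is refused.
render_rules() {
    awk 'NF == 4 { print $1, $2, $3, $4 }' "$1" | while read -r kind owner dest port; do
        owner_rule "$kind" "$owner" "$dest" "$port"
    done
    # root's own management traffic into the LAN must be listed above as
    # well, or this line blocks it too.
    printf 'iptables -A OUTPUT -o %s -d %s -p tcp -m conntrack --ctstate NEW -j REJECT --reject-with tcp-reset\n' \
        "$LAN_IF" "$LAN_NET"
}

# firewalld_rule KIND OWNER DEST PORT
# The same allow rule through firewalld's direct interface, which is how a
# CentOS 7 box running firewalld (the default) takes raw iptables arguments.
firewalld_rule() {
    printf 'firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 0 -o %s -p tcp -d %s --dport %s -m conntrack --ctstate NEW -m owner --%s-owner %s -j ACCEPT\n' \
        "$LAN_IF" "$3" "$4" "$1" "$2"
}
```

Review the output (render_rules /etc/bastion/lan-policy), then run it with sh; the REJECT line must stay last, which is why it is emitted after the loop rather than taken from the policy file.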
 
Old 03-02-2017, 01:10 AM   #11
TashiDuks
Member
 
Registered: Sep 2010
Posts: 54

Original Poster
Hi Everyone,

This post is a continuation of the above post, with a clear picture of WHAT I WANT TO ACHIEVE.

Connection Overview (All are running in Oracle Virtual Box)
-----------------------------------------------------------
1. BastionHost
Operating System: CentOS7
enp0s8: 10.10.10.11/24
enp0s9: 20.20.20.11/24
User: bastionuser

2. Webserver
Operating System: CentOS7
enp0s3: 10.10.10.12/24
User: webuser

3. Fileserver
Operating System: CentOS7
enp0s3: 10.10.10.13/24
User: user1

4. TestClient (Considered as Internet User)
Operating System: CentOS7
enp0s3: 20.20.20.15/24
User: client1

Logical Diagram
----------------

TestClient(20.20.20.15) ===>> (20.20.20.11)BastionHost(10.10.10.11) ===> Virtual Switch LAN ===> Webserver(10.10.10.12) / Fileserver(10.10.10.13)

Manual connection (ssh)
------------------------

From "TestClient" (Internet), to connect to host "Webserver" or "Fileserver" on the LAN, first ssh to "BastionHost" and from BastionHost ssh again to "Webserver"/"Fileserver".


How it should work?

For example;

"Webuser", who belongs to the Web Developer group, should be able to connect only to the web server and its service, and only via SSH.

User1, who belongs to the Database Admin group, should be able to connect only to the file server, and only via SSH.

He wants "Bastion Host" to allow/deny based on group roles and permissions.

Is there any method by which I can achieve this?

OR
===

Like:

Doing ssh to BastionHost using ssh webuser@bastion will connect to "Webserver" and ssh to BastionHost using ssh user1@bastion will connect to "Fileserver"...


Thanks

Tashi

Last edited by TashiDuks; 03-02-2017 at 01:14 AM.
 
Old 03-02-2017, 01:59 AM   #12
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 5,513
Blog Entries: 3

Quote:
Originally Posted by TashiDuks View Post
Is there any method where i can achieve this?
Yes, but from what I recall CentOS 7 has an old, almost outdated version of OpenSSH (6.6.1p). As such it lacks the ProxyJump (-J) option so you will have to do it the old way with ProxyCommand and stdio forwarding. See Old Methods of Passing Through Jump Hosts in the Wikibook on OpenSSH for a walkthrough.

As far as using the bastion host to allow or deny users, see the manual page for sshd_config:

Code:
man sshd_config
In particular see Match and AllowGroups.

You may have to deal with the groups on the destination machines themselves and not the bastion.
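The Match Group / AllowGroups mechanism pointed at in posts #2 and #12, written out as an added example (not code from the thread). The group names webdev and dba, the hosts from the OP's lab and the client-side file layout are assumptions. The sshd keyword that makes per-destination control possible is PermitOpen: it limits the destinations a client may request with -L, -W or -J, and it is valid inside a Match block, so each group can be pinned to its own internal host. ForceCommand is not decoration: without it a user could run ssh bastion 'ssh 10.10.10.13' and hop from the bastion itself, sidestepping PermitOpen. Every keyword used exists in OpenSSH 6.6, which also means no Include directive, so the generated text has to be appended to /etc/ssh/sshd_config (Match blocks must come last in that file). Two caveats: sshd compares the requested host:port against PermitOpen textually, so list destinations in the form clients will actually ask for (the IP here), and the bastion only decides where a forward may go; who may log in on the web server itself is still that host's own sshd's business, as post #12 says.

```shell
#!/bin/sh
# Added example (not from the thread): generate the bastion's sshd policy and
# a matching client ssh_config from a small policy table. Names/paths assumed.
# Policy file lines:  <group> <dest-host> <dest-port>   e.g. "webdev 10.10.10.12 22"

# match_block GROUP HOST PORT
# Members of GROUP may only use the bastion as a forwarder to HOST:PORT
# (ssh -W / -J / -L): no shell, no TTY, no agent or X11 forwarding.
# PermitOpen is matched textually, so write the host the way clients request it.
match_block() {
    cat <<EOF
Match Group $1
    AllowTcpForwarding yes
    PermitOpen $2:$3
    PermitTTY no
    AllowAgentForwarding no
    X11Forwarding no
    ForceCommand /bin/echo "bastion: forwarding only, no shell here"
EOF
}

# render_sshd_policy FILE
# Prints the text to append to /etc/ssh/sshd_config on the bastion:
# an AllowGroups line first, then one Match block per group (Match must be last).
render_sshd_policy() {
    grp_list=$(awk 'NF == 3 { print $1 }' "$1" | tr '\n' ' ')
    printf '# generated from %s\nAllowGroups %s\n' "$1" "${grp_list% }"
    awk 'NF == 3 { print $1, $2, $3 }' "$1" | while read -r group host port; do
        printf '\n'
        match_block "$group" "$host" "$port"
    done
}

# render_client_config ALIAS HOST BASTION_USER DEST_USER
# Client-side ~/.ssh/config for one destination behind the bastion.
# ProxyCommand with -W works on OpenSSH 6.6 clients; from 7.3 on a single
# "ProxyJump bastion" line can replace it. 20.20.20.11 is the OP's bastion.
render_client_config() {
    cat <<EOF
Host bastion
    HostName 20.20.20.11
    User $3

Host $1
    HostName $2
    User $4
    ProxyCommand ssh -W %h:%p bastion
EOF
}
```

After appending the output to /etc/ssh/sshd_config, run sshd -t to syntax-check it before restarting sshd, and keep an existing session open while you do; a typo in a Match block locks everyone out, including you.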
 
Old 03-07-2017, 10:49 PM   #13
TashiDuks
Member
 
Registered: Sep 2010
Posts: 54

Original Poster
Quote:
Originally Posted by Turbocapitalist View Post
Yes, but from what I recall CentOS 7 has an old, almost outdated version of OpenSSH (6.6.1p). As such it lacks the ProxyJump (-J) option so you will have to do it the old way with ProxyCommand and stdio forwarding. [...] In particular see Match and AllowGroups.
Hi,

I have the following "ProxyCommand" configured in my
Code:
~/.ssh/config
Code:
#Jump Host. Directly reachable
Host bastion
        HostName 20.20.20.11
        User bastionuser
        Port 22

#Host to Fileserver via Bastion
Host fileserver
        HostName 10.10.10.13
        User linuxclient
        ProxyCommand ssh -W %h %p bastion
From the "TestClient" machine I tried doing "ssh" as follows, but it seems not to be working:
Code:
[root@localhost ~]# ssh fileserver
ssh: Could not resolve hostname fileserver: Name or service not known
[root@localhost ~]#
I tried with the IP address:
Code:
[root@localhost ~]# ssh 10.10.10.13
ssh: connect to host 10.10.10.13 port 22: No route to host
[root@localhost ~]#
For testing purposes I tried the following, which seems to work:
Code:
[root@localhost ~]# ssh -A -t -l root 20.20.20.11 ssh -A -t -l root 10.10.10.13
root@20.20.20.11's password: 
root@10.10.10.13's password: 
Last login: Thu Mar  2 11:53:27 2017
[root@fileserver ~]#
Any mistakes with my ProxyCommand?

I used https://en.wikibooks.org/wiki/OpenSS...ugh_Jump_Hosts as reference.

Thanks

Last edited by TashiDuks; 03-07-2017 at 10:50 PM.
 
Old 03-07-2017, 11:02 PM   #14
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 5,513
Blog Entries: 3

Yes, it looks like a colon : is missing from your ProxyCommand between %h and %p.

Testing the middle part also, can you connect to the bastion with ssh bastion alone?

Code:
Host bastion
        Hostname 20.20.20.11
        User bastionuser
        IdentityFile /home/bastionuser/.ssh/machine1_e25519
        Port 22

Host fileserver
        Hostname 10.10.10.13
        User linuxclient
        IdentityFile /home/linuxclient/.ssh/machine2_e25519
        Port 22
        ProxyCommand ssh -W %h:%p bastion
 
Old 03-07-2017, 11:12 PM   #15
TashiDuks
Member
 
Registered: Sep 2010
Posts: 54

Original Poster
Quote:
Originally Posted by Turbocapitalist View Post
Yes, it looks like a colon : is missing from your ProxyCommand between %h and %p.

Testing the middle part also, can you connect to the bastion with ssh bastion alone?

Code:
Host bastion
        Hostname 20.20.20.11
        User bastionuser
        IdentityFile /home/bastionuser/.ssh/machine1_e25519
        Port 22

Host fileserver
        Hostname 10.10.10.13
        User linuxclient
        IdentityFile /home/linuxclient/.ssh/machine2_e25519
        Port 22
        ProxyCommand ssh -W %h:%p bastion
Here is the corrected one:

Code:
#Jump Host. Directly reachable
Host bastion
        HostName 20.20.20.11
        User bastionuser
        IdentityFile /home/bastionuser/.ssh/machine1_e25519
        Port 22

#Host to Fileserver via Bastion
Host fileserver
        HostName 10.10.10.13
        User linuxclient
        IdentityFile /home/bastionuser/.ssh/machine1_e25519
        Port 22
        ProxyCommand ssh -W %h:%p bastion
Still the issue is the same:

Code:
[root@localhost ~]# ssh fileserver
ssh: Could not resolve hostname fileserver: Name or service not known
[root@localhost ~]#

Code:
[root@localhost ~]# ssh 10.10.10.13
ssh: connect to host 10.10.10.13 port 22: No route to host
[root@localhost ~]#


I can connect to the bastion using the IP address, but can't connect using "ssh bastion"; it says "ssh: Could not resolve hostname bastion: Name or service not known".

What is the purpose of the following line:

IdentityFile /home/bastionuser/.ssh/machine1_e25519

Last edited by TashiDuks; 03-07-2017 at 11:13 PM.
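The two errors in posts #13 and #15 say the same thing: the client found no "Host fileserver" / "Host bastion" stanza in any configuration it read, so it handed the alias to DNS as a hostname. OpenSSH reads $HOME/.ssh/config of the user actually running ssh first, then /etc/ssh/ssh_config, and ssh -v prints a "Reading configuration data <path>" line for each file it opens, which is the quickest way to confirm that the file being edited is the file being read (the prompts above show ssh running as root, so the file it looks for is /root/.ssh/config). On the IdentityFile question: it names the private key the client offers for that hop, so the paths in the suggested config live on the TestClient machine, not on the bastion. Below is an added example, not code from the thread: a small ssh_config stanza lookup that reports what an alias would get from a given file, with the OP's stanzas from post #15 embedded as constructed sample input. It only handles the "Keyword value" form used in the thread and exact alias names (wildcard patterns are not evaluated).

```shell
#!/bin/sh
# Added example (not from the thread): look up what an ssh_config file says
# for a Host alias, without running ssh. "Keyword value" form only; exact
# alias names only (wildcard Host patterns are not evaluated).

# ssh_config_lookup FILE ALIAS KEYWORD -> prints the value, exit 1 if unset
ssh_config_lookup() {
    awk -v alias="$2" -v key="$3" '
        /^[ \t]*#/ { next }                 # comment
        NF == 0 { next }                    # blank line
        # a Host line opens a stanza; it is ours if one of its names is ALIAS
        tolower($1) == "host" {
            inside = 0
            for (i = 2; i <= NF; i++) if ($i == alias) inside = 1
            next
        }
        inside && tolower($1) == tolower(key) {
            sub(/^[ \t]*[^ \t]+[ \t]+/, "")   # drop the keyword, keep the value
            print
            found = 1
            exit
        }
        END { exit found ? 0 : 1 }' "$1"
}

# explain_alias FILE ALIAS -> what ssh would do with ALIAS, or why it fails
explain_alias() {
    if [ ! -r "$1" ]; then
        echo "$1 is missing: ssh run by $(id -un) will not read it, so '$2' goes straight to DNS"
        return 1
    fi
    hn=$(ssh_config_lookup "$1" "$2" HostName) || {
        echo "no 'Host $2' stanza in $1: ssh will try to resolve '$2' as a DNS name"
        return 1
    }
    if pc=$(ssh_config_lookup "$1" "$2" ProxyCommand); then
        echo "$2 -> $hn via: $pc"
    else
        echo "$2 -> $hn (direct)"
    fi
}

# Constructed sample input: the OP's client configuration from post #15.
SAMPLE_CONFIG=$(cat <<'EOF'
#Jump Host. Directly reachable
Host bastion
        HostName 20.20.20.11
        User bastionuser
        IdentityFile /home/bastionuser/.ssh/machine1_e25519
        Port 22

#Host to Fileserver via Bastion
Host fileserver
        HostName 10.10.10.13
        User linuxclient
        ProxyCommand ssh -W %h:%p bastion
EOF
)
```

Typical use on the TestClient: explain_alias "$HOME/.ssh/config" fileserver, run as the same user who will run ssh. A "missing" answer for root means the stanzas were written into some other user's home, which is the simplest explanation for the output in post #15 but not the only one.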
 
  

