LinuxQuestions.org
Old 03-16-2017, 12:38 AM   #31
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 5,513
Blog Entries: 3

Rep: Reputation: 2784

Quote:
Originally Posted by TashiDuks
I have fixed all the ~/.ssh/config to users from root.

In the bastion machine I have configured the following in /home/bastionuser/.ssh/config
That's the exact config file that should be on "linuxclient" instead, if your previous diagram is correct. No changes need to be made to the configuration file on "bastion".

And again, it is unwise to be using root to do all this. The connection should be made as a normal user.
 
Old 03-17-2017, 01:21 AM   #32
TashiDuks
Member
 
Registered: Sep 2010
Posts: 54

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by Turbocapitalist
That's the exact config file that should be on "linuxclient" instead, if your previous diagram is correct. No changes need to be made to the configuration file on "bastion".

And again, it is unwise to be using root to do all this. The connection should be made as a normal user.
I am still facing the issue with ssh from 'linuxclient' to 'fileserver'.
 
Old 03-17-2017, 02:54 AM   #33
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 5,513
Blog Entries: 3

Rep: Reputation: 2784
On "linuxclient" try the following:

Code:
ssh -o ProxyCommand="ssh -W %h:%p 20.20.20.11" 10.10.10.13
If that fails, then try it in verbose mode and look for errors or warnings:

Code:
ssh -v -o ProxyCommand="ssh -W %h:%p 20.20.20.11" 10.10.10.13
That's where 20.20.20.11 is the IP of the bastion and 10.10.10.13 is the IP of the fileserver you are trying to reach behind it.

Last edited by Turbocapitalist; 03-17-2017 at 02:57 AM.
 
Old 04-13-2017, 12:33 AM   #34
TashiDuks
Member
 
Registered: Sep 2010
Posts: 54

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by Turbocapitalist
On "linuxclient" try the following:

Code:
ssh -o ProxyCommand="ssh -W %h:%p 20.20.20.11" 10.10.10.13
If that fails, then try it in verbose mode and look for errors or warnings:

Code:
ssh -v -o ProxyCommand="ssh -W %h:%p 20.20.20.11" 10.10.10.13
That's where 20.20.20.11 is the IP of the bastion and 10.10.10.13 is the IP of the fileserver you are trying to reach behind it.
When I use
Code:
ssh -o ProxyCommand="ssh -W %h:%p 20.20.20.11" 10.10.10.13
it is working fine, but when I use ssh 10.10.10.13 it gives me the following message:
Code:
[linuxclient@linuxclient ~]$ ssh 10.10.10.13
ssh: connect to host 10.10.10.13 port 22: Connection timed out
[linuxclient@linuxclient ~]$

Any additional configuration needed?

Thanks
 
Old 04-13-2017, 01:17 AM   #35
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 5,513
Blog Entries: 3

Rep: Reputation: 2784
No additional configuration needed. 10.10.10.13 is behind the bastion so it should remain unreachable by direct connections. The use of ProxyCommand is needed and you confirm it works when applied manually with the -o option at runtime.

However, if you want to make the settings permanent and avoid typing them each time you run the SSH client, put them in ~/.ssh/config as mentioned earlier in posts #14 and #18. Note the name of the shortcut. You would not type 'ssh 10.10.10.13' because, as you see, that would not work. You would instead type 'ssh fileserver' and it will connect you to 10.10.10.13 via the 20.20.20.11 bastion using the configuration in ~/.ssh/config.
 
Old 04-13-2017, 01:49 AM   #36
TashiDuks
Member
 
Registered: Sep 2010
Posts: 54

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by Turbocapitalist
No additional configuration needed. 10.10.10.13 is behind the bastion so it should remain unreachable by direct connections. The use of ProxyCommand is needed and you confirm it works when applied manually with the -o option at runtime.

However, if you want to make the settings permanent and avoid typing them each time you run the SSH client, put them in ~/.ssh/config as mentioned earlier in posts #14 and #18. Note the name of the shortcut. You would not type 'ssh 10.10.10.13' because, as you see, that would not work. You would instead type 'ssh fileserver' and it will connect you to 10.10.10.13 via the 20.20.20.11 bastion using the configuration in ~/.ssh/config.
OK, I got the point, but my question:

Let's say 20.20.20.11 is a public IP address which can be pinged (ICMP) by an internet user, and 10.10.10.13 is a private IP address behind the bastion/firewall. Now, when any internet user types ssh fileserver or ssh 10.10.10.13, how does the communication take place? How will the bastion receive the request from ssh fileserver or ssh 10.10.10.13?

I need some guidance, please.
 
Old 04-13-2017, 02:18 AM   #37
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 5,513
Blog Entries: 3

Rep: Reputation: 2784
Quote:
Originally Posted by TashiDuks
Let's say 20.20.20.11 is a public IP address which can be pinged (ICMP) by an internet user, and 10.10.10.13 is a private IP address behind the bastion/firewall. Now, when any internet user types ssh fileserver or ssh 10.10.10.13, how does the communication take place?
The former, 'ssh fileserver', will work. The latter, 'ssh 10.10.10.13', will fail. Only the former has the right settings in ~/.ssh/config.

Quote:
Originally Posted by TashiDuks
How will the bastion receive the request from ssh fileserver or ssh 10.10.10.13?
Walk through the configuration given in #14 and #18.

The communication to the inside machine happens via the bastion, which you have told, via the configuration's ProxyCommand, to call a second client with -W to do stdio forwarding for that particular connection onward to the inside host. You can only do that with the config shortcut or by manually using ProxyCommand as an -o option.

If you check you can see that you are logging in first to the bastion then from there onward to the inside machine(s). However, because of the ProxyCommand the bastion is just passing the encrypted connection back and forth.

Last edited by Turbocapitalist; 04-13-2017 at 02:31 AM.
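As an added example that is not part of the thread or either poster's own files, the script below builds the ~/.ssh/config shortcut that posts #35 and #37 describe (the 'ssh fileserver' alias whose ProxyCommand runs a second client with -W through the bastion) and then checks, without connecting anywhere, what the client would actually resolve the alias to. The addresses 20.20.20.11 and 10.10.10.13 are the thread's; the user name bastionuser on the bastion and the temporary config location are assumptions. ssh -G is a real OpenSSH option that prints the evaluated configuration for a host and exits; -F points it at a config file other than ~/.ssh/config, which keeps the check self-contained.

```shell
#!/bin/sh
# Added example, not from the LQ thread: write the "fileserver" shortcut from
# posts #35/#37 into a private config file and verify how ssh resolves it.
# Assumed: user "bastionuser" on the bastion; 20.20.20.11 / 10.10.10.13 are
# the thread's bastion and inside-host addresses.

# Emit a config stanza: $1 alias, $2 inside host, $3 bastion, $4 bastion user.
# The ProxyCommand is the same "ssh -W %h:%p <bastion>" form used in the thread;
# %h and %p are expanded by the outer client to the inside host and port.
make_stanza() {
    alias=$1; inside=$2; bastion=$3; bastion_user=$4
    printf '%s\n' \
      "Host bastion" \
      "    HostName $bastion" \
      "    User $bastion_user" \
      "" \
      "Host $alias" \
      "    HostName $inside" \
      "    # Hop through the bastion; 'ProxyJump bastion' is the newer equivalent." \
      "    ProxyCommand ssh -W %h:%p bastion"
}

# Write the stanza into $1/config with mode 0600, the mode ssh expects for
# its per-user config, and print the resulting path.
write_config() {
    dir=$1
    (
        umask 077
        mkdir -p "$dir"
        make_stanza fileserver 10.10.10.13 20.20.20.11 bastionuser > "$dir/config"
    )
    printf '%s\n' "$dir/config"
}

# Ask the client which real HostName an alias maps to, using ssh -G so no
# connection is attempted. $1 config file, $2 alias.
resolve_hostname() {
    cfg=$1; alias=$2
    ssh -G -F "$cfg" "$alias" | awk '$1 == "hostname" { print $2 }'
}

# Stand-alone usage: build the file, show it, and (if ssh is installed) show
# that "fileserver" resolves to the inside host rather than to the bastion.
if [ "${0##*/}" = "bastion_config.sh" ]; then
    cfg=$(write_config "$(mktemp -d)/ssh")
    cat "$cfg"
    command -v ssh >/dev/null 2>&1 && resolve_hostname "$cfg" fileserver
fi
```

Copying the two Host blocks into ~/.ssh/config on "linuxclient" is all that is needed for 'ssh fileserver' to work; 'ssh 10.10.10.13' still times out because no Host block matches the bare address, which is the behaviour post #35 describes. Running 'ssh -G fileserver' before the first real connection is a cheap way to catch a typo in the alias or address, and 'ssh -v fileserver' shows the ProxyCommand being launched if the hop itself fails.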