SSH Gateway (not just forwarding) with command logging

cejennings_cr · 10-16-2008, 09:45 AM

I want to create a bastion host between a corporate network and a network management network that would look like the following:

User A uses PuTTY to connect to Bastion Host on TCP/2001 (ssh listening here) and the bastion host redirects to a Telnet (TCP/23) connection to old non-ssh capable device (Host X).
All commands that User A issues is recorded on the bastion host (psacct)
User B uses PuTTY to connect to Bastion Host on TCP/2002 (same ssh process as above is also listening here) and the bastion host redirects to a Telnet (TCP/23) connection to old non-ssh capable device (Host Y).
All commands that User B issues is recorded on the bastion host (psacct)

It would be real nice to have a simple configuration file that just says:

Bastion Host port 2001 = remote host X port 23
Bastion Host port 2002 = remote host Y port 23
User A authorized Host X & Host Y
User B authorized Host Y only.

Anyone know of anything that does this? If so, or have any ideas - would greatly appreciate.

slimm609 · 10-16-2008, 11:09 AM

You could just use a script to do something similar but run it on the same port.

make 2 groups
Group A id=1001
Group B id=1002

Code:

#!/bin/bash

#trap any type of escape chars.
trap '' 1 2 3 4 5 6 9 15 19 20

id -G | grep 1001
GROUPA=`echo $?`

if -G | grep 1002
GROUPB=`echo $?`

userdc() {
kill -9 `ps | awk '{ print $1}'` > /dev/null 2>&1
}

if [ "X$GROUPA" == "X0" ]; then
 while [ true ]; do
      echo "Please make a selection ( 1 2 3)"
      echo "1. Telnet Host X"
      echo "2. Telnet Host Y"
      echo "3. Exit"
      read ANSWER
           if [ "$ANSWER" == "1" ]; then
                telnet x.x.x.x 
           elif [ "$ANSWER" == "2" ]; then
  	  telnet y.y.y.y 
           elif [ "$ANSWER" == "3" ]; then
  	userdc
           else
              echo "not a vaild selection.  Try again"
           fi

  done
elif [ "X$GROUPB" == "X0" ]; then
while [ true ]; do
   echo "Please make a selection ( 1 2 )"
   echo "1. Telnet Host Y"
   echo "2. Exit"
   read ANSWER
           if [ "$ANSWER" == "1" ]; then
                telnet y.y.y.y
           elif [ "$ANSWER" == "2" ]; then
  	userdc
           else
              echo "not a vaild selection.  Try again"
           fi
  done
else 
 #DC the user... No questions asked
 userdc
fi

havent tested it but something similar should do the job.

then just call it from

/etc/bashrc

TashiDuks · 02-09-2017, 10:27 PM

Quote:

Originally Posted by cejennings_cr

I want to create a bastion host between a corporate network and a network management network that would look like the following:

User A uses PuTTY to connect to Bastion Host on TCP/2001 (ssh listening here) and the bastion host redirects to a Telnet (TCP/23) connection to old non-ssh capable device (Host X).
All commands that User A issues is recorded on the bastion host (psacct)
User B uses PuTTY to connect to Bastion Host on TCP/2002 (same ssh process as above is also listening here) and the bastion host redirects to a Telnet (TCP/23) connection to old non-ssh capable device (Host Y).
All commands that User B issues is recorded on the bastion host (psacct)

It would be real nice to have a simple configuration file that just says:

Bastion Host port 2001 = remote host X port 23
Bastion Host port 2002 = remote host Y port 23
User A authorized Host X & Host Y
User B authorized Host Y only.

Anyone know of anything that does this? If so, or have any ideas - would greatly appreciate.

Hi,

I am also looking for similar kind of solution for my bastion host. I too posted on same topic (https://www.linuxquestions.org/quest...on-4175599413/) and waiting for someone to response.

Since you have already face similar issue. Would you mind to share me about the solution if you dont mind?

It would really help me.

Thanks