The SSH jump server is the proxy between the client and the rest of the SSH fleet. Jump hosts reduce exposure by forcing all SSH traffic through a single hardened location and minimizing the number of SSH endpoints that individual nodes expose to the outside world. (Read more: “How to set up an SSH jump server”)
One way to configure a multi-hop setup is to store the destination server’s private key on the jump server. Don’t do this. Jump servers are typically multi-user environments, so any single party with elevated privileges can compromise the private key. The common solution to this threat is to enable agent forwarding. Given how widespread this method is, you may be surprised to find that it is not recommended either. Let’s dig a little deeper to understand why.
How does agent forwarding work?
ssh-agent is a key manager that exists as a separate program from SSH. (Read more: “How to manage SSH keys”) It keeps the private keys and certificates used for authentication in memory; it never writes them to disk or exports them. Agent forwarding lets the local agent be reached over an existing SSH connection, so that a remote SSH client can authenticate to the next server using the local agent, which it finds through an environment variable.
Basically, when the SSH client on the jump host receives a key challenge, it forwards that challenge upstream to the local machine. The challenge response is computed there with the locally stored private key and sent downstream to the destination server for authentication. (Read more: “Explanation of SSH Handshake”)
Behind the scenes, ssh-agent binds to a Unix domain socket (its path is published in the $SSH_AUTH_SOCK environment variable) so that other programs can talk to it. The problem is that anyone with root privileges somewhere in the chain can use the created socket to hijack the local ssh-agent. The socket files are well protected by the OS, but the root user can impersonate another user and point the SSH client at an agent of his choosing. In essence, agent forwarding is the same as sharing your private key with everyone who has root on any machine in the chain.
In fact, the ssh man page warns:
“Agent forwarding should be enabled with caution. Users with the ability to bypass file permissions on the remote host (for the agent’s Unix domain socket) can access the local agent through the forwarded connection. An attacker cannot obtain key material from the agent, but can perform operations on the keys that allow it to authenticate using the identities loaded into the agent.”
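Two defender-side checks for the exposure just described, written as an added example (this is not code from the article or from Teleport): the first audits an ssh_config file for any Host block that enables ForwardAgent, the second verifies that the directory holding an agent socket is owned by the current user and closed to everyone else. The config text and directories used in the demo are constructed. As the man page notes, root can bypass file permissions, so the directory check only catches accidental exposure to other unprivileged users; the real fix is to not forward the agent at all.

```shell
#!/bin/sh
# Added example, not from the article: audit for SSH agent-forwarding exposure.

# Print every Host alias in the ssh_config file $1 whose block sets
# "ForwardAgent yes". Keywords are case-insensitive, as in ssh_config(5).
audit_forward_agent() {
  awk 'tolower($1) == "host" { cur = $2 }
       tolower($1) == "forwardagent" && tolower($2) == "yes" { print cur }' "$1"
}

# Return 0 if directory $1 is owned by the current uid and has mode
# drwx------ (no group/other bits), the layout ssh-agent uses for its socket
# directory. Uses ls -ldn (numeric owner) so it works on GNU and BSD userland
# and does not depend on the uid having a passwd entry.
agent_socket_dir_ok() {
  line=$(ls -ldn "$1") || return 1
  perms=$(printf '%s\n' "$line" | cut -c1-10)
  owner=$(printf '%s\n' "$line" | awk '{ print $3 }')
  [ "$perms" = "drwx------" ] && [ "$owner" = "$(id -u)" ]
}

# Report on the live environment: is an agent socket advertised, and is its
# directory private? Exit status 0 when no socket is set or it checks out.
check_live_agent_socket() {
  if [ -z "${SSH_AUTH_SOCK:-}" ]; then
    echo "no agent socket in environment"
    return 0
  fi
  dir=$(dirname "$SSH_AUTH_SOCK")
  if agent_socket_dir_ok "$dir"; then
    echo "agent socket dir $dir is private to uid $(id -u)"
  else
    echo "WARNING: agent socket dir $dir is readable by others or not yours"
    return 1
  fi
}

# Stand-alone demo: audit the user's own config (if any) and the live socket.
case "${1:-}" in
  demo)
    [ -f "$HOME/.ssh/config" ] && audit_forward_agent "$HOME/.ssh/config"
    check_live_agent_socket
    ;;
esac
```

Run it as `sh audit.sh demo` to see the two checks against your own account; any alias printed by the first check is a host for which your client would hand its agent to that host's root. To confirm what the client will actually do for a given host after all Match and wildcard blocks are applied, `ssh -G hostname | grep forwardagent` prints the effective value.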
Use ProxyJump instead
Navigating through a jump server does not actually require agent forwarding. The modern approach is to use ProxyJump, or its command-line equivalent, -J. (Read more: “SSH configuration: ssh_config”)
Instead of forwarding key challenges and responses through the agent, ProxyJump forwards the local client’s stdin and stdout through the jump host to the destination host. This way, we don’t run ssh on jump.example.com at all; the jump host’s sshd opens a direct connection to myserver.example.com and hands control of that connection to the local client.
As an additional benefit, the traffic is encrypted end to end inside the SSH tunnel, so the jump server cannot see what passes through it. The ability to set up a jump server without giving it direct access to the SSH servers behind it is an important component of a secure and proper SSH setup.
Multi-hop Proxy Jump
Let’s simulate a more complex scenario. We are trying to reach an important resource deep inside our corporate network from home. We must first go through an external bastion host with a dynamic IP, then an internal jump host, and finally reach the resource. Each server must be authenticated against a unique key stored on the local machine. (Read more: “Set up an SSH bastion host”)
Again, the local configuration file contains everything you need.
#Used because HostName is unreliable as IP address changes frequently
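The article’s own configuration is not reproduced on this page, so the following is an added example (not the author’s or Teleport’s code) of the three-hop layout just described: a bastion reached directly, a jump host reached through the bastion, and the resource reached through both, each with its own local key and with agent forwarding disabled globally. Hostnames, the user name and the key paths are constructed placeholders, and the bastion is addressed by a DNS name rather than by whatever dynamic-IP workaround the original config used. The helper functions resolve the ProxyJump chain from the config and print the equivalent -J command line, so you can see that the config and the flag express the same thing.

```shell
#!/bin/sh
# Added example, not from the article: build a three-hop ProxyJump client
# config, resolve the jump chain from it, and print the equivalent -J command.
# Hostnames, users and key paths are constructed placeholders.

# Write the client config to the file named in $1.
write_proxyjump_config() {
  cat > "$1" <<'EOF'
# Defaults: no agent forwarding anywhere, and offer only the configured key.
Host *
    ForwardAgent no
    IdentitiesOnly yes

# External bastion, reached directly from home.
Host bastion
    HostName bastion.example.com
    User alice
    IdentityFile ~/.ssh/id_bastion

# Internal jump host, reached through the bastion.
Host jump
    HostName jump.internal.example.com
    User alice
    IdentityFile ~/.ssh/id_jump
    ProxyJump bastion

# The resource itself, reached through bastion then jump.
Host resource
    HostName resource.internal.example.com
    User alice
    IdentityFile ~/.ssh/id_resource
    ProxyJump jump
EOF
}

# Print the hop sequence for alias $2 in config $1, outermost first,
# e.g. "bastion jump resource". Follows ProxyJump entries until a host
# without one is reached.
proxyjump_chain() {
  cfg=$1; hop=$2; chain=$2
  while :; do
    next=$(awk -v h="$hop" '
      tolower($1) == "host"                  { cur = $2 }
      tolower($1) == "proxyjump" && cur == h { print $2; exit }' "$cfg")
    [ -n "$next" ] || break
    chain="$next $chain"
    hop=$next
  done
  printf '%s\n' "$chain"
}

# Print the command line that does the same as the config for alias $2:
# -J takes the intermediate hops, comma-separated, outermost first.
proxyjump_cmdline() {
  jumps=""
  for hop in $(proxyjump_chain "$1" "$2"); do
    [ "$hop" = "$2" ] && continue
    jumps="${jumps:+$jumps,}$hop"
  done
  printf 'ssh -J %s %s\n' "$jumps" "$2"
}

# Stand-alone demo: write the config to a temp file and show what it resolves to.
case "${1:-}" in
  demo)
    tmp=$(mktemp)
    write_proxyjump_config "$tmp"
    proxyjump_chain "$tmp" resource
    proxyjump_cmdline "$tmp" resource
    rm -f "$tmp"
    ;;
esac
```

With this config in ~/.ssh/config, `ssh resource` is all a user types; the client dials bastion, asks its sshd to open a connection to the jump host, repeats that for the resource, and authenticates each hop with the matching IdentityFile from the local disk. Because -J entries are looked up in the same config, `ssh -J bastion,jump resource` behaves identically, which is what the demo prints. IdentitiesOnly stops the client from offering every loaded key to every hop, which keeps the bastion from learning which other identities you hold.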
Now imagine that you need to configure OpenSSH in-house to manage hundreds of environments across multiple cloud providers across the country. (You might scoff at this, but I’ve heard these stories from customers.) It’s impossible to rely solely on ad hoc runtime commands while claiming to maintain a reliable degree of security.
At this scale, effective management of the fleet requires conscious design of subnetworks, DNS, proxy chains, keys, file structures, and more. That design can be expressed in ~/.ssh/ssh_config according to a predictable pattern, or handled with Teleport.
Virag Mody joined Teleport in January 2020 after co-founding a software code auditing company for Ethereum applications. He continues to learn about trending technology and produces high-quality written and video content. In his spare time, he enjoys rock climbing, video games and dog walks.
The New Tech Forum provides a forum for exploring and discussing new enterprise technologies with unprecedented depth and breadth. Choices are subjective and are based on technology choices that we believe are of great importance and greatest concern to InfoWorld readers. InfoWorld does not accept marketing materials for publication and reserves the right to edit all contributed content. All inquiries should be sent to email@example.com.
Copyright © 2021 IDG Communications, Inc.
ProxyJump is more secure than SSH agent forwarding