Bastion SSH Tunneling: Difference between revisions
Jump to navigation
Jump to search
(27 intermediate revisions by the same user not shown) | |||
Line 1: | Line 1: | ||
==Tunnel== | ==Tunnel== | ||
< | <syntaxhighlight lang="bash"> | ||
if [[ -f ${HOME}/.ssh/config ]]&&[[ -s ${HOME}/.ssh/config ]]&& | if [[ -f ${HOME}/.ssh/config ]]&&[[ -s ${HOME}/.ssh/config ]]&& | ||
[[ "$(grep -c 'gtw.vpc.chorke.org' ${HOME}/.ssh/config)" == 0 ]];then | [[ "$(grep -c 'gtw.vpc.chorke.org' ${HOME}/.ssh/config)" == 0 ]];then | ||
Line 13: | Line 13: | ||
EOF | EOF | ||
fi | fi | ||
</ | </syntaxhighlight> | ||
==Tunneling== | ==Tunneling== | ||
{| | {| | ||
|valign="top"| | |valign="top"| | ||
< | <syntaxhighlight lang="bash" highlight='8,11,12'> | ||
if [[ -f ${HOME}/.ssh/config ]]&&[[ -s ${HOME}/.ssh/config ]]&& | if [[ -f ${HOME}/.ssh/config ]]&&[[ -s ${HOME}/.ssh/config ]]&& | ||
[[ "$(grep -c 'api.vpc.chorke.org' ${HOME}/.ssh/config)" == 0 ]];then | [[ "$(grep -c 'api.vpc.chorke.org' ${HOME}/.ssh/config)" == 0 ]];then | ||
Line 32: | Line 32: | ||
HostKeyAlgorithms +ssh-rsa | HostKeyAlgorithms +ssh-rsa | ||
User deploy | User deploy | ||
LocalForward 1983 localhost:1983 | |||
LocalForward 2013 localhost:2013 | |||
LocalForward 2015 localhost:2015 | |||
EOF | EOF | ||
fi | fi | ||
</ | </syntaxhighlight> | ||
|valign="top"| | |valign="top"| | ||
< | <syntaxhighlight lang="bash" highlight='8,11,12'> | ||
if [[ -f ${HOME}/.ssh/config ]]&&[[ -s ${HOME}/.ssh/config ]]&& | if [[ -f ${HOME}/.ssh/config ]]&&[[ -s ${HOME}/.ssh/config ]]&& | ||
[[ "$(grep -c 'app.vpc.chorke.org' ${HOME}/.ssh/config)" == 0 ]];then | [[ "$(grep -c 'app.vpc.chorke.org' ${HOME}/.ssh/config)" == 0 ]];then | ||
Line 51: | Line 54: | ||
HostKeyAlgorithms +ssh-rsa | HostKeyAlgorithms +ssh-rsa | ||
User deploy | User deploy | ||
LocalForward 1983 localhost:1983 | |||
LocalForward 2013 localhost:2013 | |||
LocalForward 2015 localhost:2015 | |||
EOF | EOF | ||
fi | fi | ||
</ | </syntaxhighlight> | ||
|- | |- | ||
Line 60: | Line 66: | ||
|- | |- | ||
|valign="top"| | |valign="top"| | ||
< | <syntaxhighlight lang="bash" highlight='8,11,12'> | ||
if [[ -f ${HOME}/.ssh/config ]]&&[[ -s ${HOME}/.ssh/config ]]&& | if [[ -f ${HOME}/.ssh/config ]]&&[[ -s ${HOME}/.ssh/config ]]&& | ||
[[ "$(grep -c 'rds.vpc.chorke.org' ${HOME}/.ssh/config)" == 0 ]];then | [[ "$(grep -c 'rds.vpc.chorke.org' ${HOME}/.ssh/config)" == 0 ]];then | ||
Line 76: | Line 82: | ||
EOF | EOF | ||
fi | fi | ||
</ | </syntaxhighlight> | ||
|valign="bottom"| | |valign="bottom"| | ||
< | <syntaxhighlight lang="bash" highlight='2,7,12'> | ||
# ssh private key | # add ssh private key to the ssh-agent | ||
ssh-add ~/.ssh/app.vpc.chorke.org_rsa | ssh-add ~/.ssh/app.vpc.chorke.org_rsa | ||
ssh-add ~/.ssh/api.vpc.chorke.org_rsa | ssh-add ~/.ssh/api.vpc.chorke.org_rsa | ||
ssh-add ~/.ssh/rds.vpc.chorke.org_rsa | ssh-add ~/.ssh/rds.vpc.chorke.org_rsa | ||
# | # forward ssh key to bastion | ||
ssh -A app.vpc.chorke.org | ssh -A app.vpc.chorke.org | ||
ssh -A api.vpc.chorke.org | ssh -A api.vpc.chorke.org | ||
Line 94: | Line 100: | ||
ssh-add -L | ssh-add -L | ||
ssh-aad -D | ssh-aad -D | ||
</ | </syntaxhighlight> | ||
|} | |||
==Example== | |||
{| | |||
|valign="top"| | |||
<syntaxhighlight lang="bash"> | |||
ssh-copy-id -i\ | |||
${HOME}/.ssh/vpn.shahed.biz_rsa.pub [email protected] | |||
</syntaxhighlight> | |||
|valign="top"| | |||
<syntaxhighlight lang="bash"> | |||
ssh-copy-id -i\ | |||
${HOME}/.ssh/git.shahed.biz_rsa.pub [email protected] | |||
</syntaxhighlight> | |||
|- | |||
|colspan="2"| | |||
---- | |||
|- | |||
|valign="top"| | |||
<syntaxhighlight lang="bash" highlight='9-12'> | |||
if [[ -f ${HOME}/.ssh/config ]]&&[[ -s ${HOME}/.ssh/config ]]&& | |||
[[ "$(grep -c 'vpn.shahed.biz' ${HOME}/.ssh/config)" == 0 ]];then | |||
tee -a ${HOME}/.ssh/config >/dev/null <<EOF | |||
# bastion proxy | |||
Host vpn.shahed.biz | |||
HostName vpn.shahed.biz | |||
IdentityFile ~/.ssh/vpn.shahed.biz_rsa | |||
PreferredAuthentications publickey | |||
PubkeyAcceptedKeyTypes +ssh-rsa | |||
HostKeyAlgorithms +ssh-rsa | |||
IdentitiesOnly yes | |||
User bastion | |||
EOF | |||
fi | |||
</syntaxhighlight> | |||
|valign="top"| | |||
<syntaxhighlight lang="bash" highlight='8,10-13'> | |||
if [[ -f ${HOME}/.ssh/config ]]&&[[ -s ${HOME}/.ssh/config ]]&& | |||
[[ "$(grep -c 'git.shahed.biz' ${HOME}/.ssh/config)" == 0 ]];then | |||
tee -a ${HOME}/.ssh/config >/dev/null <<EOF | |||
# gitlab jenkins | |||
Host git.shahed.biz | |||
HostName git.shahed.biz | |||
ProxyCommand ssh -qW%h:%p vpn.shahed.biz | |||
IdentityFile ~/.ssh/git.shahed.biz_rsa | |||
PreferredAuthentications publickey | |||
PubkeyAcceptedKeyTypes +ssh-rsa | |||
HostKeyAlgorithms +ssh-rsa | |||
IdentitiesOnly yes | |||
User jenkins | |||
EOF | |||
fi | |||
</syntaxhighlight> | |||
|- | |||
|colspan="2"| | |||
---- | |||
|- | |||
|valign="top"| | |||
<syntaxhighlight lang="bash" highlight='6-12'> | |||
if [[ -f ${HOME}/.ssh/config ]]&&[[ -s ${HOME}/.ssh/config ]]&& | |||
[[ "$(grep -c 'Host \*' ${HOME}/.ssh/config)" == 0 ]];then | |||
cat <<EOF | tee -a ${HOME}/.ssh/config >/dev/null | |||
# for all host | |||
Host * | |||
PreferredAuthentications publickey | |||
PubkeyAcceptedKeyTypes +ssh-rsa | |||
HostKeyAlgorithms +ssh-rsa | |||
ServerAliveInterval 60 | |||
ServerAliveCountMax 20 | |||
IdentitiesOnly yes | |||
AddressFamily inet | |||
Compression yes | |||
LogLevel INFO | |||
Protocol 2 | |||
EOF | |||
fi | |||
</syntaxhighlight> | |||
|valign="top"| | |||
|} | |} | ||
Line 104: | Line 198: | ||
sudo systemctl status ssh | sudo systemctl status ssh | ||
|valign="top"| | |valign="top" colspan="2"| | ||
<syntaxhighlight lang="bash"> | |||
grep -c '^#[ ]*GatewayPorts[ ]*\(no\|yes\|clientspecified\)$' ./sshd_config | |||
grep -c '^#[ ]*GatewayPorts[ ]*\(\(no\)\|\(yes\)\|\(clientspecified\)\)$' ./sshd_config | |||
</syntaxhighlight> | |||
|- | |||
|colspan="3"| | |||
---- | |||
|- | |||
|valign="top" colspan="3"| | |||
<syntaxhighlight lang="bash"> | |||
# regexp simple group & escaping | |||
if [[ -f /etc/ssh/sshd_config ]]&&[[ -s /etc/ssh/sshd_config ]]&& | |||
[[ "$(grep -c '#[ ]*GatewayPorts[ ]*\(no\|yes\|clientspecified\)' /etc/ssh/sshd_config)" == 1 ]];then | |||
sed -z 's/#[ ]*GatewayPorts[ ]*\(no\|yes\|clientspecified\)/GatewayPorts yes/' -i /etc/ssh/sshd_config | |||
fi | |||
</syntaxhighlight> | |||
|valign="top"| | |- | ||
|colspan="3"| | |||
---- | |||
|- | |||
|valign="top" colspan="3"| | |||
<syntaxhighlight lang="bash"> | |||
# regexp complex group & escaping | |||
if [[ -f /etc/ssh/sshd_config ]]&&[[ -s /etc/ssh/sshd_config ]]&& | |||
[[ "$(grep -c '#[ ]*GatewayPorts[ ]*\(\(no\)\|\(yes\)\|\(clientspecified\)\)' /etc/ssh/sshd_config)" == 1 ]];then | |||
sed -z 's/#[ ]*GatewayPorts[ ]*\(\(no\)\|\(yes\)\|\(clientspecified\)\)/GatewayPorts yes/' -i /etc/ssh/sshd_config | |||
fi | |||
</syntaxhighlight> | |||
|- | |- | ||
Line 112: | Line 234: | ||
---- | ---- | ||
|- | |- | ||
|valign="top"| | |||
'''# add ssh private key to agent''' | |||
ssh-add ~/.ssh/gtw.vpc.chorke.org_rsa | |||
'''# forwarded private key''' | |||
ssh -A api.vpc.chorke.org | |||
ssh -A app.vpc.chorke.org | |||
|valign="top"| | |valign="top"| | ||
'''# manage ssh key for ssh-agent''' | |||
ssh-add -d ~/.ssh/gtw.vpc.chorke.org_rsa | |||
ssh-add -l | |||
ssh-add -D | |||
ssh-add -L | |||
|valign="top"| | |valign="top"| | ||
'''Too many authentication failures''' | |||
ssh-add -l | |||
ssh-add -D | |||
ssh-add ~/.ssh/gtw.vpc.chorke.org_rsa | |||
ssh api.vpc.chorke.org | |||
ssh app.vpc.chorke.org | |||
|- | |||
|colspan="3"| | |||
---- | |||
|- | |||
|valign="top" colspan="2"| | |||
'''too many authentication failures issue''' | |||
ssh -o PreferredAuthentications=password ${USER}@academia.local | |||
ssh -o IdentityAgent=none ${USER}@academia.local | |||
ssh -o IdentitiesOnly=yes ${USER}@academia.local | |||
|valign="top"| | |valign="top"| | ||
Host *.local | |||
IdentityAgent none | |||
IdentitiesOnly yes | |||
PreferredAuthentications password | |||
|} | |} | ||
Line 136: | Line 291: | ||
| valign="top" | | | valign="top" | | ||
* [https://www.ssh.com/academy/ssh/tunneling-example SSH Tunneling: Examples, Command & Server Config] | |||
* [https://unix.stackexchange.com/questions/292038/ Add Multiple Local Forward to <code>~/.ssh/config</code>] | |||
* [https://stackoverflow.com/questions/58270768/ Add Remote Forward to <code>~/.ssh/config</code>] | |||
* [https://serverfault.com/questions/1052158/ Add Local Forward to <code>~/.ssh/config</code>] | |||
* [https://unix.stackexchange.com/questions/58969/ Keys added to ssh-agent with ssh-add] | * [https://unix.stackexchange.com/questions/58969/ Keys added to ssh-agent with ssh-add] | ||
* [https://www.digitalocean.com/community/tutorials/using-grep-regular-expressions-to-search-for-text-patterns-in-linux Grep & Regular Expressions to Search] | |||
* [https://unix.stackexchange.com/questions/518568/ Restart ssh-agent Without Relogin] | * [https://unix.stackexchange.com/questions/518568/ Restart ssh-agent Without Relogin] | ||
* [[Sed Replace A Multi-Line String]] | * [[Sed Replace A Multi-Line String]] | ||
* [[AWS CLI|AWS » CLI]] | |||
* [[AWS]] | |||
| valign="top" | | | valign="top" | | ||
* [https://serverfault.com/questions/1159599/ SSH server » Ubuntu » Change the default port] | |||
* [https://stackoverflow.com/questions/4549945/ <code>rsync</code> » Specify a different ssh port] | |||
* [[OpenSSL]] | |||
* [[CIDR]] | |||
* [[UFW]] | |||
|- | |- |
Latest revision as of 11:52, 1 November 2024
Tunnel
if [[ -f ${HOME}/.ssh/config ]]&&[[ -s ${HOME}/.ssh/config ]]&&
[[ "$(grep -c 'gtw.vpc.chorke.org' ${HOME}/.ssh/config)" == 0 ]];then
tee -a ${HOME}/.ssh/config >/dev/null <<EOF
# bastion ssh tunnel
Host gtw.vpc.chorke.org
HostName gtw.vpc.chorke.org
PreferredAuthentications publickey
IdentityFile ~/.ssh/gtw.vpc.chorke.org_rsa
User deploy
EOF
fi
Tunneling
if [[ -f ${HOME}/.ssh/config ]]&&[[ -s ${HOME}/.ssh/config ]]&&
[[ "$(grep -c 'api.vpc.chorke.org' ${HOME}/.ssh/config)" == 0 ]];then
tee -a ${HOME}/.ssh/config >/dev/null <<EOF
# api gateway service
Host api.vpc.chorke.org
HostName api.vpc.chorke.org
ProxyCommand ssh -qW%h:%p gtw.vpc.chorke.org
IdentityFile ~/.ssh/api.vpc.chorke.org_rsa
PreferredAuthentications publickey
PubkeyAcceptedKeyTypes +ssh-rsa
HostKeyAlgorithms +ssh-rsa
User deploy
LocalForward 1983 localhost:1983
LocalForward 2013 localhost:2013
LocalForward 2015 localhost:2015
EOF
fi
|
if [[ -f ${HOME}/.ssh/config ]]&&[[ -s ${HOME}/.ssh/config ]]&&
[[ "$(grep -c 'app.vpc.chorke.org' ${HOME}/.ssh/config)" == 0 ]];then
tee -a ${HOME}/.ssh/config >/dev/null <<EOF
# web portal service
Host app.vpc.chorke.org
HostName app.vpc.chorke.org
ProxyCommand ssh -qW%h:%p gtw.vpc.chorke.org
IdentityFile ~/.ssh/app.vpc.chorke.org_rsa
PreferredAuthentications publickey
PubkeyAcceptedKeyTypes +ssh-rsa
HostKeyAlgorithms +ssh-rsa
User deploy
LocalForward 1983 localhost:1983
LocalForward 2013 localhost:2013
LocalForward 2015 localhost:2015
EOF
fi
|
| |
if [[ -f ${HOME}/.ssh/config ]]&&[[ -s ${HOME}/.ssh/config ]]&&
[[ "$(grep -c 'rds.vpc.chorke.org' ${HOME}/.ssh/config)" == 0 ]];then
tee -a ${HOME}/.ssh/config >/dev/null <<EOF
# psql database service
Host rds.vpc.chorke.org
HostName rds.vpc.chorke.org
ProxyCommand ssh -qW%h:%p gtw.vpc.chorke.org
IdentityFile ~/.ssh/rds.vpc.chorke.org_rsa
PreferredAuthentications publickey
PubkeyAcceptedKeyTypes +ssh-rsa
HostKeyAlgorithms +ssh-rsa
User deploy
EOF
fi
|
# add ssh private key to the ssh-agent
ssh-add ~/.ssh/app.vpc.chorke.org_rsa
ssh-add ~/.ssh/api.vpc.chorke.org_rsa
ssh-add ~/.ssh/rds.vpc.chorke.org_rsa
# forward ssh key to bastion
ssh -A app.vpc.chorke.org
ssh -A api.vpc.chorke.org
ssh -A rds.vpc.chorke.org
# manage ssh key from ssh-agent
ssh-add -d ~/.ssh/app.vpc.chorke.org_rsa
ssh-add -l
ssh-add -L
ssh-aad -D
|
Example
ssh-copy-id -i\
${HOME}/.ssh/vpn.shahed.biz_rsa.pub [email protected]
|
ssh-copy-id -i\
${HOME}/.ssh/git.shahed.biz_rsa.pub [email protected]
|
| |
if [[ -f ${HOME}/.ssh/config ]]&&[[ -s ${HOME}/.ssh/config ]]&&
[[ "$(grep -c 'vpn.shahed.biz' ${HOME}/.ssh/config)" == 0 ]];then
tee -a ${HOME}/.ssh/config >/dev/null <<EOF
# bastion proxy
Host vpn.shahed.biz
HostName vpn.shahed.biz
IdentityFile ~/.ssh/vpn.shahed.biz_rsa
PreferredAuthentications publickey
PubkeyAcceptedKeyTypes +ssh-rsa
HostKeyAlgorithms +ssh-rsa
IdentitiesOnly yes
User bastion
EOF
fi
|
if [[ -f ${HOME}/.ssh/config ]]&&[[ -s ${HOME}/.ssh/config ]]&&
[[ "$(grep -c 'git.shahed.biz' ${HOME}/.ssh/config)" == 0 ]];then
tee -a ${HOME}/.ssh/config >/dev/null <<EOF
# gitlab jenkins
Host git.shahed.biz
HostName git.shahed.biz
ProxyCommand ssh -qW%h:%p vpn.shahed.biz
IdentityFile ~/.ssh/git.shahed.biz_rsa
PreferredAuthentications publickey
PubkeyAcceptedKeyTypes +ssh-rsa
HostKeyAlgorithms +ssh-rsa
IdentitiesOnly yes
User jenkins
EOF
fi
|
| |
if [[ -f ${HOME}/.ssh/config ]]&&[[ -s ${HOME}/.ssh/config ]]&&
[[ "$(grep -c 'Host \*' ${HOME}/.ssh/config)" == 0 ]];then
cat <<EOF | tee -a ${HOME}/.ssh/config >/dev/null
# for all host
Host *
PreferredAuthentications publickey
PubkeyAcceptedKeyTypes +ssh-rsa
HostKeyAlgorithms +ssh-rsa
ServerAliveInterval 60
ServerAliveCountMax 20
IdentitiesOnly yes
AddressFamily inet
Compression yes
LogLevel INFO
Protocol 2
EOF
fi
|
Knowledge
sudo systemctl restart sshd sudo systemctl status ssh |
grep -c '^#[ ]*GatewayPorts[ ]*\(no\|yes\|clientspecified\)$' ./sshd_config
grep -c '^#[ ]*GatewayPorts[ ]*\(\(no\)\|\(yes\)\|\(clientspecified\)\)$' ./sshd_config
| |
| ||
# regexp simple group & escaping
if [[ -f /etc/ssh/sshd_config ]]&&[[ -s /etc/ssh/sshd_config ]]&&
[[ "$(grep -c '#[ ]*GatewayPorts[ ]*\(no\|yes\|clientspecified\)' /etc/ssh/sshd_config)" == 1 ]];then
sed -z 's/#[ ]*GatewayPorts[ ]*\(no\|yes\|clientspecified\)/GatewayPorts yes/' -i /etc/ssh/sshd_config
fi
| ||
| ||
# regexp complex group & escaping
if [[ -f /etc/ssh/sshd_config ]]&&[[ -s /etc/ssh/sshd_config ]]&&
[[ "$(grep -c '#[ ]*GatewayPorts[ ]*\(\(no\)\|\(yes\)\|\(clientspecified\)\)' /etc/ssh/sshd_config)" == 1 ]];then
sed -z 's/#[ ]*GatewayPorts[ ]*\(\(no\)\|\(yes\)\|\(clientspecified\)\)/GatewayPorts yes/' -i /etc/ssh/sshd_config
fi
| ||
| ||
# add ssh private key to agent ssh-add ~/.ssh/gtw.vpc.chorke.org_rsa # forwarded private key ssh -A api.vpc.chorke.org ssh -A app.vpc.chorke.org |
# manage ssh key for ssh-agent ssh-add -d ~/.ssh/gtw.vpc.chorke.org_rsa ssh-add -l ssh-add -D ssh-add -L |
Too many authentication failures ssh-add -l ssh-add -D ssh-add ~/.ssh/gtw.vpc.chorke.org_rsa ssh api.vpc.chorke.org ssh app.vpc.chorke.org |
| ||
too many authentication failures issue ssh -o PreferredAuthentications=password ${USER}@academia.local ssh -o IdentityAgent=none ${USER}@academia.local ssh -o IdentitiesOnly=yes ${USER}@academia.local |
Host *.local IdentityAgent none IdentitiesOnly yes PreferredAuthentications password |