Bastion SSH Tunneling: Difference between revisions
Jump to navigation
Jump to search
Line 263: | Line 263: | ||
|- | |- | ||
|valign="top" colspan="2"| | |valign="top" colspan="2"| | ||
'''too many authentication failures issue''' | |||
ssh -o PreferredAuthentications=password ${USER}@academia.local | ssh -o PreferredAuthentications=password ${USER}@academia.local | ||
ssh -o IdentityAgent=none ${USER}@academia.local | ssh -o IdentityAgent=none ${USER}@academia.local | ||
Line 271: | Line 272: | ||
IdentityAgent none | IdentityAgent none | ||
IdentitiesOnly yes | IdentitiesOnly yes | ||
PreferredAuthentications password | |||
|} | |} |
Revision as of 05:02, 25 July 2024
Tunnel
if [[ -f ${HOME}/.ssh/config ]]&&[[ -s ${HOME}/.ssh/config ]]&&
[[ "$(grep -c 'gtw.vpc.chorke.org' ${HOME}/.ssh/config)" == 0 ]];then
tee -a ${HOME}/.ssh/config >/dev/null <<EOF
# bastion ssh tunnel
Host gtw.vpc.chorke.org
HostName gtw.vpc.chorke.org
PreferredAuthentications publickey
IdentityFile ~/.ssh/gtw.vpc.chorke.org_rsa
User deploy
EOF
fi
Tunneling
if [[ -f ${HOME}/.ssh/config ]]&&[[ -s ${HOME}/.ssh/config ]]&&
[[ "$(grep -c 'api.vpc.chorke.org' ${HOME}/.ssh/config)" == 0 ]];then
tee -a ${HOME}/.ssh/config >/dev/null <<EOF
# api gateway service
Host api.vpc.chorke.org
HostName api.vpc.chorke.org
ProxyCommand ssh -qW%h:%p gtw.vpc.chorke.org
IdentityFile ~/.ssh/api.vpc.chorke.org_rsa
PreferredAuthentications publickey
PubkeyAcceptedKeyTypes +ssh-rsa
HostKeyAlgorithms +ssh-rsa
User deploy
LocalForward 1983 localhost:1983
LocalForward 2013 localhost:2013
LocalForward 2015 localhost:2015
EOF
fi
|
if [[ -f ${HOME}/.ssh/config ]]&&[[ -s ${HOME}/.ssh/config ]]&&
[[ "$(grep -c 'app.vpc.chorke.org' ${HOME}/.ssh/config)" == 0 ]];then
tee -a ${HOME}/.ssh/config >/dev/null <<EOF
# web portal service
Host app.vpc.chorke.org
HostName app.vpc.chorke.org
ProxyCommand ssh -qW%h:%p gtw.vpc.chorke.org
IdentityFile ~/.ssh/app.vpc.chorke.org_rsa
PreferredAuthentications publickey
PubkeyAcceptedKeyTypes +ssh-rsa
HostKeyAlgorithms +ssh-rsa
User deploy
LocalForward 1983 localhost:1983
LocalForward 2013 localhost:2013
LocalForward 2015 localhost:2015
EOF
fi
|
| |
if [[ -f ${HOME}/.ssh/config ]]&&[[ -s ${HOME}/.ssh/config ]]&&
[[ "$(grep -c 'rds.vpc.chorke.org' ${HOME}/.ssh/config)" == 0 ]];then
tee -a ${HOME}/.ssh/config >/dev/null <<EOF
# psql database service
Host rds.vpc.chorke.org
HostName rds.vpc.chorke.org
ProxyCommand ssh -qW%h:%p gtw.vpc.chorke.org
IdentityFile ~/.ssh/rds.vpc.chorke.org_rsa
PreferredAuthentications publickey
PubkeyAcceptedKeyTypes +ssh-rsa
HostKeyAlgorithms +ssh-rsa
User deploy
EOF
fi
|
# add ssh private key to the ssh-agent
ssh-add ~/.ssh/app.vpc.chorke.org_rsa
ssh-add ~/.ssh/api.vpc.chorke.org_rsa
ssh-add ~/.ssh/rds.vpc.chorke.org_rsa
# forward ssh key to bastion
ssh -A app.vpc.chorke.org
ssh -A api.vpc.chorke.org
ssh -A rds.vpc.chorke.org
# manage ssh key from ssh-agent
ssh-add -d ~/.ssh/app.vpc.chorke.org_rsa
ssh-add -l
ssh-add -L
ssh-aad -D
|
Example
ssh-copy-id -i\
${HOME}/.ssh/vpn.shahed.biz_rsa.pub [email protected]
|
ssh-copy-id -i\
${HOME}/.ssh/git.shahed.biz_rsa.pub [email protected]
|
| |
if [[ -f ${HOME}/.ssh/config ]]&&[[ -s ${HOME}/.ssh/config ]]&&
[[ "$(grep -c 'vpn.shahed.biz' ${HOME}/.ssh/config)" == 0 ]];then
tee -a ${HOME}/.ssh/config >/dev/null <<EOF
# bastion proxy
Host vpn.shahed.biz
HostName vpn.shahed.biz
IdentityFile ~/.ssh/vpn.shahed.biz_rsa
PreferredAuthentications publickey
PubkeyAcceptedKeyTypes +ssh-rsa
HostKeyAlgorithms +ssh-rsa
IdentitiesOnly yes
User bastion
EOF
fi
|
if [[ -f ${HOME}/.ssh/config ]]&&[[ -s ${HOME}/.ssh/config ]]&&
[[ "$(grep -c 'git.shahed.biz' ${HOME}/.ssh/config)" == 0 ]];then
tee -a ${HOME}/.ssh/config >/dev/null <<EOF
# gitlab jenkins
Host git.shahed.biz
HostName git.shahed.biz
ProxyCommand ssh -qW%h:%p vpn.shahed.biz
IdentityFile ~/.ssh/git.shahed.biz_rsa
PreferredAuthentications publickey
PubkeyAcceptedKeyTypes +ssh-rsa
HostKeyAlgorithms +ssh-rsa
IdentitiesOnly yes
User jenkins
EOF
fi
|
| |
if [[ -f ${HOME}/.ssh/config ]]&&[[ -s ${HOME}/.ssh/config ]]&&
[[ "$(grep -c 'Host \*' ${HOME}/.ssh/config)" == 0 ]];then
cat <<EOF | tee -a ${HOME}/.ssh/config >/dev/null
# for all host
Host *
PreferredAuthentications publickey
PubkeyAcceptedKeyTypes +ssh-rsa
HostKeyAlgorithms +ssh-rsa
ServerAliveInterval 60
ServerAliveCountMax 20
IdentitiesOnly yes
AddressFamily inet
Compression yes
LogLevel INFO
Protocol 2
EOF
fi
|
Knowledge
sudo systemctl restart sshd sudo systemctl status ssh |
grep -c '^#[ ]*GatewayPorts[ ]*\(no\|yes\|clientspecified\)$' ./sshd_config
grep -c '^#[ ]*GatewayPorts[ ]*\(\(no\)\|\(yes\)\|\(clientspecified\)\)$' ./sshd_config
| |
| ||
# regexp simple group & escaping
if [[ -f /etc/ssh/sshd_config ]]&&[[ -s /etc/ssh/sshd_config ]]&&
[[ "$(grep -c '#[ ]*GatewayPorts[ ]*\(no\|yes\|clientspecified\)' /etc/ssh/sshd_config)" == 1 ]];then
sed -z 's/#[ ]*GatewayPorts[ ]*\(no\|yes\|clientspecified\)/GatewayPorts yes/' -i /etc/ssh/sshd_config
fi
| ||
| ||
# regexp complex group & escaping
if [[ -f /etc/ssh/sshd_config ]]&&[[ -s /etc/ssh/sshd_config ]]&&
[[ "$(grep -c '#[ ]*GatewayPorts[ ]*\(\(no\)\|\(yes\)\|\(clientspecified\)\)' /etc/ssh/sshd_config)" == 1 ]];then
sed -z 's/#[ ]*GatewayPorts[ ]*\(\(no\)\|\(yes\)\|\(clientspecified\)\)/GatewayPorts yes/' -i /etc/ssh/sshd_config
fi
| ||
| ||
# add ssh private key to agent ssh-add ~/.ssh/gtw.vpc.chorke.org_rsa # forwarded private key ssh -A api.vpc.chorke.org ssh -A app.vpc.chorke.org |
# manage ssh key for ssh-agent ssh-add -d ~/.ssh/gtw.vpc.chorke.org_rsa ssh-add -l ssh-add -D ssh-add -L |
Too many authentication failures ssh-add -l ssh-add -D ssh-add ~/.ssh/gtw.vpc.chorke.org_rsa ssh api.vpc.chorke.org ssh app.vpc.chorke.org |
| ||
too many authentication failures issue ssh -o PreferredAuthentications=password ${USER}@academia.local ssh -o IdentityAgent=none ${USER}@academia.local ssh -o IdentitiesOnly=yes ${USER}@academia.local |
Host *.local IdentityAgent none IdentitiesOnly yes PreferredAuthentications password |