Bastion SSH Tunneling: Difference between revisions
Line 257: | Line 257: | ||
ssh api.vpc.chorke.org | ssh api.vpc.chorke.org | ||
ssh app.vpc.chorke.org | ssh app.vpc.chorke.org | ||
|- | |||
|colspan="3"| | |||
---- | |||
|- | |||
|valign="top" colspan="2"| | |||
ssh -o PreferredAuthentications=password [email protected] | |||
ssh -o IdentityAgent=none [email protected] | |||
ssh -o IdentitiesOnly=yes [email protected] | |||
|valign="top"| | |||
|valign="top"| | |||
|} | |} |
Revision as of 04:21, 25 July 2024
Tunnel
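# Append the bastion stanza to ~/.ssh/config exactly once.
# A missing or empty config is created (dir 0700, file 0600 — ssh rejects a config
# that others can write) instead of being silently skipped, which is what the old
# "-f && -s" guard did on a fresh machine.
ssh_config="${HOME}/.ssh/config"
if [[ ! -s "${ssh_config}" ]]; then
  mkdir -p -m 700 "${HOME}/.ssh"
  (umask 077 && : >>"${ssh_config}")
fi
# idempotency check matches the Host line itself, not any line mentioning the name
if ! grep -qE '^[[:space:]]*Host[[:space:]]+gtw\.vpc\.chorke\.org([[:space:]]|$)' "${ssh_config}"; then
  cat >>"${ssh_config}" <<'EOF'
# bastion ssh tunnel
Host gtw.vpc.chorke.org
  HostName gtw.vpc.chorke.org
  PreferredAuthentications publickey
  IdentityFile ~/.ssh/gtw.vpc.chorke.org_rsa
  User deploy
EOF
fi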
Tunneling
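# Append the api stanza to ~/.ssh/config exactly once, creating the config (0600)
# when it is missing or empty rather than skipping as the old "-f && -s" guard did.
ssh_config="${HOME}/.ssh/config"
if [[ ! -s "${ssh_config}" ]]; then
  mkdir -p -m 700 "${HOME}/.ssh"
  (umask 077 && : >>"${ssh_config}")
fi
# idempotency check matches the Host line itself, not any line mentioning the name
if ! grep -qE '^[[:space:]]*Host[[:space:]]+api\.vpc\.chorke\.org([[:space:]]|$)' "${ssh_config}"; then
  # ProxyCommand "ssh -W" tunnels this connection's stdio through the bastion;
  # authentication to both hops happens from this client, so no agent forwarding
  # is needed for the hop itself.
  # "+ssh-rsa" re-enables SHA-1 RSA signatures that OpenSSH 8.8+ disables by
  # default — keep it only while the server cannot negotiate rsa-sha2-256/512.
  # The LocalForward ports are the same three as the app stanza, so if both
  # sessions are open at once the second one fails to bind them (non-fatal).
  cat >>"${ssh_config}" <<'EOF'
# api gateway service
Host api.vpc.chorke.org
  HostName api.vpc.chorke.org
  ProxyCommand ssh -qW%h:%p gtw.vpc.chorke.org
  IdentityFile ~/.ssh/api.vpc.chorke.org_rsa
  PreferredAuthentications publickey
  PubkeyAcceptedKeyTypes +ssh-rsa
  HostKeyAlgorithms +ssh-rsa
  User deploy
  LocalForward 1983 localhost:1983
  LocalForward 2013 localhost:2013
  LocalForward 2015 localhost:2015
EOF
fi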
|
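# Append the app stanza to ~/.ssh/config exactly once, creating the config (0600)
# when it is missing or empty rather than skipping as the old "-f && -s" guard did.
ssh_config="${HOME}/.ssh/config"
if [[ ! -s "${ssh_config}" ]]; then
  mkdir -p -m 700 "${HOME}/.ssh"
  (umask 077 && : >>"${ssh_config}")
fi
# idempotency check matches the Host line itself, not any line mentioning the name
if ! grep -qE '^[[:space:]]*Host[[:space:]]+app\.vpc\.chorke\.org([[:space:]]|$)' "${ssh_config}"; then
  # ProxyCommand "ssh -W" tunnels stdio through the bastion; both hops authenticate
  # from this client, so agent forwarding is not required for the hop.
  # "+ssh-rsa" re-enables SHA-1 RSA signatures that OpenSSH 8.8+ disables by
  # default — keep it only while the server cannot negotiate rsa-sha2-256/512.
  # These LocalForward ports duplicate the api stanza's; only one of the two
  # sessions can hold them at a time (the second bind fails, non-fatally).
  cat >>"${ssh_config}" <<'EOF'
# web portal service
Host app.vpc.chorke.org
  HostName app.vpc.chorke.org
  ProxyCommand ssh -qW%h:%p gtw.vpc.chorke.org
  IdentityFile ~/.ssh/app.vpc.chorke.org_rsa
  PreferredAuthentications publickey
  PubkeyAcceptedKeyTypes +ssh-rsa
  HostKeyAlgorithms +ssh-rsa
  User deploy
  LocalForward 1983 localhost:1983
  LocalForward 2013 localhost:2013
  LocalForward 2015 localhost:2015
EOF
fi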
|
| |
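# Append the rds stanza to ~/.ssh/config exactly once, creating the config (0600)
# when it is missing or empty rather than skipping as the old "-f && -s" guard did.
ssh_config="${HOME}/.ssh/config"
if [[ ! -s "${ssh_config}" ]]; then
  mkdir -p -m 700 "${HOME}/.ssh"
  (umask 077 && : >>"${ssh_config}")
fi
# idempotency check matches the Host line itself, not any line mentioning the name
if ! grep -qE '^[[:space:]]*Host[[:space:]]+rds\.vpc\.chorke\.org([[:space:]]|$)' "${ssh_config}"; then
  # ProxyCommand "ssh -W" tunnels stdio through the bastion; both hops authenticate
  # from this client. "+ssh-rsa" re-enables SHA-1 RSA signatures that OpenSSH 8.8+
  # disables by default — keep it only while the server cannot do rsa-sha2-*.
  cat >>"${ssh_config}" <<'EOF'
# psql database service
Host rds.vpc.chorke.org
  HostName rds.vpc.chorke.org
  ProxyCommand ssh -qW%h:%p gtw.vpc.chorke.org
  IdentityFile ~/.ssh/rds.vpc.chorke.org_rsa
  PreferredAuthentications publickey
  PubkeyAcceptedKeyTypes +ssh-rsa
  HostKeyAlgorithms +ssh-rsa
  User deploy
EOF
fi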
|
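# add ssh private keys to the running ssh-agent (prompts for each passphrase)
ssh-add ~/.ssh/app.vpc.chorke.org_rsa
ssh-add ~/.ssh/api.vpc.chorke.org_rsa
ssh-add ~/.ssh/rds.vpc.chorke.org_rsa
# -A forwards the agent socket to the remote host, so anyone with root there can
# sign with every loaded key for the life of the session. The ProxyCommand hop in
# ~/.ssh/config does not need it — drop -A unless a command on the target host
# must itself authenticate onward with these keys.
ssh -A app.vpc.chorke.org
ssh -A api.vpc.chorke.org
ssh -A rds.vpc.chorke.org
# manage keys held by ssh-agent
ssh-add -d ~/.ssh/app.vpc.chorke.org_rsa   # remove one key
ssh-add -l                                 # list fingerprints of loaded keys
ssh-add -L                                 # list public keys of loaded keys
ssh-add -D                                 # remove all keys (was mistyped "ssh-aad")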
|
Example
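# install the bastion public key on the remote account; the path is quoted and
# passed as a separate argument instead of being glued to -i by a line continuation
ssh-copy-id -i "${HOME}/.ssh/vpn.shahed.biz_rsa.pub" [email protected]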
|
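# install the gitlab/jenkins public key on the remote account; the path is quoted
# and passed as a separate argument instead of being glued to -i by a line continuation
ssh-copy-id -i "${HOME}/.ssh/git.shahed.biz_rsa.pub" [email protected]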
|
| |
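# Append the bastion proxy stanza to ~/.ssh/config exactly once, creating the
# config (0600) when missing or empty rather than skipping as "-f && -s" did.
ssh_config="${HOME}/.ssh/config"
if [[ ! -s "${ssh_config}" ]]; then
  mkdir -p -m 700 "${HOME}/.ssh"
  (umask 077 && : >>"${ssh_config}")
fi
# idempotency check matches the Host line itself, not any line mentioning the name
if ! grep -qE '^[[:space:]]*Host[[:space:]]+vpn\.shahed\.biz([[:space:]]|$)' "${ssh_config}"; then
  # IdentitiesOnly yes offers only the listed IdentityFile, not every agent key —
  # this is what avoids the server's "Too many authentication failures".
  # "+ssh-rsa" re-enables SHA-1 RSA signatures that OpenSSH 8.8+ disables by
  # default — keep it only while the server cannot negotiate rsa-sha2-256/512.
  cat >>"${ssh_config}" <<'EOF'
# bastion proxy
Host vpn.shahed.biz
  HostName vpn.shahed.biz
  IdentityFile ~/.ssh/vpn.shahed.biz_rsa
  PreferredAuthentications publickey
  PubkeyAcceptedKeyTypes +ssh-rsa
  HostKeyAlgorithms +ssh-rsa
  IdentitiesOnly yes
  User bastion
EOF
fi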
|
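# Append the gitlab/jenkins stanza to ~/.ssh/config exactly once, creating the
# config (0600) when missing or empty rather than skipping as "-f && -s" did.
ssh_config="${HOME}/.ssh/config"
if [[ ! -s "${ssh_config}" ]]; then
  mkdir -p -m 700 "${HOME}/.ssh"
  (umask 077 && : >>"${ssh_config}")
fi
# idempotency check matches the Host line itself, not any line mentioning the name
if ! grep -qE '^[[:space:]]*Host[[:space:]]+git\.shahed\.biz([[:space:]]|$)' "${ssh_config}"; then
  # ProxyCommand "ssh -W" tunnels stdio through vpn.shahed.biz; both hops
  # authenticate from this client, so no agent forwarding is needed for the hop.
  # IdentitiesOnly yes offers only the listed IdentityFile, not every agent key.
  # "+ssh-rsa" re-enables SHA-1 RSA signatures that OpenSSH 8.8+ disables by
  # default — keep it only while the server cannot negotiate rsa-sha2-256/512.
  cat >>"${ssh_config}" <<'EOF'
# gitlab jenkins
Host git.shahed.biz
  HostName git.shahed.biz
  ProxyCommand ssh -qW%h:%p vpn.shahed.biz
  IdentityFile ~/.ssh/git.shahed.biz_rsa
  PreferredAuthentications publickey
  PubkeyAcceptedKeyTypes +ssh-rsa
  HostKeyAlgorithms +ssh-rsa
  IdentitiesOnly yes
  User jenkins
EOF
fi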
|
| |
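# Append a global "Host *" stanza to ~/.ssh/config exactly once, creating the
# config (0600) when missing or empty rather than skipping as "-f && -s" did.
# The useless "cat | tee" is replaced by a plain append.
ssh_config="${HOME}/.ssh/config"
if [[ ! -s "${ssh_config}" ]]; then
  mkdir -p -m 700 "${HOME}/.ssh"
  (umask 077 && : >>"${ssh_config}")
fi
# appended last on purpose: ssh keeps the first value it sees for each option, so
# a trailing "Host *" supplies defaults without overriding per-host stanzas above
if ! grep -qE '^[[:space:]]*Host[[:space:]]+\*([[:space:]]|$)' "${ssh_config}"; then
  # "+ssh-rsa" here re-enables SHA-1 RSA signatures for EVERY host; scope it to
  # the hosts that still need it rather than weakening all connections.
  # IdentitiesOnly yes offers only configured IdentityFile keys, not every agent
  # key, which is what triggers "Too many authentication failures".
  # LogLevel INFO is the default, and Protocol 2 is a no-op on current OpenSSH
  # (protocol 1 support was removed); both are kept for compatibility.
  cat >>"${ssh_config}" <<'EOF'
# for all host
Host *
  PreferredAuthentications publickey
  PubkeyAcceptedKeyTypes +ssh-rsa
  HostKeyAlgorithms +ssh-rsa
  ServerAliveInterval 60
  ServerAliveCountMax 20
  IdentitiesOnly yes
  AddressFamily inet
  Compression yes
  LogLevel INFO
  Protocol 2
EOF
fi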
|
Knowledge
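# restart the daemon after editing sshd_config, then confirm it came back up;
# the unit is "sshd" on RHEL-family systems and "ssh" on Debian/Ubuntu, so use
# whichever name exists locally for both commands (validate with "sshd -t" first)
sudo systemctl restart sshd
sudo systemctl status ssh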
# Count commented-out GatewayPorts lines, written as ERE (-E): groups and
# alternation need no backslashes, otherwise identical to the BRE form.
grep -cE '^#[ ]*GatewayPorts[ ]*(no|yes|clientspecified)$' ./sshd_config
# same match with each alternative in its own (redundant) sub-group
grep -cE '^#[ ]*GatewayPorts[ ]*((no)|(yes)|(clientspecified))$' ./sshd_config
| ||
| |||
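# regexp simple group & escaping
# Uncomment "#GatewayPorts ..." and force it to "yes". The pattern is anchored
# with ^ so only the directive at line start matches, and sed runs line-wise
# (no -z) to agree with the line-counting grep guard; under that guard both
# forms rewrite the same single line. Run "sshd -t" before restarting sshd.
# Caveat: GatewayPorts yes makes every "ssh -R" listener on this host bind to
# all interfaces; "clientspecified" lets the client pick the bind address.
sshd_config=/etc/ssh/sshd_config
if [[ -f "${sshd_config}" && -s "${sshd_config}" ]] &&
  [[ "$(grep -c '^#[ ]*GatewayPorts[ ]*\(no\|yes\|clientspecified\)' "${sshd_config}")" == 1 ]]; then
  sed -i 's/^#[ ]*GatewayPorts[ ]*\(no\|yes\|clientspecified\)/GatewayPorts yes/' "${sshd_config}"
fi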
| |||
| |||
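# regexp complex group & escaping
# Same rewrite as the simple form; the nested \(..\) groups are functionally
# redundant and only illustrate BRE escaping. Anchored with ^ and run line-wise
# (no -z) to agree with the line-counting grep guard. Run "sshd -t" afterwards.
# Caveat: GatewayPorts yes exposes every "ssh -R" listener on all interfaces of
# this host; prefer "clientspecified" if only some forwards must be reachable.
sshd_config=/etc/ssh/sshd_config
if [[ -f "${sshd_config}" && -s "${sshd_config}" ]] &&
  [[ "$(grep -c '^#[ ]*GatewayPorts[ ]*\(\(no\)\|\(yes\)\|\(clientspecified\)\)' "${sshd_config}")" == 1 ]]; then
  sed -i 's/^#[ ]*GatewayPorts[ ]*\(\(no\)\|\(yes\)\|\(clientspecified\)\)/GatewayPorts yes/' "${sshd_config}"
fi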
| |||
| |||
# load the bastion private key into the running ssh-agent
ssh-add ~/.ssh/gtw.vpc.chorke.org_rsa
# connect with agent forwarding (-A): the remote host can sign with every loaded
# key while the session lasts, so only use it when a command there needs to
# authenticate onward — the ProxyCommand hop itself does not require it
ssh -A api.vpc.chorke.org
ssh -A app.vpc.chorke.org
# housekeeping for keys held by ssh-agent
ssh-add -d ~/.ssh/gtw.vpc.chorke.org_rsa   # drop just the bastion key
ssh-add -l                                 # fingerprints of loaded keys
ssh-add -D                                 # drop every loaded key
ssh-add -L                                 # public halves of loaded keys
# "Too many authentication failures": the agent offered more keys than the
# server's MaxAuthTries allows. Empty the agent, load only the key needed,
# then reconnect (IdentitiesOnly yes in ~/.ssh/config avoids this permanently).
ssh-add -l
ssh-add -D
ssh-add ~/.ssh/gtw.vpc.chorke.org_rsa
ssh api.vpc.chorke.org
ssh app.vpc.chorke.org
| |||
# one-off overrides of ~/.ssh/config for troubleshooting a login
ssh -o PreferredAuthentications=password [email protected]   # skip pubkey, prompt for password
ssh -o IdentityAgent=none [email protected]                  # ignore ssh-agent, use key files only
ssh -o IdentitiesOnly=yes [email protected]                  # offer only configured IdentityFile keys