Bastion SSH Tunneling

From Chorke Wiki
Jump to navigation Jump to search

Tunnel

if  [[ -f ${HOME}/.ssh/config ]]&&[[ -s ${HOME}/.ssh/config ]]&&
    [[ "$(grep -c 'gtw.vpc.chorke.org' ${HOME}/.ssh/config)" == 0 ]];then
        tee -a ${HOME}/.ssh/config >/dev/null <<EOF

# bastion ssh tunnel
Host gtw.vpc.chorke.org
     HostName gtw.vpc.chorke.org
     PreferredAuthentications publickey
     IdentityFile ~/.ssh/gtw.vpc.chorke.org_rsa
     User deploy
EOF
fi

Tunneling

if  [[ -f ${HOME}/.ssh/config ]]&&[[ -s ${HOME}/.ssh/config ]]&&
    [[ "$(grep -c 'api.vpc.chorke.org'  ${HOME}/.ssh/config)" == 0 ]];then
        tee -a ${HOME}/.ssh/config >/dev/null <<EOF

# api gateway service
Host api.vpc.chorke.org
     HostName api.vpc.chorke.org
     ProxyCommand ssh -qW%h:%p gtw.vpc.chorke.org
     IdentityFile ~/.ssh/api.vpc.chorke.org_rsa
     PreferredAuthentications publickey
     PubkeyAcceptedKeyTypes +ssh-rsa
     HostKeyAlgorithms +ssh-rsa
     User deploy
     LocalForward 1983 localhost:1983
     LocalForward 2013 localhost:2013
     LocalForward 2015 localhost:2015
EOF
fi
if  [[ -f ${HOME}/.ssh/config ]]&&[[ -s ${HOME}/.ssh/config ]]&&
    [[ "$(grep -c 'app.vpc.chorke.org'  ${HOME}/.ssh/config)" == 0 ]];then
        tee -a ${HOME}/.ssh/config >/dev/null <<EOF

# web portal service
Host app.vpc.chorke.org
     HostName app.vpc.chorke.org
     ProxyCommand ssh -qW%h:%p gtw.vpc.chorke.org
     IdentityFile ~/.ssh/app.vpc.chorke.org_rsa
     PreferredAuthentications publickey
     PubkeyAcceptedKeyTypes +ssh-rsa
     HostKeyAlgorithms +ssh-rsa
     User deploy
     LocalForward 1983 localhost:1983
     LocalForward 2013 localhost:2013
     LocalForward 2015 localhost:2015
EOF
fi

if  [[ -f ${HOME}/.ssh/config ]]&&[[ -s ${HOME}/.ssh/config ]]&&
    [[ "$(grep -c 'rds.vpc.chorke.org'  ${HOME}/.ssh/config)" == 0 ]];then
        tee -a ${HOME}/.ssh/config >/dev/null <<EOF

# psql database service
Host rds.vpc.chorke.org
     HostName rds.vpc.chorke.org
     ProxyCommand ssh -qW%h:%p gtw.vpc.chorke.org
     IdentityFile ~/.ssh/rds.vpc.chorke.org_rsa
     PreferredAuthentications publickey
     PubkeyAcceptedKeyTypes +ssh-rsa
     HostKeyAlgorithms +ssh-rsa
     User deploy
EOF
fi
# add ssh private key to the ssh-agent
ssh-add ~/.ssh/app.vpc.chorke.org_rsa
ssh-add ~/.ssh/api.vpc.chorke.org_rsa
ssh-add ~/.ssh/rds.vpc.chorke.org_rsa

# forward ssh key to bastion
ssh -A app.vpc.chorke.org
ssh -A api.vpc.chorke.org
ssh -A rds.vpc.chorke.org 

# manage ssh key from ssh-agent
ssh-add -d ~/.ssh/app.vpc.chorke.org_rsa
ssh-add -l
ssh-add -L
ssh-aad -D

Example

 ssh-copy-id -i\
 ${HOME}/.ssh/vpn.shahed.biz_rsa.pub [email protected]
 ssh-copy-id -i\
 ${HOME}/.ssh/git.shahed.biz_rsa.pub [email protected]

if  [[ -f ${HOME}/.ssh/config ]]&&[[ -s ${HOME}/.ssh/config ]]&&
    [[ "$(grep -c 'vpn.shahed.biz'  ${HOME}/.ssh/config)" == 0 ]];then
        tee -a ${HOME}/.ssh/config >/dev/null <<EOF

# bastion proxy
Host vpn.shahed.biz
     HostName vpn.shahed.biz
     IdentityFile ~/.ssh/vpn.shahed.biz_rsa
     PreferredAuthentications publickey
     PubkeyAcceptedKeyTypes +ssh-rsa
     HostKeyAlgorithms +ssh-rsa
     IdentitiesOnly yes
     User bastion

EOF
fi
if  [[ -f ${HOME}/.ssh/config ]]&&[[ -s ${HOME}/.ssh/config ]]&&
    [[ "$(grep -c 'git.shahed.biz'  ${HOME}/.ssh/config)" == 0 ]];then
        tee -a ${HOME}/.ssh/config >/dev/null <<EOF

# gitlab jenkins
Host git.shahed.biz
     HostName git.shahed.biz
     ProxyCommand ssh -qW%h:%p vpn.shahed.biz
     IdentityFile ~/.ssh/git.shahed.biz_rsa
     PreferredAuthentications publickey
     PubkeyAcceptedKeyTypes +ssh-rsa
     HostKeyAlgorithms +ssh-rsa
     IdentitiesOnly yes
     User jenkins
EOF
fi

if  [[ -f ${HOME}/.ssh/config ]]&&[[ -s ${HOME}/.ssh/config ]]&&
    [[ "$(grep -c 'Host \*'  ${HOME}/.ssh/config)" == 0 ]];then
        cat <<EOF | tee -a ${HOME}/.ssh/config >/dev/null

# for all host
Host *
     PreferredAuthentications publickey
     PubkeyAcceptedKeyTypes +ssh-rsa
     HostKeyAlgorithms +ssh-rsa
     ServerAliveInterval 60
     ServerAliveCountMax 20
     IdentitiesOnly yes
     AddressFamily inet
     Compression yes
     LogLevel INFO
     Protocol 2
EOF
fi

Knowledge

sudo systemctl restart sshd
sudo systemctl status  ssh
grep -c '^#[ ]*GatewayPorts[ ]*\(no\|yes\|clientspecified\)$' ./sshd_config
grep -c '^#[ ]*GatewayPorts[ ]*\(\(no\)\|\(yes\)\|\(clientspecified\)\)$' ./sshd_config

# regexp simple group & escaping
if  [[ -f /etc/ssh/sshd_config ]]&&[[ -s /etc/ssh/sshd_config ]]&&
    [[ "$(grep -c '#[ ]*GatewayPorts[ ]*\(no\|yes\|clientspecified\)' /etc/ssh/sshd_config)" == 1 ]];then
        sed -z  's/#[ ]*GatewayPorts[ ]*\(no\|yes\|clientspecified\)/GatewayPorts yes/' -i /etc/ssh/sshd_config
fi

# regexp complex group & escaping
if  [[ -f /etc/ssh/sshd_config ]]&&[[ -s /etc/ssh/sshd_config ]]&&
    [[ "$(grep -c '#[ ]*GatewayPorts[ ]*\(\(no\)\|\(yes\)\|\(clientspecified\)\)' /etc/ssh/sshd_config)" == 1 ]];then
        sed  -z 's/#[ ]*GatewayPorts[ ]*\(\(no\)\|\(yes\)\|\(clientspecified\)\)/GatewayPorts yes/' -i /etc/ssh/sshd_config
fi

# add ssh private key to agent
ssh-add ~/.ssh/gtw.vpc.chorke.org_rsa

# forwarded private key
ssh -A api.vpc.chorke.org
ssh -A app.vpc.chorke.org
# manage ssh key for ssh-agent
ssh-add -d ~/.ssh/gtw.vpc.chorke.org_rsa

ssh-add -l
ssh-add -D
ssh-add -L
Too many authentication failures
ssh-add -l
ssh-add -D
ssh-add ~/.ssh/gtw.vpc.chorke.org_rsa
ssh api.vpc.chorke.org
ssh app.vpc.chorke.org

ssh -o PreferredAuthentications=password ${USER}@gtw.vpc.chorke.org
ssh -o IdentityAgent=none ${USER}@gtw.vpc.chorke.org
ssh -o IdentitiesOnly=yes ${USER}@gtw.vpc.chorke.org

References