Re: Multi Hopping by sshserver proxy with different keys



Hi fnx,
You're right, but I'd like to have it without changing any of the users'
habits.
In a way, I'd like to have the host field and the command field
exchanged - or have a remote command proxy option.
I think I'll have to change PuTTY's code for that. Why not.
Best regards.

-------- Original Message --------
Subject: Re: Multi Hopping by sshserver proxy with different keys
From: Phoenix Rider <fnx@xxxxxxxxxxxxxxxxxx>
To: Nicolas Ferragu <nicolas.ferragu@xxxxxxxxxx>
Date: 11/10/2010 20:14

You could give this a shot:

PuTTY has the ability to execute a command that you specify on connect.

So, set the SSH remote command to:

ssh innerhostnameoripaddress

And save your profile, assuming the bastion IP/hostname is set in the
PuTTY host field. This will start the SSH session and execute the ssh
command. Assuming you've got your keys set up, you should either
get a shell or be prompted for your key passphrase.

This is just an idea; I'm sure it can be improved or modified, but I
hope it helps.



On Mon, Sep 27, 2010 at 4:22 AM, Nicolas Ferragu
<nicolas.ferragu@xxxxxxxxxx> wrote:
Igor,

My ssh-agent works well and I don't have any problem with it: I'm using
keychain (a persistent ssh-agent across connections, from the Debian
packages), filling the .ssh/environment file to get the environment set
correctly for that.

Anyway, the trick doesn't work correctly since the terminal mode is raw:
I can succeed in logging in the way I want, but can't use vi or any tab
command completion...

Concerning the security level you've evaluated, I do agree with the fact
that one could read the bastion's memory to get access to the targets' keys.
But:
1 - I made those target keys usable only from the bastion. If the keys
were on the local box, this kind of filtering couldn't be done, since
my users should be able to connect from everywhere - modulo IP
spoofing, of course.

2 - With all my target keys on the bastion, I can administer them in
a central way - which can't be done in the
distributed-to-the-local-boxes way. In particular, it's far easier to
give anyone temporary access to any target when the bastion holds
the keys.

3 - Saying the keys can be read from the bastion's memory isn't worse
than distributing them across local boxes, which are less secure than the
bastion - since some local boxes are shared by multiple people...
Furthermore, the keys can be changed regularly to clean up that kind of
weakness.

Thanks for sharing,
NF


-------- Original Message --------
Subject: Re: Multi Hopping by sshserver proxy with different keys
From: Igor Bukanov <igor@xxxxxxxx>
To: Nicolas Ferragu <nicolas.ferragu@xxxxxxxxxx>
Cc: secureshell@xxxxxxxxxxxxxxxxx
Date: 25/09/2010 12:34

On 23 September 2010 17:08, Nicolas Ferragu <nicolas.ferragu@xxxxxxxxxx> wrote:
PuTTY conf:
connection type: raw
local proxy command: plink.exe -t %user@%proxyhost -agent "ssh -p %port -l role %host"\n

I assume "ssh -p %port -l role %host" here is a command executed on
the bastion to connect to the target. Currently it does not work as
the target asks for the key known only for the bastion.

You mentioned that "ssh-agent running well with the target." If that
means that the bastion has ssh-agent running with a key for the target,
then in the above command you just need to tell ssh where to look
for the ssh-agent socket. You can do that with the env command, which sets
SSH_AUTH_SOCK, like in:

plink.exe -t %user@%proxyhost -agent "env SSH_AUTH_SOCK=<path-to-socket> ssh -p %port -l role %host"

The default socket location is /tmp/ssh-XXXXXXXXXX/agent.<ppid>. For
maximum convenience you may run the ssh-agent on the bastion with the -a
option to specify the exact location of the socket, like in:

ssh-agent -a "$HOME/.ssh/agent-socket"

and then set SSH_AUTH_SOCK in the above command to /home/user/.ssh/agent-socket


On the other hand, a setup like that implies that one can always
connect to the target if one has the key to the bastion. Moreover, anybody
who can log in to the bastion under your user name can also recover the
private key for the target by inspecting ssh-agent memory. So the
setup above is less secure than if you simply had the key to the
target on your local box, properly password-protected and loaded into
the PuTTY agent.

Regards, Igor



Postscript La Poste

This message is confidential. Subject to any written agreement between
you and La Poste, its content in no way represents a commitment on the
part of La Poste. Any publication, use or distribution, even partial,
must be authorized beforehand. If you are not the intended recipient of
this message, please notify the sender immediately.



--

Groupe La Poste

Nicolas Ferragu

IS Architect
Direction de la Production, Service A2I

*CSP* - CENTRE DE SERVICES PARTAGES
DSICORP - DIRECTION DES SYSTEMES
D'INFORMATION CORPORATE

19 BD GASTON DOUMERGUE
44262 NANTES CEDEX 2
Tel.: 02 51 84 49 43
nicolas.ferragu@xxxxxxxxxx
www.laposte.fr
Visitor address: Immeuble Atlantica


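Igor's point about who else on the bastion can reach the agent socket, and his suggestion to bind the agent to a fixed path, can be checked from the bastion side. The script below is an added example, not code from this thread: it audits the ownership and permissions of the socket named by SSH_AUTH_SOCK (the fixed path ~/.ssh/agent-socket is assumed, as in the thread) and lists the identities the agent exposes by speaking the agent protocol directly; the key comment in the constructed test data is made up.

```python
import os
import socket
import stat
import struct

# Agent protocol message numbers (draft-miller-ssh-agent / OpenSSH authfd.h).
SSH_AGENTC_REQUEST_IDENTITIES = 11
SSH_AGENT_IDENTITIES_ANSWER = 12

def _string(buf, off):
    # Read one SSH wire "string" (uint32 big-endian length + bytes) at offset off.
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n

def parse_identities_answer(msg):
    """Parse an SSH_AGENT_IDENTITIES_ANSWER body (outer length prefix already
    stripped) into a list of (key type, comment) tuples."""
    if not msg or msg[0] != SSH_AGENT_IDENTITIES_ANSWER:
        raise ValueError("unexpected agent reply type %r" % msg[:1])
    (nkeys,) = struct.unpack(">I", msg[1:5])
    off, keys = 5, []
    for _ in range(nkeys):
        blob, off = _string(msg, off)        # public key blob in ssh wire format
        comment, off = _string(msg, off)     # free-text comment set at ssh-add time
        keytype, _ = _string(blob, 0)        # first field of the blob names the algorithm
        keys.append((keytype.decode(), comment.decode(errors="replace")))
    return keys

def socket_problems(path):
    """Return reasons why other local users could reach the agent socket at path
    (anyone who can open it can sign with every key the agent holds)."""
    problems = []
    st = os.lstat(path)
    if not stat.S_ISSOCK(st.st_mode):
        problems.append("not a unix socket")
    if st.st_uid != os.getuid():
        problems.append("owned by uid %d, not by us" % st.st_uid)
    if st.st_mode & 0o077:
        problems.append("socket has group/other permission bits")
    if os.lstat(os.path.dirname(path) or ".").st_mode & 0o077:
        problems.append("parent directory has group/other permission bits")
    return problems

def list_agent_keys(path):
    """Ask the agent listening at path which identities it holds (needs a live agent)."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(path)
        s.sendall(struct.pack(">IB", 1, SSH_AGENTC_REQUEST_IDENTITIES))
        f = s.makefile("rb")                  # buffered reads block until n bytes or EOF
        (n,) = struct.unpack(">I", f.read(4))
        return parse_identities_answer(f.read(n))

# Usage on the bastion: sock = os.environ.get("SSH_AUTH_SOCK", os.path.expanduser("~/.ssh/agent-socket"))
# then print(socket_problems(sock)) and print(list_agent_keys(sock)).
```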


