Re: Gateway host configuration



I am assuming OpenSSH in the following.

On 2007-09-06, craner@xxxxxxxxxxxxxxxx <craner@xxxxxxxxxxxxxxxx> wrote:
> I would like to give a limited set of users ssh access to specific
> internal hosts, from arbitrary external systems, via a gateway host.
> A setup I came up with is:
>
> * On GW host, have one (or more) gw accounts with a password.
> * For every ssh user, in GW account on GW host:
> ** create a passphrase-protected key
> ** On each host they need to connect to:
> *** copy key to their authorized_keys file
>
> Each user should only be able to ssh into the GW host, then ssh to
> one of their allowed hosts by specifying their keyfile.
>
> Questions:
> - Can I forbid password authentication from the GW host to the
> internal hosts, but still allow it between two internal hosts? It
> doesn't seem that PasswordAuthentication can appear in a Match
> section.

It can, but it was only added in version 4.6. Which version are you
using?

> - Can I forbid port forwarding to/from the GW, or at least require
> use of a key rather than the password?

Set "AllowTcpForwarding no" in the gateway's sshd_config.

> - Is this whole approach pointless, and should I be doing something
> completely different? The need is for a reasonably simple procedure
> with as little as possible required on the remote end; it's acceptable
> to need setup and preparation on the GW and/or internal systems.

If your gateway host supports it you could also use user-based packet
filter rules to restrict where your users can connect to, for example
"user <foo>" rules in PF or --uid-owner rules in iptables.

This would control all outgoing (and incoming) connections not just
those made by ssh.

> Thanks for any suggestions.

You're welcome.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
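The configuration the thread describes, as an added example that is not from either poster: the gateway refuses forwarding, and each internal host keeps password logins for internal-to-internal traffic but demands a key from connections arriving from the gateway. Account names and the gateway address 192.0.2.10 are placeholders; the Match directives need OpenSSH 4.6 or later, as noted above.

```sshd_config
# --- Gateway host: /etc/ssh/sshd_config ---
# Only the shared gateway accounts (placeholder names) may log in here.
AllowUsers gw1 gw2
# Refuse -L/-R/-D port forwarding through the gateway for everyone.
AllowTcpForwarding no
# Password logins to the gateway itself stay allowed, per the design above.
PasswordAuthentication yes

# --- Each internal host: /etc/ssh/sshd_config ---
# Global section: logins between internal hosts keep their passwords.
PasswordAuthentication yes
PubkeyAuthentication yes

# Sessions coming from the gateway (placeholder address) must present a key.
# Keyboard-interactive is switched off as well, since on PAM systems it can
# otherwise still prompt for the account password.
Match Address 192.0.2.10
    PasswordAuthentication no
    KbdInteractiveAuthentication no
    AllowTcpForwarding no
```

Run `sshd -t` after editing to catch syntax errors before restarting; releases from 5.1 on can also print the values that apply to a given source with `sshd -T -C user=gw1,host=gw,addr=192.0.2.10`.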