
I am using my bastion host to connect to internal servers as follows:

ssh -J user@BastionHost user@InternalServer

Is it required to create a user on the bastion host to jump to internal servers? Or can we just use this server to jump to internal servers?

1 Answer


The purpose of the bastion host is, among others, to allow only authenticated users to access your internal servers.

How your bastion does that authentication is something you can decide on.

Creating a user account there for each user that is allowed remote ssh access is an easy way to set up such authentication.

That comes with a couple of advantages (quite robust, easy to understand, etc.) but, depending on the number of joiners and leavers, may be laborious to maintain and scale. And when you only provide ssh access, people will need to tunnel other protocols (for instance to manage your databases).

Running a VPN server on your bastion host allows for more flexibility. A VPN also has the advantage that VPN users won't be able to access the bastion server itself; it only provides access to the internal servers.

Bob
  • Noted @HermanB. Instead of a VPN, can I disable shell access for users on the bastion host so they can only use it as a proxy to reach internal servers? What is the best practice in this case? – Joel Divekar Dec 14 '20 at 09:08
  • Best practice is also only an opinion. https://etherarp.net/ssh-jump-hosts/index.html has a couple of good suggestions (also for the bastion); only you can decide if you want to add multi-factor auth on the bastion or only allow key-based authentication – Bob Dec 14 '20 at 12:16
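As an added illustration of the "proxy only, no shell" setup asked about in the comments (example configuration, not from the original post or the linked article): `ssh -J` still authenticates to the bastion as a local account, so the accounts exist, but an OpenSSH `Match` block can confine them to opening forwarded connections toward named internal hosts and nothing else. The group name `jumpusers` and the internal addresses `10.0.0.11` / `10.0.0.12` are assumptions; substitute your own.

```sshd_config
# Added example for /etc/ssh/sshd_config (or a file under
# /etc/ssh/sshd_config.d/ on OpenSSH 8.2+). Validate with `sshd -t`
# before reloading sshd. Group and host values below are constructed.

# Global hardening: keys only, no root, no passwords to brute-force.
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
PermitRootLogin no

# Match blocks must be the last section of the file; everything below
# applies only to members of the (assumed) local group "jumpusers".
Match Group jumpusers
    # ProxyJump (ssh -J) runs "ssh -W target:22 bastion", which opens a
    # direct-tcpip channel and never requests a shell, so TCP forwarding
    # must stay on for the jump to work at all...
    AllowTcpForwarding yes
    # ...but only toward the internal servers you list (host:port pairs;
    # PermitOpen takes no CIDR ranges, so enumerate them or use "none").
    PermitOpen 10.0.0.11:22 10.0.0.12:22
    # No terminal and no command on the bastion itself. If a client does
    # request a session, the forced command runs instead of a shell.
    PermitTTY no
    ForceCommand /usr/sbin/nologin
    # Close the remaining channel types that are irrelevant for a jump.
    X11Forwarding no
    AllowAgentForwarding no
    AllowStreamLocalForwarding no
    PermitTunnel no
    # Users must not be able to add their own keys or hand out access.
    AuthorizedKeysFile /etc/ssh/authorized_keys/%u
```

Clients then keep using `ssh -J user@BastionHost user@InternalServer` unchanged; an attempt at `ssh user@BastionHost` alone is refused by the forced command, and a forward to a host not in `PermitOpen` fails with "administratively prohibited", which is also a useful line to alert on in the bastion's auth log.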