
I have a server in a corporate data centre whose sysadmin is me. There are some virtual machines running on it. The main server is accessible from the internet via SSH. There are some people within the LAN who access the virtual machines, whose IPs on the LAN are

192.168.1.1  
192.168.1.2  
192.168.1.3
192.168.1.4

The main machine, which is a bastion host for the internet, has IP 192.168.1.50 and only I have access to it. I have to give people on the internet access to the internal machines whose IPs I mentioned above. I know a tunnel is a good way, but the people are fairly non-technical and do not want to get into tunnel etc. jargon. So I came across a solution as explained on this link. On the gateway machine, which is 192.168.1.50, in the .ssh/config file I add the following:

    Host securehost.example.com
        ProxyCommand ssh user@bastion.example.com nc %h %p

Now my question is: do I need to create separate accounts on the bastion host (gateway) for those users who can SSH to the inside machines, and do I need to make the above entry in each user's .ssh/config, or where exactly do I put the .ssh/config on the gateway?

Also, ssh user1@gateway.com

where user1 exists only on the inside machine 192.168.1.1 and not on the gateway: is that the right syntax? Because the internal machines are accessible to the outside world as

site1.example.com
site2.example.com
site3.example.com
site4.example.com

But SSH is only for example.com and only one user. So how should I go about .ssh/config?

1) What is the correct syntax for ProxyCommand in the gateway's .ssh/config? Should I use

    ProxyCommand ssh user1@inside.machine nc %h %p

or should I use

    ProxyCommand ssh user1@gateway.com in nc %h %p

2) Should I create new user accounts on the gateway, or is adding them to AllowedUsers in ssh_config sufficient?

Registered User

1 Answer

The ProxyCommand directive has to be specified on the client machine, not the gateway machine, which is going to make it more complicated for your users. Basically from the client side you are saying ssh userX@inside.machine using user@bastion.example.com as a proxy.

Each user will need to have an ssh account, but it can be a shared account as the "proxied username" is still specified on the client side.

Shaun Dewberry
  • Thanks for clearing this out. Suppose I do this setup on some of the client machines; then would the username user@bastion.example.com be common for the different people on the internet who will have to log in to the bastion host, and would userX@inside.machine then be different or the same? I mean, can I use one username which will be common for all the clients who are allowed at the gateway, and then for each client machine, which will be different users, they need to put their username on the internal machine in their .ssh/config: ProxyCommand ssh user1@inside.machine nc %h %p – Registered User Mar 07 '11 at 10:56
  • Yes, you can use a single account on the bastion host for all the clients (perhaps using an SSH public key exchange) and then use different user accounts on the inside machine, if you want. The users will actually never see that they are logging into the bastion host at all, i.e. with the ProxyCommand specified for inside.machine in .ssh/config on the client side, every time the user does a "ssh userX@inside.machine", the ProxyCommand will automatically connect to the bastion first and then use nc to proxy the connection through to inside.machine. – Shaun Dewberry Mar 08 '11 at 09:32
  • Thanks for your help; since my server right now is in migration, I needed the suggestion as you suggested. – Registered User Mar 08 '11 at 17:22
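A concrete version of the setup this answer describes, as an added example that is not from the question or the answer: the per-user client config with one shared bastion account and per-host inside usernames, plus the matching authorized_keys line that confines that shared account on the bastion. It assumes a shared bastion account named jump and an inside account user1 (both hypothetical names), uses the IPs from the question, and uses ProxyJump, which newer OpenSSH clients accept as the equivalent of the nc ProxyCommand.

```shell
#!/bin/sh
# Added example (not from the question or answer): client-side ssh_config
# and bastion-side key restriction. Assumed names: shared bastion account
# "jump", inside account "user1"; the IPs are the ones in the question.

# Per-user client config, written to ~/.ssh/config on each external user's machine.
write_client_config() {
    cat > "$1" <<'EOF'
Host bastion
    HostName bastion.example.com
    User jump
    IdentityFile ~/.ssh/id_ed25519

# ProxyJump (OpenSSH 7.3+) is the modern spelling of
# "ProxyCommand ssh jump@bastion.example.com nc %h %p":
# the user types "ssh vm1" and never sees the bastion hop.
Host vm1 vm2 vm3 vm4
    User user1
    ProxyJump bastion

Host vm1
    HostName 192.168.1.1
Host vm2
    HostName 192.168.1.2
Host vm3
    HostName 192.168.1.3
Host vm4
    HostName 192.168.1.4
EOF
}

# One line per external user in ~jump/.ssh/authorized_keys on the bastion.
# "restrict" (OpenSSH 7.2+) drops pty, agent and X11 forwarding; "port-forwarding"
# re-enables only the TCP forwarding ProxyJump needs, and permitopen pins it to
# port 22 of the four VMs, so the shared account can reach nothing else.
bastion_key_line() {
    printf 'restrict,port-forwarding,permitopen="192.168.1.1:22",permitopen="192.168.1.2:22",permitopen="192.168.1.3:22",permitopen="192.168.1.4:22" %s %s\n' "$1" "$2"
}

# Resolve which HostName an alias maps to by reading the config directly,
# so the check also works on a machine without the ssh client installed.
hostname_for() {
    awk -v want="$2" '
        $1 == "Host"            { hit = 0; for (i = 2; i <= NF; i++) if ($i == want) hit = 1 }
        $1 == "HostName" && hit { print $2; exit }' "$1"
}
```

On a machine with OpenSSH, `ssh -G -F <file> vm3` prints the fully resolved settings (HostName, User, ProxyJump) and is the quickest way to confirm the config before handing it to a user.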