
I'm trying to set up an SSH jumpbox. Users logged on to the jumpbox need to be able to authorize to other SSH servers depending on their group.

(UserA is in group Project1, UserB is in group Project2; UserA should be able to ssh into project1.com, but UserB should not.)

Is there any way to implement this on the Jumpbox level?

yigit
  • Are you asking how to ensure that UserA can ssh into project1.com, or how to prevent userB from doing so? They are two different questions. – MadHatter Jul 23 '12 at 12:35
  • I would like to prevent any users except those belonging to the project1 group from connecting to project1.com. Actually, some kind of private key for the group on the jumpbox, with the corresponding public key added to project1.com, would be perfect for me. – yigit Jul 23 '12 at 12:44

1 Answer


Assuming the jumpbox is a Linux box, iptables can usefully be used on the OUTPUT chain to restrict which group members can connect to which servers. Something like

# --gid-owner belongs to the "owner" match, so each rule needs "-m owner" to load it
# Members of group project1 may open ssh (tcp/22) to project1.com; everything else they send is rejected
iptables -A OUTPUT -m owner --gid-owner project1 -p tcp --dport 22 -d ip.of.project1.com -j ACCEPT
iptables -A OUTPUT -m owner --gid-owner project1 -j REJECT
# Same pattern for group project2 and project2.com
iptables -A OUTPUT -m owner --gid-owner project2 -p tcp --dport 22 -d ip.of.project2.com -j ACCEPT
iptables -A OUTPUT -m owner --gid-owner project2 -j REJECT

which has the handy side-effect of restricting the members of group project1 from doing anything except ssh'ing to project1.com, and similarly for project2 and project2.com. You may also need some corresponding rules in the INPUT chain, if you restrict INPUT traffic.

MadHatter
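The rules in the answer, worked out as a small generator script. This is an added example, not code from the answer or from the iptables project; the group names, destination addresses and resolver address are constructed placeholders. Beyond the answer's four lines, it puts the "-m owner" the owner match requires on each rule and inserts loopback and DNS ACCEPT rules ahead of the per-group REJECTs, because a blanket REJECT on a group's traffic otherwise also blocks the name lookup that "ssh project1.com" does before it ever connects. It prints the rules rather than applying them, so the result can be reviewed and then piped to sh as root.

```shell
#!/bin/sh
# Added example (not the original answer's code): generate per-group egress
# rules for an SSH jumpbox with the iptables "owner" match on OUTPUT.
# Group names, destination IPs and the resolver IP are constructed values.

# gen_common_rules RESOLVER_IP
# Rules that must precede the per-group REJECTs: loopback and DNS to the
# configured resolver, so name resolution keeps working for every group.
gen_common_rules() {
    resolver=$1
    echo 'iptables -A OUTPUT -o lo -j ACCEPT'
    printf 'iptables -A OUTPUT -p udp --dport 53 -d %s -j ACCEPT\n' "$resolver"
    printf 'iptables -A OUTPUT -p tcp --dport 53 -d %s -j ACCEPT\n' "$resolver"
}

# gen_group_rules GROUP DEST_IP
# Members of GROUP may reach DEST_IP on tcp/22; everything else they
# originate is rejected. --gid-owner is an option of the "owner" match,
# so "-m owner" is required on each rule.
gen_group_rules() {
    group=$1
    dest=$2
    printf 'iptables -A OUTPUT -m owner --gid-owner %s -p tcp --dport 22 -d %s -j ACCEPT\n' "$group" "$dest"
    printf 'iptables -A OUTPUT -m owner --gid-owner %s -j REJECT\n' "$group"
}

# gen_ruleset RESOLVER_IP "group1 ip1" "group2 ip2" ...
# Prints the complete ordered rule list for all groups.
gen_ruleset() {
    resolver=$1
    shift
    gen_common_rules "$resolver"
    for pair in "$@"; do
        # split "group ip" on whitespace (the for-list was expanded already,
        # so reusing the positional parameters here is safe)
        set -- $pair
        gen_group_rules "$1" "$2"
    done
}

# count_rules_for GROUP RULESET_TEXT
# Number of generated rules that apply the owner match to GROUP.
count_rules_for() {
    printf '%s\n' "$2" | grep -c -- "--gid-owner $1 "
}

# Usage: sh jumpbox-rules.sh 192.0.2.53 "project1 203.0.113.10" "project2 203.0.113.20"
# Review the output, then pipe it to sh as root to load the rules.
if [ $# -gt 0 ]; then
    gen_ruleset "$@"
fi
```

Two things the generated set does not cover, which the answer's rules share: the owner match only sees locally generated IPv4 traffic, so ip6tables needs the same rules if the targets are reachable over IPv6, and a hostname given to "-d" is resolved once when the rule is inserted, so a destination whose address changes needs the rules regenerated.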