1

One of our ssh servers acts as jumphost. Users are supposed to proceed only onto certain target hosts. This could be done with iptables, but for the moment this is not the desired solution.

I checked man ssh_config to see if this scenario could be configured within system-wide ssh_config, but found no hint.

Any ideas aside iptables to achieve this?

MarkHelms

6 Answers

1

Add a valid route to your targets and a more generic route to null. Then only the defined routes to your targets will be available to the users. The problem is that this applies to all users.

Dom
  • Interesting approach. Would this not affect ALL traffic, e.g. outgoing requests of an ntp client? – MarkHelms Sep 11 '17 at 08:56
  • ntp client is not routed to your internal network, right ? So it will take the default route. – Dom Sep 11 '17 at 13:08
1

You might use something like this

#! /bin/sh
# Menu-only login shell: the user picks a target and is handed straight to ssh.

MSG='********************************
1 = host1
2 = anotherhost
3 = host3

0 = exit
********************************'

host=none

# Loop until a valid choice has been made (or the user quits / closes the input)
while test none = "$host"
do
  echo "$MSG"
  printf 'your choice: '
  read choice || exit 1
  case "$choice" in
  1) host=host1.domain.com;;
  2) host=anotherhost.xy.de;;
  3) host=just.go.here;;
  0) exit 0;;
  *) echo "invalid choice: $choice" >&2;;
  esac
done

# Replace this shell with the ssh client, so no shell prompt is ever reachable
exec ssh "$host"

as the login shell of your ssh users on the jumphost. If you save it as /usr/bin/ssh-choice, don't forget to add /usr/bin/ssh-choice to /etc/shells.

TomTomTom
  • Not a very useful setup. Jump hosts are mostly used with ProxyCommand or ProxyJump directives, so an interactive shell session is extremely unlikely to be useful. – Tobias Apr 29 '20 at 19:40
1

I am not sure about the setup, but maybe disabling shell login on the jump host and allowing port forwarding to specific hosts only for specific users and then exercising -J option (ProxyJump) of openssh could be a solution here? The Match directive of the sshd_config could be of help here.

Tomek
  • Could probably be a solution, but not for my setup, because users must be able to do some actions on the jumphosts, e.g. use screen et al. – MarkHelms Oct 27 '17 at 12:00
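A worked configuration for the approach in this answer, added here as an example (it is not from the original thread); the group name jumpusers, the jumphost name jump.example.org, the two target names and their addresses are assumed placeholders:

```text
# --- /etc/ssh/sshd_config on the jumphost (example, assumed names) ---
# A Match block extends to the end of the file or the next Match,
# so put it after all global settings.
Match Group jumpusers
    # no interactive use of the jumphost itself
    PermitTTY no
    ForceCommand /bin/false
    X11Forwarding no
    AllowAgentForwarding no
    PermitTunnel no
    # ProxyJump / ssh -W only needs client-side (direct-tcpip) forwarding ...
    AllowTcpForwarding local
    # ... and only to the allowed targets. sshd compares the host string the
    # client asked for and does not resolve names, so list the targets'
    # addresses as well, otherwise a user can simply request the address.
    PermitOpen host1.example.com:22 192.0.2.10:22 host2.example.net:22 192.0.2.20:22

# --- ~/.ssh/config on a user's workstation ---
Host host1.example.com host2.example.net
    ProxyJump jump.example.org

# ssh host1.example.com
#     -> tunnelled through the jumphost without a shell on it
# ssh -J jump.example.org other.example.org
#     -> refused by the jumphost's sshd: "open failed: administratively prohibited"
```

Before reloading sshd, `sshd -T -C user=alice,host=ws.example.org,addr=192.0.2.50` (placeholder values) prints the settings that would apply to such a connection, so the Match block can be checked for a user in the group.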
1

Responding to an earlier comment:

If you need shell access, then you likely need an immutable and empty .ssh/config in users' home directories, all of the allowed hosts listed in /etc/ssh/ssh_config, and a catch-all Host directive which redirects to an always-failing ProxyCommand (which may also print a coaching message to stderr, so the user can see it).

Something along these lines:

Host host1 host1.example.com
    <whatever directives may be needed here if any>

Host host2 host2.example.net
    <whatever directives may be needed here if any>

Host *
    ProxyCommand /bin/false

Tomek
  • Valuable option. Though not applicable for our situation (users will be granted some freedom on the jumphosts themselves). Thanks. – MarkHelms Oct 27 '17 at 16:34
  • It is hard to follow a running target. Apparently you didn't provide enough information to help you out. – Tomek Oct 27 '17 at 20:29
0

Remove everything but the jumphost from the routing table of the host or put the firewall that prevents connections somewhere other than the host itself.

ptman
0

You could use hosts.allow and/or hosts.deny on the target machines.

Spacerat
  • Sorry, but this does not meet the question: It is about the allowed/disallowed **outgoing** direction, not what is allowed as ingoing ssh on the targets. – MarkHelms Sep 11 '17 at 12:46