Re: [PLUG] ProxyJump Link

2020-12-10 Thread Paul Heinlein

On Fri, 4 Dec 2020, Paul Heinlein wrote:

> On Thu, 3 Dec 2020, Paul Heinlein wrote:
>
>> Someone asked about the link to SSH ProxyJump documentation. There's more
>> to be said than this, but here's the link:
>>
>> https://www.madboa.com/blog/2017/11/02/ssh-proxyjump/
>>
>> I'll post a follow-up with a real configuration that uses that sort of
>> thing in the next day or two. tl;dr: search the Internet for "ssh
>> controlmaster"
>
> My full setup includes a highly customized ssh config file plus a shell
> script to control my SSH proxying.
>
> []
>
> Whew! That was long. I'll probably use this post as the rough draft for an
> article I'll post to my blog later.


https://www.madboa.com/blog/2020/12/10/ssh-full-network/

It's my web site, but it's not commercial and uses no tracking 
cookies.


--
Paul Heinlein
heinl...@madboa.com
45°38' N, 122°6' W
___
PLUG: https://pdxlinux.org
PLUG mailing list
PLUG@pdxlinux.org
http://lists.pdxlinux.org/mailman/listinfo/plug


Re: [PLUG] ProxyJump Link

2020-12-04 Thread Paul Heinlein

On Fri, 4 Dec 2020, Rich Shepard wrote:

> On Fri, 4 Dec 2020, Paul Heinlein wrote:
>
>> My work network is hundreds of hosts, so I don't try to list all the
>> unqualified names ... I'd be exhausted! :-)
>
> Paul,
>
> Isn't that job security?


Ha! Computers being hard is job security. Computers being numerous is 
just exhausting. :-)


--
Paul Heinlein
heinl...@madboa.com
45°38' N, 122°6' W


Re: [PLUG] ProxyJump Link

2020-12-04 Thread Rich Shepard

On Fri, 4 Dec 2020, Paul Heinlein wrote:

> My work network is hundreds of hosts, so I don't try to list all the
> unqualified names ... I'd be exhausted! :-)


Paul,

Isn't that job security?

Stay well,

Rich


Re: [PLUG] ProxyJump Link

2020-12-04 Thread Paul Heinlein

On Fri, 4 Dec 2020, David Barr wrote:

>> The next customization for your ssh config file ensures any SSH
>> session destined for *.my.com uses your control session.
>>
>> # part of ~/.ssh/config
>> Host *.my.com
>>   CheckHostIP no
>>   ProxyCommand ssh mybastion -W %h:%p
>>
>> The important thing to note here is that you'll need to use fully
>> qualified domain names (e.g., dev.my.com) rather than short versions
>> (dev) if you want to use the multiplex connection.
>
> You can still use short names via the HostName directive.
>
> Host dev
>   HostName dev.my.com
>   CheckHostIP no
>   ProxyCommand ssh mybastion -W %h:%p


True! That might be handy if you have a small number of hosts with 
little turnover. My work network is hundreds of hosts, so I don't try 
to list all the unqualified names ... I'd be exhausted! :-)


--
Paul Heinlein
heinl...@madboa.com
45°38' N, 122°6' W


Re: [PLUG] ProxyJump Link

2020-12-04 Thread David Barr


On 12/4/20 10:03, Paul Heinlein wrote:
> On Thu, 3 Dec 2020, Paul Heinlein wrote:
>
>> Someone asked about the link to SSH ProxyJump documentation. There's
>> more to be said than this, but here's the link:
>>
>> https://www.madboa.com/blog/2017/11/02/ssh-proxyjump/
>>
>> I'll post a follow-up with a real configuration that uses that sort
>> of thing in the next day or two. tl;dr: search the Internet for "ssh
>> controlmaster"
>  ...
>
> The next customization for your ssh config file ensures any SSH
> session destined for *.my.com uses your control session.
>
> # part of ~/.ssh/config
> Host *.my.com
>   CheckHostIP no
>   ProxyCommand ssh mybastion -W %h:%p
>
> The important thing to note here is that you'll need to use fully
> qualified domain names (e.g., dev.my.com) rather than short versions
> (dev) if you want to use the multiplex connection.

You can still use short names via the HostName directive.

Host dev
  HostName dev.my.com
  CheckHostIP no
  ProxyCommand ssh mybastion -W %h:%p


Cheers!
David

-- 
David/dafydd PGP Public Key



"If all the girls attending the Yale prom were laid end to end, I wouldn't be a 
bit surprised." --Dorothy Parker



Re: [PLUG] ProxyJump Link

2020-12-04 Thread Paul Heinlein

On Thu, 3 Dec 2020, Paul Heinlein wrote:

> Someone asked about the link to SSH ProxyJump documentation. There's more to
> be said than this, but here's the link:
>
> https://www.madboa.com/blog/2017/11/02/ssh-proxyjump/
>
> I'll post a follow-up with a real configuration that uses that sort of thing
> in the next day or two. tl;dr: search the Internet for "ssh controlmaster"


My full setup includes a highly customized ssh config file plus a 
shell script to control my SSH proxying.


Let's assume a simple setup. Here are three views of it: logical, DNS, 
and IPv4.


* Internet <-> Bastion Host <-> Private Network
* Internet <-> login.my.com <-> *.my.com
* 0.0.0.0/0 <-> 12.12.12.12 + 10.10.10.1 <-> 10.10.10.0/24

The bastion host can also be called a jump host. It has two 
interfaces: public (12.12.12.12) and private (10.10.10.1).


The simple way to log in to a *.my.com host (e.g., dev.my.com) is with 
a shell one-liner:


ssh -J login.my.com dev.my.com

But let's say that you log in to a lot of my.com hosts and that you 
further have some internal-only web applications you want to access 
there.


(This work will be a lot easier if you have SSH keys working with 
ssh-agent, but it's not necessary.)


First, we need to set up your ~/.ssh/config file. We're going to assign 
an alias to your bastion host; the purpose of the alias will only 
become clear later. The Host stanza for your bastion host will also 
enable three optional SSH features: compression, agent forwarding, and 
SOCKS5 proxying. The SOCKS5 proxy will allow you to reach your 
internal-only web apps.


# part of ~/.ssh/config
Host mybastion
  Hostname login.my.com
  Compression yes
  ControlPath ~/.ssh/cm-%r@%h:%p
  ControlMaster auto
  ControlPersist 9H
  ForwardAgent yes
  DynamicForward 127.0.0.1:1080

The Control* directives allow you to run multiple SSH sessions over a 
single network connection. The ssh_config(5) man page has more 
information.


It's important to note that you should use the alias ("mybastion") 
rather than your hostname when setting up your master connection. 
We'll get to the ssh invocation in a bit.


The next customization for your ssh config file ensures any SSH 
session destined for *.my.com uses your control session.


# part of ~/.ssh/config
Host *.my.com
  CheckHostIP no
  ProxyCommand ssh mybastion -W %h:%p

The important thing to note here is that you'll need to use fully 
qualified domain names (e.g., dev.my.com) rather than short versions 
(dev) if you want to use the multiplex connection.


Now set up the session:

ssh -f -N mybastion 2>/dev/null

The "-f -N" options will invoke ssh without a remote command and put 
it into the background. Even though it's backgrounded, ssh will allow 
you to check its status:


ssh -O check mybastion

It will return something like "Master running" if successful.

Now you can do "ssh dev.my.com" in a terminal window and you will be 
able to log directly into your dev machine. (I say "directly," but if you 
run "who" while logged in, your session will show up as coming from 
the bastion host.) Remember, you need to use the FQDN. If that's a 
hassle for you, try a shell alias to simplify things:


https://www.madboa.com/blog/2015/09/23/login-function/

Finally, if you want to be able to access your internal-only web apps 
using the SOCKS5 proxy, you'll probably want to dedicate a browser to 
that sort of work. I use Firefox for that:


1. Launch Firefox
2. Enter "about:config" into the URL box.
3. Ignore the "this might void your warranty" warning.
4. Change some settings:

network.proxy.socks: localhost
network.proxy.socks_port: 1080
network.proxy.socks_remote_dns: true
network.proxy.type: 1

The port number, 1080 in my example, is arbitrary, but it must match 
the one you specified in your DynamicForward directive (above).


I've found it necessary to start my proxied browser within a couple 
minutes of setting up the control/multiplex session. Something times 
out otherwise, but I haven't really sought to understand that.


At that point, Firefox ought to be able to browse your internal web 
sites.


Whew! That was long. I'll probably use this post as the rough draft 
for an article I'll post to my blog later.


--
Paul Heinlein
heinl...@madboa.com
45°38' N, 122°6' W
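The start/check sequence Paul describes (ssh -f -N to background a master, ssh -O check to confirm it) wrapped in a small POSIX shell script, as an added example rather than Paul's own control script. It assumes the "Host mybastion" stanza from the post is already in ~/.ssh/config (ControlMaster auto, ControlPath, ControlPersist, DynamicForward on port 1080), that ssh -G prints the effective per-host configuration as lowercase "keyword value" lines (standard OpenSSH behaviour), and it adds "ssh -O exit" for teardown; the BASTION, SOCKS_PORT and SSH variables are this script's own and exist only so the defaults can be overridden and the logic exercised with a stand-in ssh.

```shell
#!/bin/sh
# sshproxy: manage a multiplexed SSH master session to a bastion host.
# Added example (not the post's script). Assumes the ~/.ssh/config alias
# "mybastion" from the post with ControlMaster/ControlPath/ControlPersist
# and a DynamicForward listener on 127.0.0.1:1080.

BASTION="${BASTION:-mybastion}"   # the config alias, not the real hostname
SOCKS_PORT="${SOCKS_PORT:-1080}"  # must match the DynamicForward port in ~/.ssh/config
SSH="${SSH:-ssh}"                 # overridable so the script can be tested without a network

# Exit 0 if a master session is running for $BASTION, non-zero otherwise.
# "ssh -O check" prints "Master running (pid=N)" and exits 0 when the
# control socket answers.
proxy_status() {
    "$SSH" -O check "$BASTION" >/dev/null 2>&1
}

# Confirm the alias really enables multiplexing: ssh -G prints the effective
# configuration for a host, one lowercase "keyword value" pair per line.
proxy_check_config() {
    "$SSH" -G "$BASTION" | grep -qi '^controlmaster auto$'
}

# Start the master (no remote command, backgrounded) unless one is already up,
# then wait briefly for the control socket to appear before reporting success.
proxy_start() {
    if proxy_status; then
        echo "master already running for $BASTION"
        return 0
    fi
    "$SSH" -f -N "$BASTION" || return 1
    i=0
    while [ "$i" -lt 10 ] && ! proxy_status; do
        sleep 1
        i=$((i + 1))
    done
    proxy_status
}

# Ask the master to exit; this also closes the SOCKS listener and the transport
# that any still-open multiplexed sessions were riding on.
proxy_stop() {
    if ! proxy_status; then
        echo "no master running for $BASTION"
        return 0
    fi
    "$SSH" -O exit "$BASTION"
}

# Remind the user where the browser's SOCKS5 proxy setting should point.
proxy_info() {
    printf 'SOCKS5 proxy for a dedicated browser: 127.0.0.1:%s\n' "$SOCKS_PORT"
}

usage() {
    echo "usage: $0 {start|stop|status|info}"
}

main() {
    case "$1" in
        start)  proxy_start ;;
        stop)   proxy_stop ;;
        status) if proxy_status; then echo "master running"
                else echo "master not running"; return 1; fi ;;
        info)   proxy_info ;;
        *)      usage; return 2 ;;
    esac
}

# Dispatch only when invoked with an argument, so the functions can also be sourced.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Run it as "sshproxy start" before launching the proxied browser and "sshproxy stop" when done. Two points worth keeping in mind with this setup: the control socket under ~/.ssh lets anyone who can open it ride your authenticated connection, so keep ~/.ssh at mode 0700 and size ControlPersist to how long you actually need the session; and ForwardAgent yes exposes your agent to anyone with root on the bastion, so it belongs only on hosts you trust to that degree.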


[PLUG] ProxyJump Link

2020-12-03 Thread Paul Heinlein
Someone asked about the link to SSH ProxyJump documentation. There's 
more to be said than this, but here's the link:


https://www.madboa.com/blog/2017/11/02/ssh-proxyjump/

I'll post a follow-up with a real configuration that uses that sort of 
thing in the next day or two. tl;dr: search the Internet for "ssh 
controlmaster"


--
Paul Heinlein
heinl...@madboa.com
45°38' N, 122°6' W