Phew, spent most of the day thinking about this but have come up with a plan moving forward. I have decided that we will continue to use SSH and SOCKS as we have been successfully doing so, with a couple of improvements:
1. OpenSSH supports ProxyJump, which you can use in ~/.ssh/config or as a -J directive. This will automatically pass your SSH tunnel through a hardened proxy server on which you can set up individual users, and then restrict SSH access from your Astlinux servers to this Jump server only. It seems to work well from my limited testing, and Astlinux can be a Jump server.
2. As Lonnie mentioned, we will script the addition and removal of SSH keys from devices from a trusted device (my laptop probably).

Thanks guys for your help.

Regards
Michael Knill

From: Michael Keuter <li...@mksolutions.info>
Date: Saturday, 19 August 2023 at 2:20 am
To: AstLinux Users Mailing List <astlinux-users@lists.sourceforge.net>
Subject: Re: [Astlinux-users] Accessing devices behind Astlinux

Here is also an interesting video regarding jump servers:
https://www.youtube.com/watch?v=KIeBC7NIzj4

Michael

http://www.mksolutions.info

> On 18.08.2023 at 17:44, Michael Keuter <li...@mksolutions.info> wrote:
>
> Nice video, very interesting.
>
> BTW: on macOS you can install Proxychain via Homebrew with:
>
> brew install proxychains-ng
>
> and call it with "proxychain4 firefox".
>
>> On 18.08.2023 at 17:02, Lonnie Abelbeck <li...@lonnie.abelbeck.com> wrote:
>>
>> Hi Michael,
>>
>> I don't have any personal experience to share, but Tom Lawrence has a related video [1]
>>
>> Youtube: SSH Jump Server Access and How To Pivot Using OpenVPN & Proxychains
>>
>> I suspect this could all be done with SSH+SOCKS (Proxychains) and no OpenVPN tunnel as his example does.
>>
>> Key takeaways are to encrypt the Jump Server's drive (and backup), keep it local and secure from the internet, limit remote AstLinux SSH access via its firewall and Jump Server ssh key.
>>
>> Alternatively, some sort of automation to keep the remote AstLinux SSH keys updated from one hardened location.
>>
>> Lonnie
>>
>> [1] https://www.youtube.com/watch?v=jqudlmfG0zA
>>
>>> On Aug 18, 2023, at 2:17 AM, Michael Knill <michael.kn...@ipcsolutions.com.au> wrote:
>>>
>>> Hi All
>>>
>>> Here is the issue:
>>> We access devices behind Astlinux currently using SSH Tunnelling and SOCKS.
>>> It works well, however it is becoming increasingly difficult managing local authentication to do this, such as using SSH Keys.
>>> We are going to be bringing on additional staff and I don't want to have to go into every system to add credentials or keys every time we bring on a new staff member.
>>>
>>> Just wondering if there are any options for external authentication of SSH rather than local on Astlinux, e.g. using RADIUS.
>>> Could there be any other options, e.g. HTTPS proxy?
>>>
>>> Regards
>>>
>>> Michael Knill
>>> Managing Director

_______________________________________________
Astlinux-users mailing list
Astlinux-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/astlinux-users
Donations to support AstLinux are graciously accepted via PayPal to pay...@krisk.org.
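An added example, not written by any of the posters above, of the client-side ProxyJump configuration and the AstLinux-side key restriction that point 1 of Michael Knill's plan describes (SOCKS via DynamicForward as in the current setup). All host names, users, addresses, ports and the public key are placeholders.

```shell
#!/bin/sh
# Added example: emit ~/.ssh/config stanzas for reaching an AstLinux box
# through a hardened jump host, plus the authorized_keys line that pins a
# key to that jump host's address. Every value here is a placeholder.

# Stanza for the jump host itself (one user account per admin).
jump_stanza() {
    # $1 = alias, $2 = jump host address, $3 = user on the jump host
    printf 'Host %s\n    HostName %s\n    User %s\n    IdentitiesOnly yes\n\n' "$1" "$2" "$3"
}

# Stanza for an AstLinux system behind the jump host. ProxyJump makes ssh
# route the connection through the jump alias; DynamicForward opens the
# local SOCKS port used to reach devices behind AstLinux.
astlinux_stanza() {
    # $1 = alias, $2 = AstLinux address as seen from the jump host,
    # $3 = user on AstLinux, $4 = jump alias, $5 = local SOCKS port
    printf 'Host %s\n    HostName %s\n    User %s\n    ProxyJump %s\n    DynamicForward 127.0.0.1:%s\n    IdentitiesOnly yes\n\n' \
        "$1" "$2" "$3" "$4" "$5"
}

# authorized_keys entry for the AstLinux side: sshd accepts this key only
# when the connection arrives from the jump host address, and refuses
# agent/X11 forwarding. Port forwarding stays enabled because SOCKS needs it.
# This complements, not replaces, the firewall rule limiting SSH to the jump host.
restricted_key() {
    # $1 = jump host source address or CIDR, $2 = public key line
    printf 'from="%s",no-agent-forwarding,no-X11-forwarding %s\n' "$1" "$2"
}

# A complete client config: one jump stanza and one stanza per AstLinux box.
build_client_config() {
    jump_stanza jump 203.0.113.5 mknill
    astlinux_stanza pbx1 192.0.2.10 admin jump 1080
    astlinux_stanza pbx2 192.0.2.11 admin jump 1081
}

# Constructed sample key, not a real one.
SAMPLE_PUBKEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYEXAMPLEKEYEXAMPLEKEYEXAMPLEKEY admin@laptop'

build_client_config
restricted_key 203.0.113.5 "$SAMPLE_PUBKEY"
```

Append the first block of output to ~/.ssh/config on the admin laptop and the last line to /root/.ssh/authorized_keys on the AstLinux system; `ssh pbx1` then connects via the jump host and exposes SOCKS on 127.0.0.1:1080.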