Hi,
On 2015-03-08 11:57, Mohammad alizadeh wrote:
Hi experts,
I have a security issue in my last Openstack deployment.
As an enforced security policy, my datacenter firewall blocks every ssh
request except those sent to one valid IP address (a specific machine in
the DMZ). So, by this rule, customers cannot access their instances via
ssh. Is there a way to allow customers to connect to their instances
remotely via ssh? How can I use this single ssh-allowed machine to
connect customers to their instances via ssh (maybe using VPN or other
techniques)?
A dedicated VPN box could be a solution, but it requires more ports open on
your DMZ firewall and a bit of work to get the server as well as the clients
running.
You can also set up additional accounts on the box that has SSH allowed
and let customers use those as a jump box.
From there they may reconnect to their own boxes.
They may automate it a bit by putting something similar to the following
in their .ssh/config:

    Host VM_HOST
        ProxyCommand ssh JUMP_BOX -W %h:%p

This approach has security implications, as your customers technically
have access to your server's shell.
You may restrict that by allowing only the ssh command in their
public_key entry of .ssh/authorized_keys (on jump-box). This may require
some more work as in
http://binblog.info/2008/10/20/openssh-going-flexible-with-forced-commands/.
Also they need to use ssh keys.
Finally, if only one IP is allowed through your firewall, I guess that
the security guys want to prevent entry. Thus circumventing the rule by
proxying the connections does not look like the best way to go. Maybe
re-evaluating customer needs with the security team would help find a
better solution to the problem.
HTH.
--
Ahmed R.
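Added example, not code from the thread or from the OpenStack project: the jump-box lock-down the reply describes (forced command plus key restrictions so a customer key can only reach its own instance through "ProxyCommand ssh JUMP_BOX -W %h:%p"), with an audit check for keys that were added without those restrictions. The address 10.0.0.5, the key blob and the account names are constructed placeholders; an OpenSSH 7.2 or newer sshd on the jump box is assumed.

```shell
#!/bin/sh
# Added example, not code from the thread: lock down the jump box used for
# "ProxyCommand ssh JUMP_BOX -W %h:%p". Addresses, names and the key blob
# are constructed placeholders; an OpenSSH 7.2+ sshd is assumed.

# authorized_keys entry for one customer key on the jump box. "restrict"
# disables pty, agent and X11 forwarding and ~/.ssh/rc; "port-forwarding"
# re-enables only TCP forwarding; "permitopen" limits it to that customer's
# own instance; the forced command keeps an interactive login off the shell.
# -W on the client opens a single direct-tcpip channel, which is all that
# remains allowed, so the ProxyCommand above keeps working.
restricted_entry() {
    # $1 instance address, $2 instance ssh port, $3 customer public key
    printf 'restrict,port-forwarding,permitopen="%s:%s",command="/bin/false" %s\n' \
        "$1" "$2" "$3"
}

# Audit an authorized_keys file on the jump box: print every key that is not
# locked down and return 1 if one exists. A key counts as locked when its
# option list carries both restrict and permitopen. (Option values holding
# spaces or commas would need a real parser; entries from above have none.)
audit_authorized_keys() {
    unrestricted=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        opts=${line%% *}
        case "$opts" in ssh-*|ecdsa-*|sk-*) opts='' ;; esac   # key without options
        case ",$opts," in *,restrict,*) ;; *) opts='' ;; esac  # restrict missing
        case "$opts" in
            *permitopen=*) ;;
            *) printf 'UNRESTRICTED: %s\n' "$line"; unrestricted=1 ;;
        esac
    done < "$1"
    return "$unrestricted"
}

# Constructed sample file: one key added the plain way (full shell on the
# jump box, the risk the reply points out) and one from restricted_entry.
write_sample() {
    key='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDEMOKEYMATERIALNOTAREALKEY000 customer-a'
    {
        printf '# customer A, added by hand\n%s\n' "$key"
        restricted_entry 10.0.0.5 22 "$key"
    } > "$1"
}

if [ "${1:-}" = demo ]; then           # sh script.sh demo
    f=$(mktemp); write_sample "$f"; audit_authorized_keys "$f"; rm -f "$f"
fi
```

Run with the `demo` argument to see the hand-added key flagged as UNRESTRICTED while the generated entry passes; the same audit function can be pointed at the real ~/.ssh/authorized_keys of each customer account on the jump box.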
OpenStack-operators mailing list
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators