On May 15, 2009, at 12:44 PM, Lois Bennett wrote:
> Hi!
>
> I need help with setting up a bastion host that will only allow users
> to ssh through. I know I should use the force command option in the
> sshd_conf file but it is being recalcitrant. Can anyone point me to a
> good tutorial on setting this up? I keep finding info about how to
> set up ssh tunneling for personal use but not how to set it up as the
> server default. The goal is a machine in the DMZ that users ssh into
> which does nothing but ssh them into the login server inside the
> firewall.
Check out jumpsh here:
http://www.occam.com/tools/
You use it by setting it as the login shell for user accounts on your
bastion host. There's a simple config file, which is just a list of
internal hosts that are acceptable places to login. When a user logs
into the bastion host, they're presented with a prompt, at which they
have to enter one of the hostnames from the config file, requiring
prior knowledge of its contents. You can further obscure things by
setting up codenames in the config file for actual internal hostnames
or IP addresses.
If the user enters an acceptable name, an SSH session to the target
is initiated, as the user. This way it's not a direct SSH passthrough,
which doesn't add much to your security.
Here's the README:
http://www.occam.com/tools/README.jumpsh-3.1
Another thing that really helps is running the external SSH service
on a non-standard port. Doing that completely eliminated brute-force
attacks on the bastion host at $WORK.
--------------------------------------------------------------------
Leon Towns-von Stauber http://www.occam.com/leonvs/
"We have not come to save you, but you will not die in vain!"
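A minimal restricted login shell in the style Leon describes, written here as an added example (it is not jumpsh's own code): it reads a codename-to-host list from an assumed config path, prompts once, and exec's ssh to the mapped target as the logged-in user, so no input that is not a listed codename ever reaches ssh. The config path, file format and the example entries in the comments are assumptions.

```shell
#!/bin/sh
# Restricted "jump" login shell: install as the login shell of the bastion accounts.
# Assumed config format, one entry per line:  <codename> <internal host or IP>
#   # lines starting with '#' are comments
#   www  intranet-web.corp.example
#   db   10.0.0.5
JUMP_CONF="${JUMP_CONF:-/etc/jumpsh.conf}"   # hypothetical path

# resolve_target CONFIG NAME: print the host mapped to codename NAME, or fail.
# Only the codename column is matched, so typing a real internal hostname does
# not work unless it is itself listed as a codename.
resolve_target() {
    conf="$1"; name="$2"
    # Accept only a plain token; anything else (empty, spaces, ';', '-x') is rejected
    # before it can be interpreted by awk or passed to ssh.
    case "$name" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    awk -v n="$name" '$1 == n { print $2; found = 1; exit } END { exit !found }' "$conf"
}

# Interactive part: prompt once, then replace this shell with the ssh client.
jump_main() {
    trap '' INT QUIT TSTP          # no dropping to a shell on the bastion via signals
    printf 'host: '
    IFS= read -r name || exit 1
    if ! target=$(resolve_target "$JUMP_CONF" "$name"); then
        echo 'no such host' >&2
        exit 1
    fi
    # ssh uses the invoking (bastion) account name by default, so the session to the
    # internal host is opened as the user. '--' keeps the target from being read as an option.
    exec ssh -- "$target"
}

# sshd starts a login shell with argv[0] prefixed by '-'. When invoked any other way
# (e.g. "shell -c cmd" for a remote command request) nothing runs, so commands are denied.
case "$0" in
    -*) jump_main ;;
esac
```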
_______________________________________________
Tech mailing list
http://lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/