Secure Shell
Re: Multi Hopping by sshserver proxy with different keys Oct 12 2010 07:57AM
Nicolas Ferragu (nicolas ferragu laposte fr)
Hi fnx,
You're right, but I'd like to have it without changing any habits for the
users.
In a way, I'd like to have the host field and the command field
exchanged, or to have a remote command proxy option.
I think I'll have to change putty's code for that. Why not.
Best regards.

-------- Original Message --------
Subject: Re: Multi Hopping by sshserver proxy with different keys
From: Phoenix Rider <fnx (at) technologitron (dot) com [email concealed]>
To: Nicolas Ferragu <nicolas.ferragu (at) laposte (dot) fr [email concealed]>
Date: 11/10/2010 20:14

> You could give this a shot:
>
> Putty has the ability to execute a command that you specify on connect.
>
> So, set the ssh remote command to:
>
> ssh innerhostnameoripaddress
>
> And save your profile, assuming the bastion ip/hostname is set in the
> putty host field. This will start the ssh session and execute the ssh
> command. Assuming you've got your keys set up, you should either
> achieve a shell or be prompted for your key passphrase.
>
> This is just an idea, i'm sure it can be improved or modified, but I
> hope it helps.
>
>
>
> On Mon, Sep 27, 2010 at 4:22 AM, Nicolas Ferragu
> <nicolas.ferragu (at) laposte (dot) fr [email concealed]> wrote:
>> Igor,
>>
>> My ssh-agent works well and I don't have any problem with it: I'm using
>> keychain (persistent ssh-agent across connections; from debian
>> packages), filling the .ssh/environment file to get the env set correctly
>> for that.
>>
>> Anyway, the trick doesn't work correctly since the terminal mode is raw:
>> I can succeed in logging in the way I want but can't do any vi or any tab
>> command completion...
>>
>> Concerning the security level you've evaluated, I do agree with the fact
>> that one could read the bastion's memory to get access to the targets' keys.
>> But:
>> 1 - I made those target keys usable only from the bastion. If the keys
>> were on the local box, this kind of filtering couldn't be done, since
>> my users should be able to connect from everywhere - modulo IP
>> spoofing of course.
>>
>> 2 - With all my target keys on the bastion, I can administer them in
>> a central way - which can't be done in the
>> distributed-to-the-local-boxes way. In particular, it's far easier to
>> give temporary access to anyone to any target when the bastion holds
>> the keys.
>>
>> 3 - Saying the keys can be read from the bastion's memory isn't worse
>> than distributing them across local boxes which are less secure than the
>> bastion - since some local boxes are shared by multiple people...
>> Furthermore, the keys can be changed regularly to clean up that kind of
>> weakness.
>>
>> Thanks for sharing,
>> NF
>>
>>
>> -------- Original Message --------
>> Subject: Re: Multi Hopping by sshserver proxy with different keys
>> From: Igor Bukanov <igor (at) mir2 (dot) org [email concealed]>
>> To: Nicolas Ferragu <nicolas.ferragu (at) laposte (dot) fr [email concealed]>
>> Cc: secureshell (at) securityfocus (dot) com [email concealed]
>> Date: 25/09/2010 12:34
>>
>>> On 23 September 2010 17:08, Nicolas Ferragu <nicolas.ferragu (at) laposte (dot) fr [email concealed]> wrote:
>>>> Putty conf :
>>>> connection type : raw
>>>> local proxy command : plink.exe -t %user@%proxyhost -agent "ssh
>>>> -p %port -l role %host"\n
>>>
>>> I assume "ssh -p %port -l role %host" here is a command executed on
>>> the bastion to connect to the target. Currently it does not work as
>>> the target asks for the key known only for the bastion.
>>>
>>> You mentioned that "ssh-agent running well with the target.". If that
>>> means that bastion has ssh-agent running with a key for the target
>>> then in the above command you just need to tell the ssh where to look
>>> for ssh agent socket. You can do that with env command that sets
>>> SSH_AUTH_SOCK like in:
>>>
>>> plink.exe -t %user@%proxyhost -agent "env
>>> SSH_AUTH_SOCK=<path-to-socket> ssh -p %port -l role %host"
>>>
>>> The default socket location is /tmp/ssh-XXXXXXXXXX/agent.<ppid>. For
>>> maximum convenience you may run the ssh-agent on bastion with the -a
>>> option to specify the exact location of the socket like in:
>>>
>>> ssh-agent -a "$HOME/.ssh/agent-socket"
>>>
>>> and then set SSH_AUTH_SOCK in the above command to /home/user/.ssh/agent-socket
>>>
>>>
>>> On the other hand, a setup like that implies that one can always
>>> connect to the target if he has the key to the bastion. Moreover, anybody
>>> who can login to the bastion under your user name can also recover the
>>> private key for the target by inspecting ssh-agent memory. So the
>>> setup above is less secure than if you simply had the key to the
>>> target on your local box, properly password-protected and loaded into
>>> the putty agent.
>>>
>>> Regards, Igor
>>>
>>
>>
>> La Poste postscript
>>
>> This message is confidential. Subject to any agreement concluded in
>> writing between you and La Poste, its content in no way represents a
>> commitment on the part of La Poste. Any publication, use or
>> distribution, even partial, must be authorised in advance. If you are
>> not the intended recipient of this message, please notify the sender
>> immediately.
>>
>

--

Groupe La Poste

Nicolas Ferragu

IS Architect
Production Department, A2I Service

*CSP* - SHARED SERVICES CENTER
DSICORP - CORPORATE INFORMATION
SYSTEMS DEPARTMENT

19 BD GASTON DOUMERGUE
44262 NANTES CEDEX 2
Tel.: 02 51 84 49 43
nicolas.ferragu (at) laposte (dot) fr [email concealed] <mailto:nicolas.ferragu (at) laposte (dot) fr [email concealed]>
www.laposte.fr <http://www.laposte.fr>
Visitor address: Immeuble Atlantica

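As an added example, not code posted in this thread, here is a bastion-side wrapper for the setup Igor sketches above: the agent on the bastion is started with a fixed socket path (`ssh-agent -a "$HOME/.ssh/agent-socket"`, the path from Igor's message), and plink's remote command calls this wrapper instead of a bare `ssh`, so the target hop uses the bastion-held key. The wrapper first checks that the socket actually exists and that the agent has identities loaded, which are the two silent failure modes that otherwise surface as the target "asking for a key known only to the bastion". The function names, the `HOP_AGENT_SOCKET` variable and the exit-code handling are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): run this on the bastion as the remote
# command of the plink proxy, e.g.
#   plink.exe -t %user@%proxyhost -agent "hop -p %port -l role %host"
# Assumption: the bastion agent was started with
#   ssh-agent -a "$HOME/.ssh/agent-socket"
# HOP_AGENT_SOCKET (assumed name) can override that path.

# Print the agent socket path, failing unless it is a live unix socket.
agent_socket() {
    sock="${1:-$HOME/.ssh/agent-socket}"
    if [ ! -S "$sock" ]; then
        echo "no agent socket at $sock (start: ssh-agent -a \"$sock\")" >&2
        return 1
    fi
    printf '%s\n' "$sock"
}

# Succeed only if the agent behind socket $1 holds at least one identity.
# ssh-add -l exits 0 with identities, 1 when the agent is empty, 2 when the
# agent cannot be reached at all.
agent_has_keys() {
    command -v ssh-add >/dev/null 2>&1 || return 2
    SSH_AUTH_SOCK="$1" ssh-add -l >/dev/null 2>&1
}

# Hop to the target with the bastion-held agent; all arguments go to ssh.
hop() {
    sock=$(agent_socket "$HOP_AGENT_SOCKET") || return 1
    if ! agent_has_keys "$sock"; then
        echo "agent at $sock has no identities loaded (run: ssh-add)" >&2
        return 1
    fi
    # -t asks the target for a pty so vi and tab completion work through
    # plink's raw channel; exec hands the session over to ssh entirely.
    exec env SSH_AUTH_SOCK="$sock" ssh -t "$@"
}
```

Because the socket path is fixed and world-known, the usual caveat from Igor's message applies unchanged: anyone who can run commands on the bastion as this user can sign with the loaded keys, so keep the socket's directory mode `0700` and treat bastion logins as equivalent to holding the target keys.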

Copyright 2010, SecurityFocus