ThreatResponse / margaritashotgun

Remote Memory Acquisition Tool
https://www.threatresponse.cloud
MIT License

Proxy SSH connections through jump host #7

Closed joelferrier closed 7 years ago

KevinHock commented 7 years ago

I hit the same thing today. I see 2 options for what to do with the user: (a) a flag will have to be added for auth.method to be 'agent', or (b) when there isn't a password or a key, try to get it from the agent. I guess (a) is more work but clearer.

Without the -k I get

    File "build/bdist.linux-x86_64/egg/margaritashotgun/client.py", line 54, in run
    File "build/bdist.linux-x86_64/egg/margaritashotgun/workers.py", line 75, in spawn
    File "/usr/lib/python2.7/multiprocessing/pool.py", line 558, in get
      raise self._value
    AttributeError: SSHTunnel instance has no attribute 'local_port'

Control flow seems to reach https://github.com/ThreatResponse/margaritashotgun/blob/master/margaritashotgun/remote_host.py#L62 but I'm not sure why it isn't crashing with AuthenticationMethodMissingError instead of the AttributeError.

For getting Paramiko to get the private key from the agent instead of the command line I was thinking you could use http://docs.paramiko.org/en/2.0/api/agent.html#paramiko.agent.AgentRequestHandler

joelferrier commented 7 years ago

I think splitting jump hosts and agent authentication may simplify things a bit. I think we can implement jump hosts without adding agent authentication, but should definitely support it as an option later on.

SSH connections can be nested by creating a channel by calling open_channel on transport from an existing ssh connection (like to the jump host).

The next hop to the target host can be opened by passing the channel object from above as a named argument sock.

This Stack Overflow post follows a similar pattern to what I'm thinking.

This should drop right in for the RemoteShell class, the SSHTunnel class will look quite different and take a bit more work but should be doable. Some additional arguments will be required for specifying credentials for the jump host as well.

Let me know what you think about this method of nesting ssh connections.


I ran into that AttributeError as well yesterday evening. The exception occurs when the SSHTunnel class encounters an error while connecting and then SSHTunnel.cleanup is called.

    def cleanup(self):
        """
        Cleanup resources used during execution
        """
        logger.debug(("Stopping ssh tunnel {0}:{1}:{2} for "
                      "{3}@{4}".format(self.local_port,
                                       self.remote_address, self.remote_port,
                                       self.username, self.address)))

The root cause is that the local_port passed to SSHTunnel.start isn't cast to an integer in remote_host https://github.com/ThreatResponse/margaritashotgun/blob/master/margaritashotgun/remote_host.py#L139

I'll open a separate issue for this bug and wrap up my patch with an additional case in SSHTunnel.cleanup and the cast on local_port this evening.
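The nesting described in the comment above (open_channel on the jump host's transport, then passing the channel as sock for the next hop), as an added example that is not part of the thread and is not margaritashotgun's RemoteShell or SSHTunnel code. The names connect_via_jump and client_factory are hypothetical; the example also assumes both hosts are already in known_hosts and rejects unknown host keys on either hop.

```python
import contextlib


def _new_client():
    # Imported lazily so this module loads without paramiko installed;
    # paramiko is required to make real connections.
    import paramiko
    client = paramiko.SSHClient()
    client.load_system_host_keys()
    # Refuse unknown host keys on both hops instead of auto-adding them.
    client.set_missing_host_key_policy(paramiko.RejectPolicy())
    return client


@contextlib.contextmanager
def connect_via_jump(jump, target, client_factory=_new_client):
    """Yield an SSH client for `target`, reached through `jump`.

    `jump` and `target` are dicts of SSHClient.connect keyword arguments:
    hostname, port, username and either password or key_filename.
    `client_factory` is a hypothetical hook so the flow can be tested offline.
    """
    jump_client = client_factory()
    target_client = client_factory()
    try:
        jump_client.connect(**jump)
        # "direct-tcpip" asks the jump host's sshd to open a TCP connection
        # to the target and relay it over this channel.
        channel = jump_client.get_transport().open_channel(
            "direct-tcpip",
            (target["hostname"], target["port"]),  # destination
            ("127.0.0.1", 0),                      # nominal source address
        )
        # The channel stands in for a socket on the second hop. The target's
        # host key is still checked against known_hosts by hostname and port.
        target_client.connect(sock=channel, **target)
        yield target_client
    finally:
        # Close the inner session first, then the jump connection carrying it.
        target_client.close()
        jump_client.close()
```

The yielded client's exec_command then runs on the target, with the jump host only relaying the encrypted inner session.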

KevinHock commented 7 years ago

That sounds great 👍 I think most people will either (a) want to run margaritashotgun on their laptop and then be able to go through their bastion/jumpbox server to dump memory on any server or (b) have margarita on their jumpbox and be able to, from there, dump memory on any server. After you implement the nesting, I'll implement a solution to any problems Duo 2FA causes paramiko.

joelferrier commented 7 years ago

Jump Host support is merged to master.

I'm still tweaking a few things and updating documentation but it should be worth a quick test when you have a chance. I've included a Vagrantfile for testing as well as an example configuration file that should work with the vagrant boxes.

The new flags introduced are --jump-[server|port|username|password|key] which behave like the --server, --port, --username, --password, and --key flags.

A new revision should be landing in pypi with jump host support and the repository refactor in the next week or two.

KevinHock commented 7 years ago

Awesome! 👍

joelferrier commented 7 years ago

I missed closing this out, a new release is finally out with jump host support as documented here