Open ghost opened 7 years ago
Interesting use case.
But passing the server authentication first, i.e. before reaching aker as "user@destinationhost", won't work.
We could use the first parameter of the ssh connection as the destination host, using the same format as passing a script to execute, for example:

ssh user@bastionhost dest:destinationhost -> This will connect to the destinationhost
ssh user@bastionhost command -> If the first attribute does not start with dest:, it will be treated as a command
ssh user@bastionhost -> This will connect to the bastion host and show the connection list
Recreating the functionality inherent in OpenSSH would make some sense.
Aker would need to handle the client's sending of a proxy command, however.
debug1: Executing proxy command: exec ssh -W xxx.xxx.xxx.xxx:XX [hostname]
This would allow for greater utility and lower maintenance overhead where the destination hosts are under frequent change, as you would push the configuration down to the end user and not to the system itself.
So whilst I do like this idea, I do not at this time understand the implications of implementing it fully.
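The arrangement this comment describes, with the destination list pushed down to the end user's client and the bastion only relaying, as an added example that is not Aker's own configuration. The hostnames, the group name and the ForceCommand path are assumptions; the caveat that matters on the bastion side is that `ssh -W` uses a direct-tcpip channel rather than an exec session, so the ForceCommand never sees it and only the forwarding controls apply:

```sshconfig
# ~/.ssh/config on the end user's machine (added example, hostnames assumed).
# Every host under example.internal is reached through the bastion; the
# client runs "ssh -W <host>:<port> bastion" itself, which is the
# "Executing proxy command" line seen under ssh -v.
Host *.example.internal
    ProxyCommand ssh -W %h:%p bastion.example.com
    # On OpenSSH 7.3 and later the equivalent one-liner is:
    #   ProxyJump bastion.example.com

# /etc/ssh/sshd_config on the bastion (added example, group and path assumed).
# "ssh -W" opens a direct-tcpip channel, not an exec session, so the
# ForceCommand is never run for it. What does apply is AllowTcpForwarding,
# and PermitOpen is the place to restrict which targets the bastion will
# relay to; without it, a user could -W to anything the bastion can reach.
Match Group bastion-users
    ForceCommand /usr/local/bin/aker
    AllowTcpForwarding yes
    PermitOpen web01.example.internal:22 db01.example.internal:22
    X11Forwarding no
    PermitTunnel no
```

The two halves belong in different files; they are shown together only to make the pairing clear. The PermitOpen list is the bastion-side equivalent of the connection list the menu would otherwise show, and is the control that keeps the relay from becoming an open proxy.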
Input: OpenSSH stores the "$SSH_ORIGINAL_COMMAND" env when a user makes a connection.
Example with the command "env" entered as ForceCommand in sshd_config:
$ ssh test@bastion-aker echo "test"
Password:
Could not chdir to home directory /home/test: Permission denied
XDG_SESSION_ID=15
SELINUX_ROLE_REQUESTED=
SHELL=/bin/sh
SSH_CLIENT=1.2.3.4 45360 22
SELINUX_USE_CURRENT_RANGE=
USER=test
MAIL=/var/mail/test
PATH=/usr/local/bin:/usr/bin
PWD=/
LANG=fr_FR.UTF-8
SELINUX_LEVEL_REQUESTED=
KRB5CCNAME=KEYRING:persistent:198200012
SHLVL=1
HOME=/home/test
**SSH_ORIGINAL_COMMAND=echo test**
LOGNAME=test
SSH_CONNECTION=10.59.100.156 45360 10.3.95.168 22
XDG_RUNTIME_DIR=/run/user/198200011
_=/usr/bin/env
Maybe we can hook that to initiate the hop to the next server?
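A dispatcher that puts the two ideas in this thread together: the `dest:<host>` convention from the earlier comment and the `SSH_ORIGINAL_COMMAND` hook shown in this one. This is an added example and not Aker's code. The allowlist, hostnames, user names and ports are constructed; the only real interfaces used are the `SSH_ORIGINAL_COMMAND` variable sshd sets under ForceCommand and `execvp`. Where the earlier proposal would treat a non-`dest:` first word as a command, this example refuses it, since a bastion should not run arbitrary commands on itself:

```python
#!/usr/bin/env python3
"""ForceCommand dispatcher for an SSH bastion (added example, not Aker's code).

sshd runs this instead of the user's shell. It reads SSH_ORIGINAL_COMMAND,
which sshd sets to whatever the client asked to execute, and either hops to
a "dest:<host>" target from an allowlist, prints the allowlist when no
command was given, or refuses anything else.
"""
import os
import re
import shlex
import sys

# Constructed allowlist for the example. A real bastion would load this from
# its own configuration; the hosts, users and ports below are made up.
ALLOWED_HOSTS = {
    "web01.example.internal": {"user": "deploy", "port": 22},
    "db01.example.internal": {"user": "dba", "port": 2222},
}

DEST_PREFIX = "dest:"
# Conservative hostname shape: alphanumerics, dots and dashes, starting and
# ending with an alphanumeric. This alone rules out a leading '-' (option
# smuggling into ssh) and every shell metacharacter.
HOST_RE = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9.-]{0,252}[A-Za-z0-9])?$")


def parse_original_command(original):
    """Classify SSH_ORIGINAL_COMMAND.

    Returns ("menu", None) when no command was sent, ("hop", host) for
    "dest:<host>", and ("command", original) for anything else. A malformed
    dest: word raises ValueError rather than being passed on.
    """
    if original is None or original.strip() == "":
        return ("menu", None)
    try:
        words = shlex.split(original)
    except ValueError:
        # Unbalanced quotes: not a dest: request, hand it back unparsed.
        return ("command", original)
    first = words[0]
    if not first.startswith(DEST_PREFIX):
        return ("command", original)
    if len(words) != 1:
        raise ValueError("dest: takes no further arguments")
    host = first[len(DEST_PREFIX):]
    if not HOST_RE.match(host):
        raise ValueError("malformed destination host: %r" % host)
    return ("hop", host)


def build_hop_argv(host, allowed=ALLOWED_HOSTS):
    """Return the argv for the onward ssh, or raise PermissionError.

    An argv list is used instead of a shell string, so the user-supplied
    host can never be interpreted as shell syntax, and "--" ends ssh's
    option parsing so it cannot be read as an option either.
    """
    entry = allowed.get(host)
    if entry is None:
        raise PermissionError("destination not permitted: %s" % host)
    return ["ssh", "-p", str(entry["port"]), "--", "%s@%s" % (entry["user"], host)]


def main():
    try:
        kind, arg = parse_original_command(os.environ.get("SSH_ORIGINAL_COMMAND"))
        if kind == "hop":
            argv = build_hop_argv(arg)
            os.execvp(argv[0], argv)  # replaces this process with the onward ssh
        if kind == "menu":
            print("Permitted destinations (use: ssh <you>@bastion dest:<host>):")
            for name in sorted(ALLOWED_HOSTS):
                print("  " + name)
            return 0
        # Anything else would be a command run on the bastion itself; refuse.
        sys.stderr.write("refused: %s\n" % arg)
        return 1
    except (ValueError, PermissionError) as exc:
        sys.stderr.write("refused: %s\n" % exc)
        return 1


if __name__ == "__main__":
    sys.exit(main())
```

Installed as the ForceCommand, `ssh user@bastionhost dest:web01.example.internal` replaces the dispatcher with `ssh -p 22 -- deploy@web01.example.internal`, and a plain `ssh user@bastionhost` prints the permitted list. The host must pass both the hostname pattern and the allowlist before it reaches the argv, so neither shell metacharacters nor a leading `-` in the user-supplied word can reach ssh as anything but a hostname. Connections made with `ssh -W` never request an exec session and so never set `SSH_ORIGINAL_COMMAND`; this script does not see them.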
Thx @cowreth, I was testing something similar for a different feature; might consider it here too.
Using the same format as cryptoauditor connections, or an alternative, it would be great to connect directly to the final server instead of using a list if you know the hostname or the IP address.
For example:
ssh user@destinationhost@bastionhost -> This will connect to the destinationhost
ssh user@bastionhost -> This will connect to the bastion host and show the connection list