aker-gateway / Aker

SSH bastion/jump host/jumpserver
566 stars, 71 forks

[RFE] Direct access to destination host in the ssh initial command #24

Open ghost opened 7 years ago

ghost commented 7 years ago

Using the same format as CryptoAuditor connections, or an alternative, it would be great to connect directly to the final server instead of using a list if you know the hostname or the IP address.

For example:

ssh user@destinationhost@bastionhost -> This will connect to the destinationhost
ssh user@bastionhost -> This will connect to the bastion host and show the connection list

anazmy commented 7 years ago

Interesting use case.

But passing the server authentication first, i.e. before reaching Aker, as "user@destinationhost" won't work.

ghost commented 7 years ago

We could use the first parameter of the ssh connection as the destination host, using the same format as passing a script to execute, for example:

ssh user@bastionhost dest:destinationhost -> This will connect to the destinationhost
ssh user@bastionhost command -> If the first attribute does not start with dest:, it will be treated as a command
ssh user@bastionhost -> This will connect to the bastion host and show the connection list

Oneiroi commented 7 years ago

Recreating the functionality inherent in OpenSSH would make some sense.

Aker would need to handle the client's sending of a proxy command, however.

debug1: Executing proxy command: exec ssh -W xxx.xxx.xxx.xxx:XX [hostname]

This would allow for greater utility and lower maintenance overhead where the destination hosts are under frequent change, as you would push the configuration down to the end user and not to the system itself.

So whilst I do like this idea, I do not at this time understand the implications of implementing it fully.

cowreth commented 7 years ago

Input: OpenSSH stores the "$SSH_ORIGINAL_COMMAND" env when a user makes a connection.

Example with the command "env" entered as ForceCommand in sshd_config:

  $ ssh test@bastion-aker echo "test"
  Password: 
  Could not chdir to home directory /home/test: Permission denied
  XDG_SESSION_ID=15
  SELINUX_ROLE_REQUESTED=
  SHELL=/bin/sh
  SSH_CLIENT=1.2.3.4 45360 22
  SELINUX_USE_CURRENT_RANGE=
  USER=test
  MAIL=/var/mail/test
  PATH=/usr/local/bin:/usr/bin
  PWD=/
  LANG=fr_FR.UTF-8
  SELINUX_LEVEL_REQUESTED=
  KRB5CCNAME=KEYRING:persistent:198200012
  SHLVL=1
  HOME=/home/test
**SSH_ORIGINAL_COMMAND=echo test**
  LOGNAME=test
  SSH_CONNECTION=10.59.100.156 45360 10.3.95.168 22
  XDG_RUNTIME_DIR=/run/user/198200011
  _=/usr/bin/env

Maybe we can hook that to initiate the hop to the next server?
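The two mechanisms discussed in this thread fit together: the `dest:destinationhost` convention proposed above is exactly the string that arrives in `$SSH_ORIGINAL_COMMAND` when sshd runs a `ForceCommand`. The following is an added example of such a dispatcher, written for this page and not taken from the Aker project; it assumes a `ForceCommand /usr/local/bin/bastion-dispatch` line in `sshd_config`, a constructed host inventory (`ALLOWED_HOSTS`), and the hypothetical function names `parse_original_command` and `build_hop_argv`. The security points it demonstrates are the ones a bastion must get right here: the command string is attacker-controlled, so the destination is validated against an allow list and a strict hostname pattern (which also blocks option injection such as `dest:-oProxyCommand=...`), and the hop is executed with an argv list rather than through a shell.

```python
#!/usr/bin/env python3
"""Hypothetical ForceCommand dispatcher for an SSH bastion.

Added example, not Aker's code.  Assumed sshd_config on the bastion:

    Match Group bastion-users
        ForceCommand /usr/local/bin/bastion-dispatch

sshd then runs this script and places whatever the client asked for in
$SSH_ORIGINAL_COMMAND, e.g.  `ssh user@bastionhost dest:db01`  ->  "dest:db01".
"""
import os
import re
import shlex
import sys

# Constructed inventory standing in for the bastion's real host list.
ALLOWED_HOSTS = {"web01": "10.0.1.11", "db01": "10.0.2.21"}

# Conservative hostname shape: first char alphanumeric, so "-o..." can never
# be smuggled in as an ssh option; no whitespace, quotes or shell metacharacters.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$")


def parse_original_command(cmd):
    """Classify the raw $SSH_ORIGINAL_COMMAND value.

    Returns one of:
      ("menu", None)          no command: show the host list, as Aker does today
      ("hop", hostname)       first word is dest:<allowed host>
      ("command", argv)       anything else, per the proposal in this thread
      ("reject", reason)      malformed or not permitted
    """
    if cmd is None or not cmd.strip():
        return ("menu", None)
    try:
        argv = shlex.split(cmd)          # tokenise, never evaluate
    except ValueError:
        return ("reject", "unparseable command")
    if not argv:
        return ("menu", None)
    first = argv[0]
    if first.startswith("dest:"):
        host = first[len("dest:"):]
        if len(argv) != 1:
            return ("reject", "dest: takes no extra arguments")
        if not HOSTNAME_RE.match(host):  # rejects "", "-oProxyCommand=id", "a b"
            return ("reject", "invalid hostname")
        if host not in ALLOWED_HOSTS:
            return ("reject", "host not permitted")
        return ("hop", host)
    return ("command", argv)


def build_hop_argv(user, host):
    """argv for the onward hop.  `user` is the bastion login (set by sshd, trusted);
    `host` has already passed the allow list, so it is resolved to its address."""
    return ["ssh", "-l", user, ALLOWED_HOSTS[host]]


def main():
    kind, payload = parse_original_command(os.environ.get("SSH_ORIGINAL_COMMAND"))
    user = os.environ.get("USER", "")
    if kind == "hop":
        # execvp with a list: no shell ever sees the user-supplied string.
        os.execvp("ssh", build_hop_argv(user, payload))
    elif kind == "menu":
        print("Available hosts:")
        for name, addr in sorted(ALLOWED_HOSTS.items()):
            print(f"  {name}\t{addr}")
    elif kind == "command":
        # Policy choice for this example: a bastion refuses arbitrary commands.
        # A project that wants the "treat it as a command" branch from the
        # proposal would route argv through its own audited executor here.
        sys.stderr.write("commands are not allowed on the bastion\n")
        sys.exit(1)
    else:
        sys.stderr.write(f"rejected: {payload}\n")
        sys.exit(1)


if __name__ == "__main__":
    main()
```

Two caveats worth keeping in mind when wiring this into a bastion. First, `ForceCommand` only covers the exec/shell channel; the `ssh -W host:port` proxy command shown in the debug line earlier in this thread asks the jump host for a `direct-tcpip` forwarding channel and never sets `SSH_ORIGINAL_COMMAND`, so that path has to be handled (or denied with `AllowTcpForwarding no`) separately. Second, the onward `ssh` still authenticates the user to the destination, so the bastion needs agent forwarding, a certificate, or its own key management for the second hop; the dispatcher above deliberately does not touch that.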

anazmy commented 7 years ago

Thx @cowreth, I was testing something similar for a different feature, might consider it here too.