fosshostorg / aarch64

Dashboard and API for https://console.aarch64.com
https://console.aarch64.com
GNU Affero General Public License v3.0

SSH jump users on each host to allow native SSH over v4 #19

Closed haylinmoore closed 3 years ago

haylinmoore commented 3 years ago

I think it would be beneficial for there to be a way to SSH into the VMs over IPv4. While there is the console, it can be finicky and get into a limbo state where one has closed it, but it still believes it is open, so one cannot access it. A solution to allow for IPv4 SSH would be to create a "jump" user on each host with no password that is used to SSH jump to the IPv6-only VMs inside (https://wiki.gentoo.org/wiki/SSH_jump_host).

The base setup for this would be simple. Just add a user called "jump" without a password, like so:

echo jump:U6aMy0wojraho | sudo chpasswd -e

and adding

Match User jump
   AllowAgentForwarding no
   AllowTcpForwarding yes
   X11Forwarding no
   PermitTunnel no
   GatewayPorts no
   ForceCommand echo 'This account can only be used for ProxyJump (ssh -J)'
   PermitEmptyPasswords yes

to the /etc/ssh/sshd_config of the hosts. This jump user cannot gain a CLI or do anything besides jump to another host. The issue then is that the "jump" user could be used to try to SSH into remote boxes and abused. I think SSH traffic could be limited using an iptables rule that only applies to the "jump" user, but I have not had time to test that yet (https://www.cyberciti.biz/tips/block-outgoing-network-access-for-a-single-user-from-my-server-using-iptables.html).

Logging in with the jump user would be as simple as ssh -J jump@host.aarch64.com user@IPv6ofVM.
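As an added example (not code from the fosshostorg/aarch64 repo), the Match block above can be audited offline before it is rolled out to each host: the script below computes the directives sshd would apply to the jump user and flags the gap the post raises, since without a PermitOpen directive AllowTcpForwarding yes lets the account tunnel to any destination. The sample config is constructed from the snippet above, and only Match User criteria are handled (an assumption of this example).

```python
"""Added example, not code from the fosshostorg/aarch64 repo: evaluate 'Match User' blocks
of an sshd_config text for one user and audit the jump account. Only 'Match User <list>'
criteria are handled (an assumption of this example)."""
REQUIRED = {  # directives the jump account must carry; None means any value is accepted
    "allowagentforwarding": "no", "allowtcpforwarding": "yes", "x11forwarding": "no",
    "permittunnel": "no", "gatewayports": "no", "forcecommand": None}
# Constructed sample config; the Match block mirrors the snippet from the issue.
SAMPLE_CONFIG = """\
PermitEmptyPasswords no
AllowTcpForwarding no
Match User jump
   AllowAgentForwarding no
   AllowTcpForwarding yes
   X11Forwarding no
   PermitTunnel no
   GatewayPorts no
   ForceCommand echo 'This account can only be used for ProxyJump (ssh -J)'
   PermitEmptyPasswords yes
"""

def effective_settings(config_text, user):
    """Return {keyword: value} seen by `user`: sshd keeps the first value per section and
    a matching Match block overrides the global section (keywords are case-insensitive)."""
    glob, matched, in_match, active = {}, {}, False, False
    for raw in config_text.splitlines():
        parts = raw.split("#", 1)[0].strip().split(None, 1)  # drop comments, split keyword
        if not parts:
            continue
        key, value = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if key == "match":
            in_match, crit = True, value.split()
            active = len(crit) > 1 and crit[0].lower() == "user" and user in crit[1].split(",")
        elif not in_match:
            glob.setdefault(key, value)
        elif active:
            matched.setdefault(key, value)
    return {**glob, **matched}

def audit_jump_user(config_text, user="jump"):
    """List gaps in the jump account's confinement; an empty list means it passes."""
    eff, findings = effective_settings(config_text, user), []
    for key, want in REQUIRED.items():
        got = eff.get(key)
        if got is None:
            findings.append(f"{key} not set for {user}")
        elif want is not None and got.lower() != want:
            findings.append(f"{key} is {got!r}, expected {want!r}")
    # Without PermitOpen the user may forward to any host: the abuse the issue raises.
    if "permitopen" not in eff:
        findings.append("no PermitOpen: forwarding destinations unrestricted")
    return findings
```

On a live host, `sshd -T -C user=jump` prints the same effective view authoritatively.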

natesales commented 3 years ago

Great idea! Added in 92a5f2fd2e4ba8426bb8096094b7032bde00ddf9