
We have isolated servers, and I need to enable/disable access to a server through the jump host when the admin requests it.

I am using openssh-server 8.9 on all machines, and the client and servers are running Ubuntu 22.04.

For example, the admin might request enabling S1 access and disabling S2 and S3 access.

Currently,

  1. I copy the public key of the jump host into authorized_keys on the S1 server,

  2. use awk/sed to remove the jump host's public key from authorized_keys on the other two servers, and

  3. update /etc/ssh/ssh_config with the jump host.

Is there a best approach to automating this procedure effectively?

                                                                            +---------------+
                                                                            |               |
                                                                            |               |
                                                                            |               |
                                                             +-------------->               |
                                                             |              |     S1 Server |
                                                             |              |               |
                                                             |              |               |
                                                             |              +---------------+
                                                             |
+-----------------+               +------------------+       |
|                 |               |                  |       |
|                 |               |                  |       |                +--------------+
|    Client       |               |                  |       |                |              |
|                 +-------------->|    Jump Host     +-------+                |              |
|                 |               |                  |       |                |              |
|                 |               |                  |       |                |              |
+-----------------+               +------------------+       |                |  S2 Server   |
                                                             +---------------->              |
                                                             |                |              |
                                                             |                |              |
                                                             |                +--------------+
                                                             |
                                                             |
                                                             |
                                                             |                 +--------------+
                                                             |                 |              |
                                                             |                 |              |
                                                             |                 |              |
                                                             |                 |              |
                                                             |                 |   S3 Server  |
                                                             |                 |              |
                                                             +----------------->              |
                                                                               |              |
                                                                               |              |
                                                                               +--------------+
Mallikarjunarao Kosuri
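The three steps above (add the jump host's key to one server, strip it from the others, give the client a ProxyJump entry) can be driven by one small script instead of hand-edited awk/sed. The script below is an added example, not code from the question or its comments. It assumes the admin can run it on each S1/S2/S3 with write access to the target user's authorized_keys, the jump host address 10.0.0.10, a guest login name of `guest`, and the ed25519 key shown, all of which are constructed placeholders. It matches on the key's base64 blob as a fixed string, so a comment field or a similar-looking key on the same server is never touched, and it prefixes the key with `from=` and `restrict` so sshd only accepts it for connections that actually arrive via the jump host and without port/agent/X11 forwarding or a PTY.

```shell
#!/bin/sh
# Added example (not from the original post): idempotent enable/disable of a
# jump host's public key in a server's authorized_keys, plus the matching
# client-side ssh_config stanza. Key, address and user below are assumptions.
set -eu

# Constructed sample key; replace with the jump host's real public key.
JUMP_KEY_TYPE="ssh-ed25519"
JUMP_KEY_BLOB="AAAAC3NzaC1lZDI1NTE5AAAAIExampleJumpHostKeyBlobPlaceholder00000"
JUMP_KEY_COMMENT="jumphost"
# Assumed jump host address. from= makes sshd reject the key when the TCP
# connection does not originate there; restrict turns off forwarding, PTY,
# agent, X11 and user-rc, so the key cannot be repurposed as a tunnel.
JUMP_HOST_ADDR="10.0.0.10"
GUEST_USER="guest"   # assumed login name created for the client on S1..S3

# key_present FILE -> exit 0 if the jump host key blob is already in FILE
key_present() {
    [ -f "$1" ] && grep -Fq "$JUMP_KEY_BLOB" "$1"
}

# count_keys FILE -> number of lines carrying the jump host key blob
count_keys() {
    [ -f "$1" ] || { echo 0; return 0; }
    grep -Fc "$JUMP_KEY_BLOB" "$1" || true   # grep -c prints 0 but exits 1 on no match
}

# enable_key FILE: append the restricted jump host key exactly once
enable_key() {
    file=$1
    if key_present "$file"; then
        return 0
    fi
    if [ ! -f "$file" ]; then
        mkdir -p "$(dirname "$file")"
        (umask 077 && : > "$file")   # sshd refuses group/world-writable files
    fi
    printf 'from="%s",restrict %s %s %s\n' "$JUMP_HOST_ADDR" \
        "$JUMP_KEY_TYPE" "$JUMP_KEY_BLOB" "$JUMP_KEY_COMMENT" >> "$file"
}

# disable_key FILE: remove every line carrying the key blob (fixed-string
# match on the blob, not a regex on the comment), keeping all other keys
disable_key() {
    file=$1
    [ -f "$file" ] || return 0
    tmp="$file.tmp.$$"
    grep -Fv "$JUMP_KEY_BLOB" "$file" > "$tmp" || true   # exit 1 if nothing left
    cat "$tmp" > "$file"   # rewrite in place to keep the file's mode and owner
    rm -f "$tmp"
}

# client_stanza SERVER: the ~/.ssh/config stanza the client needs (step 3);
# ProxyJump routes the session through the jump host with no manual -J
client_stanza() {
    printf 'Host %s\n    HostName %s\n    User %s\n    ProxyJump %s\n' \
        "$1" "$1" "$GUEST_USER" "$JUMP_HOST_ADDR"
}

# Dispatch: enable|disable|status FILE, or stanza SERVER. Does nothing when
# run without arguments, so the functions can also be sourced and reused.
if [ "$#" -ge 2 ]; then
    case "$1" in
        enable)  enable_key "$2" ;;
        disable) disable_key "$2" ;;
        status)  count_keys "$2" ;;
        stanza)  client_stanza "$2" ;;
        *) echo "usage: $0 enable|disable|status AUTHORIZED_KEYS | stanza SERVER" >&2; exit 2 ;;
    esac
fi
```

Run it on each server in turn, e.g. `enable /home/guest/.ssh/authorized_keys` on S1 and `disable` on S2 and S3; no sshd restart is needed because sshd re-reads authorized_keys on every authentication attempt. Note that `restrict` limits what the key can do, not what the guest user can do once logged in: the point raised in the comments about a knowledgeable user planting a way back in still stands, and deleting the guest account after the window closes is the real control for that.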
  • How many clients (persons, not systems) do you have? I understand you are using a single account on Jump to ssh to S1…3, is that right? More questions: where is "the admin"? Can s/he log in directly to any host? Does s/he also have to enter through Jump? + Be VERY careful with allow/deny access to the same person. Once a person is in, if s/he is knowledgeable enough, it's really difficult to guarantee s/he has not planted some trap to enter again whenever s/he wants. There are a million ways to do it. You should probably move this question to https://security.stackexchange.com/ – Toni Homedes i Saun Apr 15 '23 at 06:40
  • A random person wants to debug something on the host. The admin sits in the same network as the server and can log in to any host at any point in time. The admin will enable the SSH configuration and restart the SSH server on the host when a client wants to connect to S1/S2/S3. For each enable request a Linux guest user will be created for the client and will be deleted after the disable request. Still, will s/he be able to plant any trap, even with the creation of guest accounts? – Mallikarjunarao Kosuri Apr 15 '23 at 17:17
