How to configure a Jump Proxy

“Security” by CarbonNYC [in SF!] is licensed with CC BY 2.0.

A Jump Proxy or Jump Host is a server or device used as a bridge to reach another device, usually one on a local area network (LAN). The Jump Proxy is reachable from an external IP, so it must enforce security rules that protect both the Jump Proxy itself and the LAN behind it.

The first step to configure a Jump Proxy is to create a user for this purpose.

Create the user

$ adduser jumper

After that we must configure the SSH service to restrict this user so that it can only be used for TCP forwarding. To do this, edit the configuration file of the sshd service.

Edit sshd_config

Open the /etc/ssh/sshd_config file with your favorite text editor and add the following lines:

Match User jumper
   AllowAgentForwarding no
   AllowTcpForwarding yes
   X11Forwarding no
   PermitTunnel no
   GatewayPorts no
   ForceCommand echo 'This user can only be used as a jumper  (ssh -J)'

If we try to connect to our Jump Proxy server with:

$ ssh jumper@Server-IP-Or-Domain

You get this message:

This user can only be used as a jumper  (ssh -J)
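To confirm that the Match block really took effect for the jumper user, the following script (an added example, not from the original post) checks a dump of sshd's effective configuration. On the jump proxy, `sshd -T -C user=jumper` prints the settings that apply to that user; here the script runs against constructed dumps so it works offline. The permitopen warning reflects an assumption of this example: the post's configuration does not set PermitOpen, so it keeps its default and the jumper user can forward to any address the proxy can reach.

```shell
#!/bin/sh
# Added example, not from the original post: check that sshd's effective
# configuration for the jump user matches the Match block above.
# Live use on the jump proxy:   sshd -T -C user=jumper | check_jump_policy
# The dumps below are constructed so the script also runs offline.

# check_jump_policy reads "sshd -T" style output on stdin (one lowercase
# "keyword value" pair per line) and returns 0 only when every directive
# from the Match block has its intended value. Each mismatch is printed
# on a line starting with FAIL.
check_jump_policy() {
    expected="allowtcpforwarding=yes
allowagentforwarding=no
x11forwarding=no
permittunnel=no
gatewayports=no"
    dump=$(cat)
    rc=0
    for pair in $expected; do
        key=${pair%%=*}
        want=${pair#*=}
        got=$(printf '%s\n' "$dump" | awk -v k="$key" '$1 == k { print $2; exit }')
        if [ "$got" != "$want" ]; then
            printf 'FAIL: %s is "%s", expected "%s"\n' "$key" "${got:-unset}" "$want"
            rc=1
        fi
    done
    # ForceCommand must be set ("none" means the user would get a real shell).
    fc=$(printf '%s\n' "$dump" | awk '$1 == "forcecommand" { $1 = ""; print substr($0, 2); exit }')
    if [ -z "$fc" ] || [ "$fc" = "none" ]; then
        echo "FAIL: forcecommand is not set, jumper would get an interactive shell"
        rc=1
    fi
    # Assumption of this example: the post does not set PermitOpen, so it keeps
    # its default "any" and the jump user may forward to anything the proxy
    # can reach. That is reported as a warning, not a failure.
    po=$(printf '%s\n' "$dump" | awk '$1 == "permitopen" { print $2; exit }')
    [ "$po" = "any" ] && echo "WARN: permitopen is \"any\"; consider limiting it to the VM addresses"
    return $rc
}

# Constructed dump resembling "sshd -T -C user=jumper" once the Match block applies.
GOOD_DUMP='allowagentforwarding no
allowtcpforwarding yes
x11forwarding no
permittunnel no
gatewayports no
permitopen any
forcecommand echo This user can only be used as a jumper (ssh -J)'

# Constructed dump for a jumper whose Match block never loaded: two directives wrong.
BAD_DUMP='allowagentforwarding yes
allowtcpforwarding yes
x11forwarding no
permittunnel no
gatewayports no
permitopen any
forcecommand none'

# count_failures DUMP prints how many FAIL lines the check produces for DUMP.
count_failures() {
    printf '%s\n' "$1" | check_jump_policy | grep -c '^FAIL'
}

# check_dump DUMP returns the policy check's exit status for DUMP.
check_dump() {
    printf '%s\n' "$1" | check_jump_policy >/dev/null
}

check_dump "$GOOD_DUMP" && echo "jumper policy OK"
check_dump "$BAD_DUMP" || echo "jumper policy REJECTED ($(count_failures "$BAD_DUMP") problems)"
```

The check only reads the dump, so it can run from a configuration-management job or a cron task on the proxy; a non-zero exit is the signal that someone edited sshd_config and the jumper restrictions no longer hold.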

Add your VMs or bare-metal devices to /etc/hosts

This step is not necessary if you have a DNS service on your LAN. The important thing is that the Jump Proxy server can resolve the IP addresses of the devices you want to connect to.

# VM IPs
192.168.100.2 vm1
192.168.100.3 vm2
192.168.100.4 vm3

Connect to your VM

To connect to the virtual machines we must use an ssh client that supports the Jump (-J) option.

$ ssh -J jumper@Server-IP-Or-Domain admin@VM

Where:

  • Server-IP-Or-Domain: is the Jump Proxy IP or domain name.
  • VM: can be any name added to the /etc/hosts file (vm1, vm2, vm3).

The ssh client will first ask for jumper's password and then for admin's password (the admin user must already exist on each of the VMs). Later I will explain how to use public and private keys instead of a username and password.

Use Cygwin

If you are a Windows user I recommend that you migrate to GNU/Linux :) If you can't, you must install Cygwin, or Windows Terminal if you are using Windows 10. I prefer Cygwin because it gives me a full GNU/Linux environment.

Download Cygwin

Download the installer from setup-x86_64.exe

Install

Run the installer, select the OpenSSH package, and click Next until the installation finishes.

Start Cygwin

After Cygwin is started you can type this command:

$ ssh -J jumper@Server-IP-Or-Domain admin@VM

Using public and private keys

Public and private key authentication improves security and frees users from remembering complicated passwords, but it has the drawback that you have to maintain the authorized_keys file (located under the .ssh directory). Before connecting, verify:

  1. The .ssh directory has 700 (rwx------) permissions.
  2. The authorized_keys file has 600 (rw-------) permissions.
  3. The public key in the authorized_keys file is identical to your public key file. You can find your public key (the .pub file) under your .ssh directory.

Generate the keys

$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/tester/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/tester/.ssh/id_rsa
Your public key has been saved in /home/tester/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:arSKOaNmL/YX1Y7IwuiLVicHh8bjrQDidqMXzXfY58U tester@testing
The key's randomart image is:
+---[RSA 3072]----+
|                 |
|                 |
|  . .   .        |
|o  * . . .       |
|+ = O + S   .    |
| = X @ * + . E   |
|o = O * . o .    |
|.Oo= +     .     |
|BoO=o            |
+----[SHA256]-----+

Leave the passphrase empty, otherwise you will have to type it every time you connect to the VM. The previous command generated two files:

id_rsa
id_rsa.pub

Now you must copy the content of the public key into the authorized_keys file. Never hand out your private key: it is like the key to your front door :).

Copy the public key to the Jump Proxy Server

  1. Authenticate to the server through ssh as root, or as another user created for that purpose:
    $ ssh root@Server-IP-Or-Domain
    
  2. With this command we switch to the jumper user and start in its home directory:
    # su - jumper
    
  3. Open the .ssh/authorized_keys file with your favorite editor.
  4. Add the content of your public key (id_rsa.pub).
  5. Save.
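The manual edit above is easy to get wrong (a duplicated line, a missing trailing newline, a directory left world-readable). The following script is an added example, not code from the original post: it installs a public key into a user's authorized_keys idempotently and then performs the three checks listed earlier (700 on .ssh, 600 on authorized_keys, the key present). The demo home directory and DEMO_PUB key are constructed; on the jump proxy you would run it as jumper against `$HOME` and the transferred id_rsa.pub.

```shell
#!/bin/sh
# Added example, not code from the original post: install a public key into
# a user's authorized_keys idempotently and verify the three checks from the
# post (700 on .ssh, 600 on authorized_keys, key present).
# The demo home directory and DEMO_PUB key below are constructed.
# Real use, after "su - jumper" on the proxy:
#     install_pubkey "$HOME" /tmp/id_rsa.pub && verify_authorized_keys "$HOME" /tmp/id_rsa.pub
# (if run as root instead, chown the .ssh directory to jumper afterwards).

# mode_of prints the octal permission bits of a path (GNU stat, BSD fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null
}

# key_id prints "type blob" for each key line in a file, dropping the comment,
# so keys compare equal even if the trailing user@host comment differs.
key_id() {
    awk 'NF >= 2 && $1 !~ /^#/ { print $1, $2 }' "$1"
}

# install_pubkey HOME_DIR PUBKEY_FILE
# Creates HOME_DIR/.ssh (700) and authorized_keys (600) when missing and
# appends the key only when it is not already present.
install_pubkey() {
    home=$1; pub=$2
    sshdir="$home/.ssh"; ak="$sshdir/authorized_keys"
    mkdir -p "$sshdir" && chmod 700 "$sshdir"
    [ -f "$ak" ] || : > "$ak"
    chmod 600 "$ak"
    if ! key_id "$ak" | grep -qxF "$(key_id "$pub")"; then
        awk '{ print }' "$pub" >> "$ak"   # awk guarantees a trailing newline
    fi
}

# verify_authorized_keys HOME_DIR PUBKEY_FILE
# Returns 0 only when .ssh is 700, authorized_keys is 600 and the public
# key is present; prints which check failed otherwise.
verify_authorized_keys() {
    home=$1; pub=$2
    sshdir="$home/.ssh"; ak="$sshdir/authorized_keys"
    rc=0
    [ "$(mode_of "$sshdir")" = "700" ] || { echo "FAIL: $sshdir is not mode 700"; rc=1; }
    [ "$(mode_of "$ak")" = "600" ] || { echo "FAIL: $ak is not mode 600"; rc=1; }
    key_id "$ak" | grep -qxF "$(key_id "$pub")" \
        || { echo "FAIL: key from $pub is not in $ak"; rc=1; }
    return $rc
}

# Constructed demo key: the blob is not a real key; any "type blob comment" line works.
DEMO_PUB='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDEMOKEYNOTREAL tester@testing'

# demo installs the key twice (to show it is not duplicated), verifies, then
# loosens the file permissions to show the verification catching it.
# Prints "<lines in authorized_keys> <verify ok?> <verify ok after chmod 644?>".
demo() {
    tmp=$(mktemp -d)
    printf '%s\n' "$DEMO_PUB" > "$tmp/id_rsa.pub"
    install_pubkey "$tmp/home" "$tmp/id_rsa.pub"
    install_pubkey "$tmp/home" "$tmp/id_rsa.pub"
    lines=$(wc -l < "$tmp/home/.ssh/authorized_keys" | tr -d ' ')
    verify_authorized_keys "$tmp/home" "$tmp/id_rsa.pub" >/dev/null && ok=1 || ok=0
    chmod 644 "$tmp/home/.ssh/authorized_keys"
    verify_authorized_keys "$tmp/home" "$tmp/id_rsa.pub" >/dev/null && still_ok=1 || still_ok=0
    rm -rf "$tmp"
    echo "$lines $ok $still_ok"
}

demo    # prints: 1 1 0
```

Comparing on the key type and blob rather than the whole line means a key re-added with a different comment is still recognised as already installed, which keeps authorized_keys from growing with duplicates every time someone follows the steps again.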

Copy the public key to the VM

The procedure for the virtual machine is simpler, just run:

$ ssh-copy-id -i .ssh/id_rsa.pub -o 'ProxyJump jumper@Server-IP-Or-Domain' admin@VM

Enter the password for the admin user, then you can connect to the virtual machine using public and private keys.

$ ssh -J jumper@Server-IP-Or-Domain admin@VM

If the above command seems too long then create the .ssh/config file and add:

Host proxy
    HostName Server-IP-Or-Domain
    Port 22
    User jumper
Host vm1
    HostName vm1
    Port 22
    User admin
    ProxyJump proxy
Host vm2
    HostName vm2
    Port 22
    User admin
    ProxyJump proxy
Host vm3
    HostName vm3
    Port 22
    User admin
    ProxyJump proxy

Now you can connect typing:

$ ssh hostname

where hostname is vm1, vm2 or vm3.

Further readings

  • man ssh
  • man sshd_config
  • YouTube video
