SSH in Bastion Mode with Jump Host Option

Fudo Enterprise allows for establishing a connection to a server using the Jump Host option.

This scenario assumes that when the user connects to a server acting as a Jump Host (192.168.10.90) via the SSH protocol, it automatically connects to the target server. The user must specify the following in the login string:

  • Username,
  • Account login on the Jump Host,
  • Address of the Jump Host,
  • Account login on the target server,
  • Address of the target server.

Prerequisites

Description below assumes that the system has been already initiated. The initiation procedure is described in the System initiation topic.


Configuration


Adding a Jump Host Server

Server is a definition of the IT infrastructure resource, which can be accessed over one of the specified protocols.


In the following configuration, provide the details of the server acting as the Jump Host.


  1. Select Management > Servers.
  2. Click Add server.
  1. Provide essential configuration parameters:
Parameter Value
Name ssh_server
Description fail
Blocked fail
Protocol SSH
Legacy cipher fail
Bind address Any
   
Destination  
IPv4 192.168.10.90
Port 22
  1. In the Server verification section select Server public key and click Get public key or provide respective public key data.
  2. Click Save and Exit.

Adding a User

User defines a subject entitled to connect to servers within monitored IT infrastructure. Detailed object definition (i.e. unique login and domain combination, full name, email address etc.) enables precise accountability of user actions when login and password are substituted with a shared account login credentials.


  1. Select Management > Users.
  2. Click Add.
  3. Provide essential user information:
Parameter Value
General  
Name john_smith
Role user
Blocked fail
Account validity Indefinite
   
Settings Tab  
Safes fail
   
Authentication section  
Authentication failures fail
Enforce password complexity fail
Add authentication method: Static password
Password john
   
User Data Tab  
Fudo domain fail
AD Domain fail
LDAP Base fail
Full name John Smith
Email john@smith.com
Organization fail
Phone fail
   
Permissions Tab  
Granted users fail
  1. Click Save.

Adding a Listener

Listener determines server connection mode (proxy, gateway, transparent, bastion) as well as its specifics.


  1. Select Management > Listeners.
  2. Click Add listener.
  1. Provide essential configuration parameters:
Parameter Value
Name ssh_listener
Blocked fail
Protocol SSH
Legacy cipher fail
Case insensitive fail
   
Permissions  
Authorized users fail
Connection mode Bastion
Local address 10.0.150.151
Port 22
External address fail
External port fail
  1. Click i to generate an SSH key or i to upload the server’s private key.

Note

For security reasons, the form will display the public key corresponding to the uploaded or generated private key.

  1. Click Save and Exit.

Note

Ensure that administrative access is not enabled in the network settings for the specified IP address - .

Adding an Account

Account defines the privileged account existing on the monitored server. It specifies the actual login credentials, user authentication mode: anonymous (without user authentication), regular (with login credentials substitution) or forward (with login and password forwarding); password changing policy as well as the password changer itself.


  1. Select Management > Accounts.
  2. Click Add account.
  1. Provide essential configuration parameters:
Parameter Value
Name admin_ssh_server
Blocked fail
Type REGULAR
Session recording noraw
Notes fail
   
Permissions  
Granted users fail
   
Target  
Server ssh_server
   
Credentials  
Domain fail
Login root
Replace secret password
Password password
   
Data retention  
Override global retention settings fail
  1. Click Save and Exit.

Adding a Safe

Safe directly regulates user access to monitored servers. It specifies available protocols’ features, policies and other details concerning users and servers relations.


  1. Select Management > Safes.
  2. Click Add safe.
  1. Provide essential configuration parameters:
Parameter Value
Name ssh_safe
Blocked fail
   
General  
Login reason fail
Session timeout fail
Session inactivity timeout fail
   
Functionality  
RDP fail
SSH ok
VNC fail
  1. Go to the USERS tab.
  2. Click Manage users.
  3. Find and select the user john_smith.
  4. Click Save.
  5. Go to the ACCOUNTS tab.
  6. Click Add account.
  7. Find and select the account admin_ssh_server.
  8. Click Save.
  9. Click in the Listeners column.
  10. Find and select the object ssh_listener.
  11. Click Save.
  12. Click Save and Exit.

Establishing a Connection

To establish a connection, use the following login string format in the terminal. The example below demonstrates logging in as root to the server 192.168.0.110 via the Jump Host server at 192.168.10.90.

ssh -J '<fudo-user>%%<jump-host-server-user>%%<jump-host-server-address>@<fudo-address>' <target-server-user>@<target-server-address>

Example:

ssh -J 'john_smith%%root%%192.168.10.90@10.0.150.151' root@192.168.0.110

Related Topics: