SSH jump server access control?
-
I've seen a few different projects / services built around Apache Guacamole that might suit your needs.
Basically the user connects to the Guacamole / jump box but you would have to administratively create the "bookmarks" or connections that their user would be able to use from there.
For the life of me, I can't seem to find anything today, but unless I was imagining things I'd come across a couple of setups that could possibly meet your needs about a month or 2 ago.
-
Blocking by user sounds like a complete fucking mess.
Why not just add TOTP based 2FA to your
ssh
or something? It is available on pretty much everything.You have key based auth only access already right? How much cost are you wanting to add here? Versus how much actual risk?
I mean the only purpose of this is to protect from a compromised internal user that uses
ssh
. The threat level should mean something extremely targeted is already the only credible attack vector. -
@JaredBusch said in SSH jump server access control?:
Blocking by user sounds like a complete fucking mess.
Why not just add TOTP based 2FA to your
ssh
or something? It is available on pretty much everything.You have key based auth only access already right? How much cost are you wanting to add here? Versus how much actual risk?
I mean the only purpose of this is to protect from a compromised internal user that uses
ssh
. The threat level should mean something extremely targeted is already the only credible attack vector.A lot of threats are internal. But internal could also mean contractor or another external party. Or someone getting hold of their credentials, like in the uber attack (search "mfa fatigue").
It's very common to limit network access on a user basis, I just didn't know how it was done on an ssh jump server.
PS. I actually think outgoing access control can be done in the jump servers sshd_config directly. Keywords are ProxyJump, PermitOpen, Match on user and disable shell.
In theory the jump server can then only be used to jump to other servers and only the ones that are allowed for each user.
-
@Pete-S said in SSH jump server access control?:
It's very common to limit network access on a user basis, I just didn't know how it was done on an ssh jump server.
Not that common, even on Wall St. and Federal Government I've never seen it used. So much complication for essentially no value. Since you already limit by user, what additional benefit does it add? In theory, it's a MFA that says "X user will only exist at Y address" and yes, that's not a non-zero value. But it's a really low value. In the modern world, being able to limit users to a pre-determined set of network addresses AND correctly identifying those addresses (instead of identifying the jump server for example) is both impractical and ineffective. Exceptions exist, but it's... weird.
-
@Pete-S said in SSH jump server access control?:
PS. I actually think outgoing access control can be done in the jump servers sshd_config directly. Keywords are ProxyJump, PermitOpen, Match on user and disable shell.
That's possible, too. But outbound can be done at the firewall.
-
@scottalanmiller said in SSH jump server access control?:
@Pete-S said in SSH jump server access control?:
It's very common to limit network access on a user basis, I just didn't know how it was done on an ssh jump server.
Not that common, even on Wall St. and Federal Government I've never seen it used. So much complication for essentially no value. Since you already limit by user, what additional benefit does it add? In theory, it's a MFA that says "X user will only exist at Y address" and yes, that's not a non-zero value. But it's a really low value. In the modern world, being able to limit users to a pre-determined set of network addresses AND correctly identifying those addresses (instead of identifying the jump server for example) is both impractical and ineffective. Exceptions exist, but it's... weird.
Nowadays we see it all the time when given access to enterprise server infrastructure. Everything is completely locked down to just the IPs and ports needed. That wasn't the case say 5-6 years ago.
So it seems standard to me, but who knows? They probably have it in their admin tools so no extra work needed. I highly doubt there is any manual work involved.
-
@Pete-S said in SSH jump server access control?:
Nowadays we see it all the time when given access to enterprise server infrastructure. Everything is completely locked down to just the IPs and ports needed. That wasn't the case say 5-6 years ago.
We see that as a standard limitation by company, not by user, and "to" site, not to resource within a site.
So for example, NTG's Jump IP address is provided to customers who allow access to the entry point at the site (outside firewall) to a resource only from that IP address.
But they don't check users at that time, they check user ID at a different time (since they don't know the user till after the connection is made) and it's not such a wild pool.
-
@Pete-S said in SSH jump server access control?:
So it seems standard to me, but who knows? They probably have it in their admin tools so no extra work needed. I highly doubt there is any manual work involved.
Seems like their must be. Somehow you have to track every potential IP of every potential user and map that to resources inside the network which would likely require all kinds of special code on every service. But it also has to be done BEFORE access to exist. HOW do they do it, I wonder?
Dollars to donuts most vendors claiming this don't actually do it and no one knows how to check so they don't realize it isn't happening and so there are lots of people verifying it and so it seems reasonable that it's happening. But I bet it isn't.
-
The challenge is really that you have to identify a person on the network separately from their identity to applications. Generally networks are not user aware.
-
@scottalanmiller said in SSH jump server access control?:
The challenge is really that you have to identify a person on the network separately from their identity to applications. Generally networks are not user aware.
I believe the user-based network restrictions only extends to the target server(s). So outbound from the jump server. (As you said one jump server / IP per user and then firewalled off would be one way to do it).
So someone could potentially move laterally efter they have logged in to the target server. But other servers will probably only accept connections from jump servers so it would be hard. Which is on purpose of course.
-
@Pete-S said in SSH jump server access control?:
So someone could potentially move laterally efter they have logged in to the target server. But other servers will probably only accept connections from jump servers so it would be hard. Which is on purpose of course.
If that's the limitation you/they are looking for, outside edge IP detection to network access as a whole, then it's a totally different game and I think it makes total sense. THAT you can control with SSH itself no problem.
-
-