The Linux Jumpbox: How to
-
@g.jacobse said:
@scottalanmiller said:
When you log into the production jump box and access other machines, that's all that there is to it. It is literally the hardened box with keyed access to all the other UNIX servers that makes it a jump box. It's just a "launch point" for SSH access.
So, once your Jumpbox is setup with the SSH keys, you log in to Linux1, then connect to Linux 2 and go from there? Not log into Linux1 and send command to Linux 2?
From my understanding you can do it either way.
-
@g.jacobse said:
@scottalanmiller said:
When you log into the production jump box and access other machines, that's all that there is to it. It is literally the hardened box with keyed access to all the other UNIX servers that makes it a jump box. It's just a "launch point" for SSH access.
So, once your Jumpbox is setup with the SSH keys, you log in to Linux1, then connect to Linux 2 and go from there? Not log into Linux1 and send command to Linux 2?
No, typically you would have access ONLY from the Jump box to the other boxes. You would not normally want access from the boxes to each other. The point of the jump box is to have a single point of access, not to allow a mesh of access as that means that ANY compromise is a COMPLETE compromise. The Jump box is a single point to lock down and designed to increase security, but a mesh would decrease it.
-
A big advantage of a Jump box is the ability to audit for bad access more easily (one log that is really, really important and easier to spot bad actors on other systems as they won't be from the jump box) and an easier time tracking individual users across a UNIX estate.
Jump boxes, when done correct, leave you with minimal effort to use but very high security. In a large server farm, should be way easier than not having a jump server at all.
-
@scottalanmiller said:
@g.jacobse said:
@scottalanmiller said:
When you log into the production jump box and access other machines, that's all that there is to it. It is literally the hardened box with keyed access to all the other UNIX servers that makes it a jump box. It's just a "launch point" for SSH access.
So, once your Jumpbox is setup with the SSH keys, you log in to Linux1, then connect to Linux 2 and go from there? Not log into Linux1 and send command to Linux 2?
No, typically you would have access ONLY from the Jump box to the other boxes. You would not normally want access from the boxes to each other. The point of the jump box is to have a single point of access, not to allow a mesh of access as that means that ANY compromise is a COMPLETE compromise. The Jump box is a single point to lock down and designed to increase security, but a mesh would decrease it.
I would think that you would only jump to one at a time. that to just to one, then jump to another would create points of failure, and possible confusion. Not to mention possible lag issues.
I know I did that almost 20 years ago on Ham radio, but jumping to a local BBS then hopping around the world and back to the same node I started from. The delay was long and the retries very high. It was neat to hope around the world on VHF to HF and back. but served no purpose.
-
Good night, good night! parting is such sweet sorrow,
That I shall say good night till it be morrow. -
@anonymous said:
@scottalanmiller You should write a quick how to, I too would like to set it up.
Will do.
At a lunch meeting with @Minion-Queen right now.
-
@scottalanmiller said:
@anonymous said:
@scottalanmiller You should write a quick how to, I too would like to set it up.
Will do.
At a lunch meeting with @Minion-Queen right now.
It is 4:13pm on the east coast. Bit of a late lunch.
-
Yeah we have been too busy to do anything before now. It is crazy!
-
@JaredBusch said:
@scottalanmiller said:
@anonymous said:
@scottalanmiller You should write a quick how to, I too would like to set it up.
Will do.
At a lunch meeting with @Minion-Queen right now.
It is 4:13pm on the east coast. Bit of a late lunch.
Had meetings that ran over. It was VERY late lunch.
-