I need to have a group of users hop through a server ('bastion') into another machine ('dest') via ssh to commit code.
Seems like my options are:

1. tell users to use ProxyCommand in their .ssh/config file, something like:

    Host dest
        ProxyCommand ssh -q bastion nc -q0 dest 22

2. use ForceCommand in the sshd config file, like:

    Match Group hopUsers
        ForceCommand ssh dest $SSH_ORIGINAL_COMMAND

3. use the command option in the users' .ssh/authorized_keys file, like:

    command="ssh dest"
The first solution is great, it works with mercurial commits, etc. -- The problem is that I don't want to give my users a valid shell on the bastion machine. I could set their login shell to /bin/false, but this leaves a whole set of issues unattended (see here) -- unless perhaps coupled with a dedicated set of options (like noX11Forwarding) in the sshd config file, within a Match stanza.
The problem with the second and third solution is that public key authentication is 'lost', i.e. unless the client uses the -A option when launching ssh, the server will respond with:

debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering public key: .ssh/XXXXXX
debug1: Server accepts key: pkalg ssh-rsa blen 277
debug1: Authentication succeeded (publickey).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: Sending environment.
debug1: Sending env LC_ALL = en_US.UTF-8
debug1: Sending env LANG = en_US.UTF-8

Hence requesting the user password. This is not acceptable.
I think there is something that can be done with nc in proxy mode, but I can't seem to get it to work.
Any help would be greatly appreciated.
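An added example, not from the question or from any answer on the page, of a setup that keeps public-key authentication end to end: the bastion only forwards a TCP connection to dest's ssh port (ssh -W, the built-in netcat mode the question alludes to), so the user's own key authenticates to dest through the tunnel and neither -A nor a key on the bastion is needed, while the hop group is denied a shell, a PTY and every other kind of forwarding on the bastion. The host names, user name and key path are placeholders.

```text
# --- /etc/ssh/sshd_config on 'bastion' (restrictions for the hop group) ---
Match Group hopUsers
    # The only thing this group may do on the bastion is open a
    # TCP channel to dest:22; no other forwarding destinations.
    AllowTcpForwarding yes
    PermitOpen dest:22
    # No interactive use of the bastion at all.
    PermitTTY no
    X11Forwarding no
    AllowAgentForwarding no
    PermitTunnel no
    # A session request (someone running plain 'ssh bastion') gets
    # nothing useful; ssh -W never requests a session, so it is
    # unaffected and the user's login shell can be /usr/sbin/nologin.
    ForceCommand /bin/false

# --- ~/.ssh/config on each user's workstation ---
Host bastion
    HostName bastion.example.com        # placeholder
    User alice                          # placeholder
    IdentityFile ~/.ssh/id_ed25519      # placeholder

Host dest
    # Ask the bastion to forward a raw TCP connection to dest:22;
    # the client then authenticates to dest with its own key.
    ProxyCommand ssh -W %h:%p bastion
    # On OpenSSH 7.3 or later the line above can be replaced by:
    #   ProxyJump bastion
    User alice                          # placeholder
    IdentityFile ~/.ssh/id_ed25519      # placeholder
```

With this in place 'ssh dest' and 'hg push' work as before, and a check with 'ssh bastion' or 'ssh -L 8080:other:80 bastion' from a hopUsers account should fail, which is the behaviour to verify after deploying the Match stanza.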