We have bastion server B.
We need to SSH from A through B to C, using private key.
What is the better option:
-
Put the private SSH key on server B. We read that it's a bad idea to do that in a production environment.
From here:
Never place your SSH private keys on the bastion instance. Instead,
use SSH agent forwarding to connect first to the bastion and from
there to other instances in private subnets. This lets you keep your
SSH private key just on your computer. -
Use SSH agent forwarding. For setting up agent forwarding, I need to allow TCP Forwarding. When setting up agent forwarding, a socket file is created on the forwarding host, which is the mechanism by which the key can be forwarded to the destination. In the Bastion settings at AWS:
TCP forward: Setting this value to true will enable TCP forwarding
(SSH tunneling). This can be very useful but it is also a security
risk, so we recommend that you keep the default (disabled) setting
unless requiredAlso from here:
SSH Agent Forwarding considered harmful
What is better? What about the alternative from the second link: ProxyCommand, I understand it helps with the socket file issue, but still I think I have to enable TCP forwarding, so is it secure enough?
Best Answer
Use ProxyCommand or ProxyJump
I would recommend to use
ProxyCommand
(or even betterProxyJump
as the syntax is easier but requires openssh 7.3+ I think on the client side), and you do not need to deploy private key on the Bastion, everything stays local.Example with ProxyJump
On your client computer you write a file under
~/.ssh/config
with a similar content to bellow:Then doing
ssh srvC
will connect you to C via B (bastion) without Agent Forwarding nor deploying the private key to the bastion.In the above example, "bastion" is an alias to your Bastion host and srvC is an alias to your server C. In the
HostName
you need to put either IPs or real fully qualified domain name for your hosts. For the users, you need to update theUser
for the correct login name on the Bastion and server C. Finally theIdentityFile
is optional if you use a local agent (e.g. KeeAgent or ssh-agent), but if it is not running then it will also work and ask you for each key passphrases.Deploying the public keys
Of course you need to deploy the public keys to both bastion and srvC. You can use (the $ sign is just to illustrate the prompt, do not type it):
Note: the above will work only if password authentication is still allowed. After the above deployment and verifying that everything work as intended, you should disallow password authentication on the 2 servers.
Example with ProxyCommand instead of ProxyJump
If you have an older version of OpenSSH which does not support
ProxyJump
(on the client side), then replace:by
As far as I understood, this is similar.