I want to access a web application running on a web server behind my office firewall from an external machine.
We have a bastion host running sshd that is accessible from the Internet.
I want to know if this solution is a bad idea:
- Create an account on the bastion host with shell=/bin/false and no password ('testuser')
- Create a ssh RSA key on the external machine
- Add the public RSA key to the testuser's authorized_keys file
- ssh to the bastion host from the external host using: ssh -N 8888:targethost:80
- run my tests from the external host
- shut down the ssh tunnel
I understand that if my RSA private key were compromised then someone could ssh to the bastion host. But are there other reasons this solution is a bad idea?
thank you!
Best Answer
I think this is a pretty secure setup, I use it myself. You will need to add '-L' to your command:
As long as you don't use the '-g' option, only your client machine can access the port forward.
What I would recommend also is to make sshd on the bastion host listen on a non-standard port. If you are listening on a standard port, the attack traffic sometimes can eat up considerable amounts of CPU.
Also choose a good passphrase for your ssh key, and enter it only on trusted machines. Preferably Linux, it is less trivial to install keyloggers on Linux.