Use Case: You have some servers in the cloud that are not exposed to the internet directly. You have one server, called a bastion host, through which you can log in to the back-end servers.
You can log in to the bastion host and from there log in to the rest of the servers that are not exposed to the internet. Done the plain way, this means keeping your private key files on the bastion host, which is not good.
With agent forwarding you don't need to store the private key on the bastion host: the key stays on your local machine, and via SSH agent forwarding the same key is used to log in to the back-end server.
I believe that you already know how to log in to a Linux server with key authentication. If not, you can find it here
I assume that you have already set up login via private key on the destination server.
I assume that you have host1 (client), bastion (middle server, the bastion host) and server1 (destination server). With SSH agent forwarding I can log in host1 > bastion > server1 without storing any private key on the bastion.
From a network perspective, you ideally want your private servers accessible only via a bastion host or other intermediary host that doesn't hold any private keys.
On Server: You don't need to do anything if you have already set up login via private/public key authentication.
On Client:
Add your key to your ssh agent
$ ssh-add "/home/keys/private.pem"
You will receive the output below:
$ ssh-add /home/keys/private.pem
Identity added: /home/keys/private.pem (/home/keys/private.pem)
You may allow agent forwarding in the SSH client configuration file, or enable it on the command line as well.
Specify -A on the ssh command line to use agent forwarding.
SSH Client configuration
The SSH clients should be configured to allow agent forwarding. Add the following entry to the /etc/ssh/ssh_config file to apply this change for all users on that machine, or to the /home/user/.ssh/config file to apply it only to a specific user.
Host *
ForwardAgent yes
The above enables agent forwarding for all hosts. It is an aggressive setting; you may want to restrict it to specific hosts depending on your use case.
ssh -At bastion.example.com ssh server1.example.com
This will take you to server1.example.com.
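A tighter version of the client configuration above, added here as an example and not part of the original post: the agent is forwarded only when connecting to the bastion, and explicitly not to any other host. The hostnames are the page's own placeholders.

```sshconfig
# ~/.ssh/config (added example, not from the original post)
# Forward the local ssh-agent only to the bastion host, which is the
# one hop that needs to authenticate onward to server1 on your behalf.
Host bastion.example.com
    ForwardAgent yes

# Every other destination: never expose the agent socket.
# Because ssh uses the first matching value, this catch-all must come last.
Host *
    ForwardAgent no
```

With this in place, ssh -t bastion.example.com ssh server1.example.com works without -A, and a typo in the hostname does not hand your agent to an unintended host.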
Perfect instructions, thank you.