SSH Jump Server (Part 1)

SSH stands for Secure SHell.  It is a method of connecting to remote systems: you use a terminal program to connect and log in to the remote system.  If you are familiar with Linux you know you have a terminal prompt that you can reach through a program like Konsole or gnome-terminal, and at that prompt you issue commands by typing them, just like in the old days of DOS.  What makes SSH special is that you can use it to connect to a remote computer and issue commands as if you were physically sitting in front of that computer itself.

To connect, you open the terminal program and issue the ssh command, giving it the address and/or other credentials necessary to log in.  Typically you have already configured/registered your RSA keys and/or a password with the remote system.  If you haven’t, you won’t get in, and you’ll need to take care of getting that done before you can make a valid remote connection.

There’s a bit more to it than that.  Those extra bits are typically done a single time, so it’s not repetitive and thus not tedious.  For instance, to allow the remote computer to receive the connection you would port forward, using your router, to the machine that you want to expose to the internet.  The default port is 22, so in your router you’d forward port 22 to the IP of the machine you want to connect to.  After setting up port forwarding you can attempt a connection.  If successful…

Once connected, the server will check for RSA keys and/or a password for the account you are logging into.  If you meet the requirements you are let in under the account that you gave.  An example would be:

ssh fredastaire@192.168.1.242

From this you would be allowed to execute commands (with obvious restrictions).  You’d talk to the machine over SSH, and it would appear as if you were physically in front of that machine executing those commands, with the permissions of the account you logged into.

Now, I’m not going to go into how to generate keys, how to set up passwords, or how to change the SSH server settings.  I’m just going to describe how you might go about using a computer that you jump through in order to connect to one or more other machines that are not directly exposed to the internet (exposed meaning accessible from outside the LAN).  A jump server will provide you with an extra layer of protection from unwanted logins from criminals and script kiddies that are out there on the internet.

To properly do this you have to set a machine aside, or set up a container on your virtual server, that you would jump through.  I typically use a small computer that costs little and consumes little power.  A Raspberry Pi is a perfect example of a low-cost, low-power computer.  It works very well indeed, and its only job is to allow an external user to jump in to a different computer on the network without disclosing what computer that is or giving hackers a chance to figure out how it all works.

For instance, I don’t want my work desktop directly exposed to the internet.  However, if I use a Raspberry Pi as a jump server, with the SSH port forwarded to it, I can jump through it to my work desktop and do the tasks that I want on it.  That makes the desktop both more secure and more accessible, since nobody can get to it directly, and the criminals on the internet know nothing about it and can’t find out.

You’d need 1 GB of RAM (or less, which the Raspberry Pi provides), Ethernet, and a flash card (4 GB would be more than enough).  Install Debian or Raspbian onto it and activate the SSH service.  You can modify that to meet your needs, but minimally you should not allow passwords on the other machines that you are going to jump to after you set up the jump server.  What I mean is that the machines you remote in through the Raspberry Pi should register their public keys with the Raspberry Pi, and when you have all of those machines registered you’d turn off password login.  The Raspberry Pi itself should have no RSA keys of its own, because we don’t really want the Raspberry Pi being able to directly connect to any computer on the network.  Nor should the Raspberry Pi permit password logins.
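The post says to turn password logins off on the jump server but leaves the sshd side out. As an added example that is not from the original post, here is the kind of sshd drop-in I would put on the Pi, plus a small check that flags the weak settings (including the case where PasswordAuthentication is simply left unset, because sshd then defaults to yes). The user name fredastaire and the LAN address 192.168.1.242 are taken from the example above; the file path in the comment is the usual Debian location and is an assumption about your install.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed: one allowed user
# (fredastaire) and one LAN host (192.168.1.242) behind the Pi.

# Emit a drop-in for the jump host's sshd. On Debian / Raspberry Pi OS with
# OpenSSH 8.2+ it goes in /etc/ssh/sshd_config.d/jump.conf; on older
# releases merge the lines into /etc/ssh/sshd_config. Reload sshd afterwards.
jump_sshd_config() {
  cat <<'EOF'
# Keys only: no password or challenge logins on the jump host.
PubkeyAuthentication yes
PasswordAuthentication no
# Named KbdInteractiveAuthentication in OpenSSH 8.7+; the old name still works.
ChallengeResponseAuthentication no
PermitRootLogin no
# Only the accounts that are allowed to hop through.
AllowUsers fredastaire
# ProxyJump / ssh -W opens a forwarded TCP connection on the jump host, so
# TCP forwarding must stay on; restrict it to the LAN hosts you jump to.
AllowTcpForwarding yes
PermitOpen 192.168.1.242:22
# Nothing else should run through the jump host.
X11Forwarding no
PermitTunnel no
EOF
}

# Return 0 if FILE contains none of the weak settings, 1 otherwise, printing
# each offending directive. Only uncommented lines count. Caveat: this does
# not understand Match blocks, which can override the global values.
check_sshd_hardening() {
  awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    { key = tolower($1); val = tolower($2) }
    key == "passwordauthentication" {
      seen_pw = 1
      if (val == "yes") { bad++; print "weak: " $0 }
    }
    key == "permitrootlogin" && val != "no" { bad++; print "weak: " $0 }
    key == "pubkeyauthentication" && val == "no" { bad++; print "weak: " $0 }
    END {
      if (!seen_pw) {
        bad++
        print "weak: PasswordAuthentication unset (sshd default is yes)"
      }
      exit bad ? 1 : 0
    }
  ' "$1"
}

# Demo on a constructed weak config (not a real file from the post).
demo=$(mktemp)
printf 'PermitRootLogin yes\nPasswordAuthentication yes\n' > "$demo"
check_sshd_hardening "$demo" || echo "constructed config fails the check, as expected"
rm -f "$demo"
```

Run `jump_sshd_config > /etc/ssh/sshd_config.d/jump.conf` on the Pi, then `sshd -t` to syntax-check before reloading. The PermitOpen line is what keeps a compromised client account from using the Pi as a general proxy into the LAN.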

The way the jump server works is (for example): 

A workstation at home registers its public key with the Raspberry Pi.

A second workstation at home, or any device capable of creating RSA keys and connecting via SSH, would do the same.

Once the public RSA keys are registered there’s no need to log directly into the jump server itself.  Instead you will use the proxy feature of SSH to jump through it to another machine.  That machine will also require RSA keys and deny logins using passwords.

You can issue the command to jump through the SSH jump server on your terminal’s command line, or you can create a config file in your home directory’s .ssh folder.  In there you specify the jump server’s IP, the user name, and the port, and give it a host name; when you want to jump to it you’ll jump directly into the Raspberry Pi jump server.  If you want to jump through it to another computer you will also have a section for the machine you want to jump to, along with the proxy command that tells SSH to use the Raspberry Pi as the jump host.

In that ~/.ssh/config file you’d create a section for each machine you want access to.
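As an added example (not from the original post), here is a ~/.ssh/config with exactly those two sections, a stanza for the Pi and a stanza for the work desktop that proxies through it, together with a small awk parser that reads back which jump host a given alias uses. The public address 203.0.113.10 is an assumed placeholder for your router; fredastaire and 192.168.1.242 come from the example earlier in the post; the key file path is assumed.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed placeholders:
# 203.0.113.10 (router's public address), ~/.ssh/id_rsa (client key).

# Write the client-side config into directory $1 (use ~/.ssh for real use).
# Comments in ssh_config must sit on their own lines, never after a value.
write_jump_config() {
  cat > "$1/config" <<'EOF'
# The jump server: the only machine with port 22 forwarded from the router.
Host pi
    HostName 203.0.113.10
    Port 22
    User fredastaire
    IdentityFile ~/.ssh/id_rsa
    IdentitiesOnly yes

# The work desktop on the LAN behind the Pi; never directly exposed.
Host work
    HostName 192.168.1.242
    User fredastaire
    IdentityFile ~/.ssh/id_rsa
    IdentitiesOnly yes
    ProxyJump pi
# On OpenSSH older than 7.3 use the ProxyCommand form instead:
#    ProxyCommand ssh -W %h:%p pi
EOF
}

# Print the ProxyJump target for Host alias $2 in config file $1, or nothing
# if that alias has none. Tiny parser: handles single-pattern Host lines and
# takes the first match, as ssh itself does.
proxy_jump_for() {
  awk -v want="$2" '
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    tolower($1) == "host" { in_stanza = ($2 == want); next }
    in_stanza && tolower($1) == "proxyjump" { print $2; exit }
  ' "$1"
}

# Demo: write the config to a temporary directory and resolve the jump host.
demo_dir=$(mktemp -d)
write_jump_config "$demo_dir"
echo "work jumps via: $(proxy_jump_for "$demo_dir/config" work)"
rm -rf "$demo_dir"
```

With that file in place, `ssh work` lands on the desktop without ever giving you a shell on the Pi, and the one-off command-line equivalent is `ssh -J fredastaire@203.0.113.10 fredastaire@192.168.1.242`. The desktop's sshd must also have the client's public key registered and password logins off, as the post describes; the Pi only relays the TCP connection and never sees the key.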

To Be Continued …