Gavin W. Burris on 28 Oct 2015 10:18:05 -0700



Re: [PLUG] some bash help


Hrm.  One could enforce key-only auth to the first box, then restrict the allowed commands in the admin user's ~/.ssh/authorized_keys file on the first box.  Something like:

command="ssh -p 22 carl@191.168.1.123" ssh-rsa AAAAXXXXX...............

The command string has to be exact though, which I think can be pulled from the logs after one attempt.

Cheers.


On Wed 10/28/15 12:59PM EDT, Paul Jungwirth wrote:
> On 10/28/2015 09:46 AM, Carl Johnson wrote:
> >I have a server that I need to use as a transparent jump box to another
> >network. What I'd like to do is have a "serveradmin" user be able to SSH
> >into "serverA" and automatically be SSH'ed into another server,
> >"serverB". If this second ssh session to serverB is killed (i.e. ctrl+c)
> >or dies for whatever reason I'd like the original ssh session to serverA
> >to collapse too.
> 
> I assume you want serverA to enforce this, so telling the local .ssh/config
> to use a proxy isn't an option?
> 
> What if in serverA's /etc/passwd the login shell for serveradmin *is* the
> ssh command to go to serverB (or some wrapper script). It seems that a ^C
> should then kill the whole thing. I wouldn't be surprised if there were
> still some way to run commands on serverA though.
> 
> Paul
> ___________________________________________________________________________
> Philadelphia Linux Users Group         --        http://www.phillylinux.org
> Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
> General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug

-- 
Gavin W. Burris
Senior Project Leader for Research Computing
The Wharton School
University of Pennsylvania
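
A check for the authorized_keys approach suggested in this message, as an added example that is not part of the original thread: it audits the jump account's authorized_keys and reports keys that lack a forced command or that carry one but still permit port forwarding. The sample keys, the host name serverB.example and the function names are constructed for illustration; the restrict option assumes OpenSSH 7.2 or later.

```shell
#!/bin/sh
# Added example (not from the thread). Audits an authorized_keys file on the
# jump box: every key should carry command="..." plus restrict or
# no-port-forwarding. Assumes no escaped quotes (\") inside option values.

audit_jump_keys() {   # $1 = authorized_keys path; returns 1 if any key is weak
    file=$1 lineno=0 bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        case $line in ''|'#'*) continue ;; esac
        # Empty the quoted values so spaces and commas inside command="..."
        # cannot break the split; option names are case-insensitive.
        stripped=$(printf '%s\n' "$line" | sed 's/"[^"]*"/""/g' | tr 'A-Z\t' 'a-z ')
        first=${stripped%% *}
        case $first in
            ssh-*|ecdsa-*|sk-*) opts='' ;;      # starts with key type: no options
            *)                  opts=",$first," ;;
        esac
        case $opts in
            *,command=\"\",*) ;;
            *) echo "line $lineno: no forced command"; bad=1; continue ;;
        esac
        case $opts in
            *,restrict,*|*,no-port-forwarding,*) ;;
            *) echo "line $lineno: forced command but port forwarding allowed"; bad=1 ;;
        esac
    done < "$file"
    return "$bad"
}

write_sample_keys() {   # constructed sample; keys and serverB.example are placeholders
    cat > "$1" <<'EOF'
# serveradmin keys on serverA (constructed)
restrict,pty,command="ssh -p 22 carl@serverB.example" ssh-ed25519 AAAAexample1 admin1
command="ssh -p 22 carl@serverB.example" ssh-rsa AAAAexample2 admin2
ssh-rsa AAAAexample3 admin3
EOF
}

demo=$(mktemp) && write_sample_keys "$demo"
audit_jump_keys "$demo" || echo "=> fix the lines above before relying on the jump box"
rm -f "$demo"
```

The check only reads per-key options; forwarding can also be disabled for the account in sshd_config (AllowTcpForwarding no), which this script does not inspect.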