Restricted reverse SSH tunnel with JumpHost

Here’s the situation: your colleague is working on laptop C. They need to get into server A. Server A is behind a firewall, and can create outbound connections, but inbound connections are not allowed. You have access to an internet server B, but you don't want to allow full shell access on there to your colleague.

The solution is to create two restricted users on server B, let’s call them alex and casey. Server A will then SSH out to server B as user alex, and open a port listening on server B that forwards back to SSH on server A. Your colleague will then SSH from laptop C as user casey, using server B as a jumphost back to itself, and from there on to server A.

Confused? It’s not quite as complicated as it sounds. Here are the practical steps you need to take.

On server B

Create two users:

adduser alex --shell=/bin/true --disabled-password
adduser casey --shell=/bin/rbash --disabled-password

(Note: with --disabled-password, you will need to set up SSH keys for the two users. This is a simple process but is outside the scope of this article. Its advantages are that it’s more secure than a password, and also more convenient to users as it doesn’t require typing two passwords on every connection attempt. Alternatively just leave this option out and you can use passwords for authentication.)

Add the following section at the end of /etc/ssh/sshd_config:

Match User alex
    AllowAgentForwarding no
    AllowTcpForwarding yes
    X11Forwarding no
    PermitTunnel yes
    GatewayPorts no
    ForceCommand /bin/true

Match User casey
    AllowAgentForwarding no
    AllowTcpForwarding yes
    X11Forwarding no
    PermitOpen 127.0.0.1:12345 [::1]:12345
    PermitTunnel yes
    GatewayPorts no
    ForceCommand echo 'This account can only be used for ProxyJump (ssh -J)'

Restart sshd:

systemctl restart sshd.service

On server A

ssh -R 12345:localhost:22 -N alex@serverB

(Note: you probably want to run this command inside screen or something similar, so that it will keep running without needing to leave the terminal open.)

On laptop C

ssh -p 12345 user@127.0.0.1 -J casey@serverB

(Here user is the user account on server A that your colleague needs to access. It is unrelated to alex and casey, which are accounts on server B only)

Done! You colleague should now have an SSH connection open on server A. The restrictions on the user accounts mean that your colleague can’t do anything on server B, and anyone connecting out from server A can’t do anything on server B either.

References

https://gist.github.com/smoser/3e9430c51e23e0c0d16c359a2ca668ae
https://serverfault.com/questions/891142/how-to-specify-multiple-destinations-in-openssh-servers-permitopen-directive
https://unix.stackexchange.com/questions/14312/how-to-restrict-an-ssh-user-to-only-allow-ssh-tunneling

Add new comment