In order to give someone access to hosts that are available only by ssh "bouncing" (ProxyJump), add a user for this specific purpose.
We have an internal openstack where instances get IPs on per-tenant networks. Each tenant has a 'bastion' host that has a "public" ip (floating ip). You can access other instances by bouncing through the bastion. From time to time I want to let someone else into an instance. This could be done either with:

- a.) just give them shell access to the bastion and let them hop through. Sharing an unrestricted shell account on my bastion is less than ideal.
- b.) assign a floating/"public" IP to the instance so they could go directly in. Floating IPs are limited, so this is less than ideal.

So instead, I have set up a single user as described here that can only be used for ProxyJump. It allows others proxied access to my instances but without granting them full shell access.

Here's how you can set this up.
- Pick a name

  ```sh
  JUMP_USER="sshjump"
  ```
- Configure sshd

  We match by `Match User` here, but could also use `Match Group`. Add the following to your `/etc/ssh/sshd_config`, and make sure to adjust `sshjump` to your `JUMP_USER`:

  ```
  Match User sshjump
      AllowAgentForwarding no
      AllowTcpForwarding yes
      X11Forwarding no
      PermitTunnel no
      GatewayPorts no
      ForceCommand echo 'This account can only be used for ProxyJump (ssh -J)'
  ```

  Then, restart sshd:

  ```sh
  sudo systemctl restart ssh
  ```
- Add the user

  The shell can actually be `/bin/true`, but then you will not get the `ForceCommand` directive to do anything, which can be useful for a user connecting.

  ```sh
  sudo useradd "$JUMP_USER" "--home-dir=/home/$JUMP_USER" --create-home --shell=/bin/rbash
  # if you want to, set a password.
  sudo passwd "$JUMP_USER"
  ```
- Add some ssh keys

  ```sh
  sudo -Hu "$JUMP_USER" ssh-import-id smoser
  ```
- Try it out

  Assuming you want to give access to `[email protected]` and your host is `jumphost`:

  ```sh
  ssh -J sshjump@jumphost [email protected]
  ```
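As an added example (not part of smoser's gist), here is a small POSIX sh script that renders the `Match User` block above for a chosen user and audits an existing `sshd_config` for it, so the bastion can be checked before the account is handed out. It goes slightly beyond the gist: an optional list of `host:port` destinations is emitted as `PermitOpen`, which limits where the jump user can connect (`ssh -J` is a direct-tcpip forward, so `PermitOpen` applies to it), and the audit flags a flipped `AllowTcpForwarding`, which would break `ssh -J` through this user entirely. The temp files, the `192.0.2.10:22` destination and the two sample configs are constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the original gist: render the jump-only
# "Match User" block for a user and audit an sshd_config for it.
# Assumptions: POSIX sh with awk and mktemp; runs as any user, no root.

JUMP_USER="${JUMP_USER:-sshjump}"

# Print the Match block from the gist for user $1. Any further arguments
# are host:port destinations allowed via PermitOpen; with none given,
# sshd lets the forward reach any destination.
render_match_block() {
    user="$1"; shift
    printf 'Match User %s\n' "$user"
    printf '    AllowAgentForwarding no\n'
    printf '    AllowTcpForwarding yes\n'
    printf '    X11Forwarding no\n'
    printf '    PermitTunnel no\n'
    printf '    GatewayPorts no\n'
    [ "$#" -gt 0 ] && printf '    PermitOpen %s\n' "$*"
    printf "    ForceCommand echo 'This account can only be used for ProxyJump (ssh -J)'\n"
}

# Print "directive=value" for each line inside the "Match User $2" block of
# config file $1. Everything after a Match line belongs to that block until
# the next Match line, so the block is only found where sshd would find it.
match_block_settings() {
    awk -v user="$2" '
        tolower($1) == "match" { inblock = (tolower($2) == "user" && $3 == user); next }
        inblock && NF && $1 !~ /^#/ { print tolower($1) "=" $2 }
    ' "$1"
}

# Audit the block for user $2 in file $1 against the jump-only policy.
# Returns 0 when every directive matches, 1 (listing deviations) otherwise.
audit_match_block() {
    settings=$(match_block_settings "$1" "$2"); rc=0
    if [ -z "$settings" ]; then
        echo "no 'Match User $2' block found in $1"
        return 1
    fi
    for want in allowagentforwarding=no allowtcpforwarding=yes x11forwarding=no \
                permittunnel=no gatewayports=no; do
        printf '%s\n' "$settings" | grep -qx "$want" || { echo "missing or wrong: $want"; rc=1; }
    done
    printf '%s\n' "$settings" | grep -q '^forcecommand=' || { echo "missing: ForceCommand"; rc=1; }
    printf '%s\n' "$settings" | grep -q '^permitopen=' \
        || echo "note: no PermitOpen, any destination is reachable through $2"
    return "$rc"
}

# Constructed demo: a correct config restricted to one destination, and one
# where AllowTcpForwarding was flipped to "no", which would break ssh -J.
demo() {
    good=$(mktemp); bad=$(mktemp)
    { echo 'PasswordAuthentication no'; render_match_block "$JUMP_USER" 192.0.2.10:22; } > "$good"
    render_match_block "$JUMP_USER" | sed 's/AllowTcpForwarding yes/AllowTcpForwarding no/' > "$bad"
    echo "== good config"; audit_match_block "$good" "$JUMP_USER" && echo "OK"
    echo "== bad config";  audit_match_block "$bad" "$JUMP_USER" || echo "rejected, as expected"
    rm -f "$good" "$bad"
}
demo
```

Against the real file, `audit_match_block /etc/ssh/sshd_config sshjump` needs only read access. Two points the parser encodes that are easy to miss: a global directive placed below the `Match` block silently applies only to the jump user, so the block belongs at the end of `sshd_config`; and `sudo sshd -t` validates the syntax before the `systemctl restart ssh`, which otherwise can leave you locked out of the bastion. On the client side, the equivalent of `-J` is a `~/.ssh/config` stanza for the internal hosts carrying `ProxyJump sshjump@jumphost`.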
The following urls had information to help put this together:
Thank you for the gist. :-)
If you also want to restrict the targets the user is allowed to reach you can use `PermitOpen` (see `man sshd_config`). Though I have not yet tried to specify subnets like `PermitOpen [2001:db8:cafe:beef::/112]:22 192.0.2.0/24:22`.
@pierreboudes I tried specifying a binary like `/bin/hostname` or `/bin/bash` `/bash` as a command argument for `ssh` but it only executes the `ForceCommand` and then disconnects:

If you want to make sure you can just set `--shell=/bin/true` for the `sshjump` user as the gist suggests and leave out `ForceCommand echo ...` from the `/etc/ssh/sshd_config`. :-)