x/tatu

Pino de Candia 3a5a9fbe03 Devstack fixes; configurable API address for VMs; documentation refresh.

Change-Id: I1438d8c954f76f15afae33c92473b846d40ebe3d
Signed-off-by: Pino de Candia <giuseppe.decandia@gmail.com>

2018-03-09 16:52:36 +00:00

1.1 KiB

Raw Blame History

Jump Proxy Notes

NOTE: This feature is NOT YET IMPLEMENTED.

Assuming the SSH client's known_hosts file has been configured with two @cert-authority lines (one containing the Bastion CA public key, the other containing the Project Host CA public key), a user can SSH to her instance as follows:

ssh -o ProxyCommand="ssh -W %h:%p <bastion IP or DNS name" <account-name>@<instance IP or hostname>

For example:

ssh -o ProxyCommand="ssh -W %h:%p 10.99.157.129" ubuntu@10.0.0.13

Or (for OpenSSH 7.3 and later):

ssh -o ProxyJump="10.99.157.129" ubuntu@10.0.0.13

Note that one of the user SSH certificate's principals must be mapped to an account on the bastion (or the bastion will reject the SSH connection). Tatu should configure the bastion (e.g. on Ubuntu 16.04) AuthorizedPrincipalFile with a single file named 'nobody' which contains the names of all principals. This allows the SSH client to use the bastion as a jump host but not to login there; this secures the bastion itself. The ssh command is therefore:

ssh -o ProxyJump="nobody@10.99.157.129" ubuntu@10.0.0.13

1.1 KiB Raw Blame History

Jump Proxy Notes

1.1 KiB

Raw Blame History