3a5a9fbe03
Change-Id: I1438d8c954f76f15afae33c92473b846d40ebe3d Signed-off-by: Pino de Candia <giuseppe.decandia@gmail.com>
30 lines
1.1 KiB
ReStructuredText
30 lines
1.1 KiB
ReStructuredText
================
|
|
Jump Proxy Notes
|
|
================
|
|
|
|
**NOTE: This feature is NOT YET IMPLEMENTED.**
|
|
|
|
Assuming the SSH client's known_hosts file has been configured with two
|
|
@cert-authority lines (one containing the Bastion CA public key, the other
|
|
containing the Project Host CA public key), a user can SSH to her instance as
|
|
follows:
|
|
|
|
| ssh -o ProxyCommand="ssh -W %h:%p <bastion IP or DNS name" <account-name>@<instance IP or hostname>
|
|
|
|
For example:
|
|
|
|
| ssh -o ProxyCommand="ssh -W %h:%p 10.99.157.129" ubuntu@10.0.0.13
|
|
|
|
Or (for OpenSSH 7.3 and later):
|
|
|
|
| ssh -o ProxyJump="10.99.157.129" ubuntu@10.0.0.13
|
|
|
|
Note that one of the user SSH certificate's principals must be mapped to an
|
|
account on the bastion (or the bastion will reject the SSH connection). Tatu
|
|
should configure the bastion (e.g. on Ubuntu 16.04) AuthorizedPrincipalFile
|
|
with a single file named 'nobody' which contains the names of all principals.
|
|
This allows the SSH client to use the bastion as a jump host but not to login
|
|
there; this secures the bastion itself. The ssh command is therefore:
|
|
|
|
| ssh -o ProxyJump="nobody@10.99.157.129" ubuntu@10.0.0.13
|