SSH Jump Server

0
54

In recent times, there is an increasing need for organizations to give employees access to their IT facilities due to the ongoing Covid restrictions ( such as work from home )  in place and in other cases grant access to external parties like clients, vendors who want to troubleshoot and fix issues with the IT Infrastructure remotely.

More so, is the need for multiple manage SSH access to the company’s Linux servers, Routers, Switches, while meeting regulatory and security compliance. This need led to the emergence of the SSH Bastion host concept.

What is an SSH Jump Server?

An SSH Jump Server is simply a single, hardened server that you “jump” through in order to access other servers or devices on the inner network sometimes called a SSH Jump host , or SSH Bastion host or  ssh gateway or a relay host, it’s simply a server that all of your users can log into and use as a relay server to connect to other Linux servers, Routers, Switches and more. Therefore, a Jump server is a server inside a secure zone, which can be accessed from a less secure zone. It is then possible to jump from this host to greater security zones.

In other words, it is an intermediary host or an SSH Jump server to a remote network, through which a connection can be made to another host in a dissimilar security zone, for example a demilitarized zone (DMZ2). In short it is intended to breach the gap between two security zones. This is done with the purpose of establishing a gateway to access something inside of the security zone, from the DMZ

The SSH Jump server bridges two dissimilar security zones and offers controlled and monitored access between them.

For users accessing your secure network over the internet, the Jump server provides a highly secured and monitored environment especially when it spans a private network and a DMZ with servers providing services to users on the internet.

Furthermore, a classic scenario is connecting from your desktop or laptop from inside your company’s internal network, which is highly secured with firewalls to a DMZ. In order to easily manage a server in a DMZ, you may access it via a bastion host.

Therefore, a bastion host is a server inside a secure zone, which can be accessed from a less secure zone. It is then possible to jump from this host to greater security zones. An example would be a high security zone inside a corporation. The policy guide states that this zone cannot be accessed directly from a normal user zone. Hence, in a DMZ off the firewall protecting this zone you have a jump host.

Connections are permitted to the ssh bastion host from the user zone, and access to the secure zone are permitted from the bastion host.

More often, there is a separate authentication method for the bastion host fortified with multi factor authentication, Single Sign On ( SSO ) , Radius  & more.

How does ssh with jump server work?  

It is a secure intermediary server where all your system administrators would login in first via SSH before getting to access the remote devices such as Linux instance, Routers, Switches etc. The purpose of having the SSH bastion host  is to improve security and consolidate SSH user activities to a single point hence better security and accountability. SSH bastion host is also known by the name SSH Jump BoxSSH Jump Host & SSH Gateway.

How to Setup SSH Jump Server?

  • Bastion using OpenSSH – A basic ssh jump server with limited features and functionalities can be configured using OpenSSH packages that are available by default on most Linux distributions.

How do I connect to SSH Jump Server?

In the example below, we will just use the basic ssh command line to proxy an ssh connection to the remote server via an intermediate jump server.

ssh -J jumpserver remote_machine

If the -J option is not available use the -W option to pivot the connection through an intermediate jumpserver.

ssh -o ProxyCommand="ssh -W %h:%p bastion.gateway.org"  remote.server.org

You can also use SSH client configuration file, instead of passing arguments via SSH.

Edit the ~/.ssh/config file :

Host <nickname>
HostName <hostname_of_remote_server>
User <user_on_remote_server>
ProxyCommand ssh <user_on_remote_server>@<jumpserver> nc %h %p
  • <nickname> : Sets nickname for the target/remote server
  • <hostname_of_remote_sever> : Sets the real remote server/host name
  • <user_on_remote_server> : Real user who exists on target server
  • <bastion_host>: IP or the hostname` of the proxy server
  • %h will be the host name to connect
  • %p will be the port

Now you can SSH to the target/remote machine:

ssh -v <target/remote_server>

With the OpenSSH 7.3,  the easiest way to pass through hop through intermediate one or more jump hosts is using the ProxyJump directive ssh_config

Host remote server
    HostName 192.168.0.177
    ProxyJump admin@jump-server.org:22
    User devops
Multiple bastion hosts can be chained as well
Host remote server
    HostName 192.168.0.177
    ProxyJump admin@jump-server.org:22, admin@jump-server2.org:22
    User devops

Do refer to the article SSH Proxy and SSH Bastion Host  for configuring  a basic bastion host server that is very limited in feature and functionality when compared to the modern day ssh  jump host solutions.

Jump Server using Ezeelogin

Ezeelogin is a much more powerful and advanced SSH Jumpserver software solution  and  can be deployed quickly on a Linux server.  It has powerful features that  makes managing hundreds of Linux devices and granting ssh access to these device a piece of cake.  Do refer to the article to  setup and configure a ssh bastion host quickly on your premise or on cloud.

ssh jumpserver

Why do you need an SSH Jumpserver solution to manage SSH access?

The OpenSSH based jump server is clearly not enough to meet the modern day requirements  of an IT enterprise. The challenges for  the enterprise are constantly changing and dynamic . On day , it could be from maintaining security, granting ssh access to the users to designated server and that too for particular time and on another day it could be the security compliances that needs to be met at the time of a Linux servers infrastructure audit.

The modern day  SSH  bastion host solutions are designed to address the challenges faced by an IT enterprise when it comes to  security and to meet various security compliances like PCI DSS, NIST, ISO 27001 and more.

The modern day ssh bastion host  software such as Ezeelogin has the  following features  and more.

  • Identity and Access management (IAM)
  • Privileged Access management (PAM),
  • Role Based Access Control to delegate access to Linux servers and Network devices.
  • Two factor authentication methods  like Google Authenticator, DUO Security 2FA, & Yubikey in SSH.
  • Integrates with Windows Active Directory, OpenLDAP, Redhat IDM.
  • Supports SAML for  Single Sign On.
  • Support RADIUS Authentication to access network devices such as Routers and Switches
  • Password Manager
  • SSH key rotation,
  • Automated root password management

Importance of SSH Jumpserver?

1. Improved Security
2. Centralized Access
3. Streamlined Access Management
4. Compliance with Security Standards

How do I secure my SSH Jumpserver?

To ensure maximum protection of your jumpserver, you should focus on the process of server security hardening. In simple terms, that means applying a combination of basic and advanced security measures to address vulnerabilities in your bastion host server and operating system to boost overall server security.

Jump server comparison: OpenSSH Vs. Ezeelogin 

Ezeelogin is a custom-developed software for converting Linux servers to jump servers without any security or performance worries.

Ezeelogin is a subscription-based plan suitable for all major business segments such as Web hosting, Finance, Insurance, Healthcare, defense, cloud, and many more.

OpenSSH Jump Server Ezeelogin
Only password or cert-based authentication Supports 2FA – Google Authenticator, Yubikey, and Duo
Stores SSH Keys in plain text format The encrypted keys are stored in databases
Uses default shells. No customization is possible. Uses custom shell – ezsh
Can’t restrict command execution Command-Line Guard restricts the user from executing dangerous commands.
Login works only for command line Bowser extension and SAML support enable autologin to web interfaces.
Needs professional Linux administration skills Only a few mouse clicks are required. No server admin expertise is essential.
Command execution on multiple servers requires separate ssh logins. Parallel shell enables simultaneous execution of commands across multiple servers.
User activity session recording is possible only through agent software. No agent software is required for ssh session logging.
Password Rest, Rotation, and login sharing are quite clumsy processes. Password management is automated.
Single point of failure – you can’t access your servers if the jump server is down. Master-slave architecture with jump server switching options.
Achieving security compliance is hard. Can easily fulfill security compliance requirements
Permits access only for system users. Login for LDAP and Active Directory users is possible.

Open ssh jump server is possible only if you are a competent Linux administrator. Vulnerability management, software updates, resolving compatibility issues, and security audits are some of the essential and unavoidable server management activities.

Sadly, admins often fail to upkeep the servers properly and leave them in chaotic situations. A jump server with poor security practices is a ticking bomb for your organization’s growth and reputation.

CONCLUSION

IT Enterprises that use a SSH JumpServer solution in improving security of their critical IT asset and in meeting various mandatory security compliances  (which would otherwise prove very costly in case of a breach),  are more likely to succeed due to the improved operational efficiency, digital security, hence more successful business for the company’s end customers.