Mailing List Archive

Multi Hopping by sshserver proxy with different keys
Hi all,

This is my problem:
I want to do multi-hopping through a proxy/jumper ssh-server with
ssh-agents, but with different keys from caller to proxy and from proxy
to target.

The problem could also be put more romantically like this: is there a way to get
a different identity while I travel from East to West? (Nothing to do
with any political thoughts ;^)

In other words, in another world:
The client:
is a PuTTY/Windows station with Pageant running well with the bastion
(ssh server proxy/jump).
Let's say that the Client uses the USER key.
The bastion:
is a Linux box with an ssh-agent running well with the target.
It accepts the USER key in .ssh/authorized_keys.
Let's say that the Bastion uses the ROLE key.
The target:
is a Unix box (Linux for the test) which accepts only
Bastion/ROLE in .ssh/authorized_keys.
The question:
is there a way to automate the connection from client to target with
the respective key-exchange agents?
That is to say, I don't want any password prompt or passphrase. Any.


FYI, I succeeded in making a connection trick, but there's a big lack of
screen functions (raw connection mode).
PuTTY conf:
    connection type: raw
    local proxy command: plink.exe -t %user@%proxyhost -agent "ssh
-p %port -l role %host"\n

The main problem resides in a full OpenSSH environment, of course.

Thanks in advance for sharing your interest,
Nicolas.

Post-scriptum La Poste

This message is confidential. Subject to any agreement concluded in
writing between you and La Poste, its content in no way represents a
commitment on the part of La Poste. Any publication, use or
distribution, even partial, must be authorised beforehand. If you are
not the intended recipient of this message, please notify the sender
immediately.
RE: Multi Hopping by sshserver proxy with different keys
You could do this with the following:
* ssh to bastion using your keys, and include a port forward from localhost to target
* ssh to the forwarded port on localhost using the target key.

Note that if this is for automation of tasks, you may need to keep the first connection going while starting the second. Once the second connection is going, the first one will not close fully until the tunnel is no longer in use.

Thanks,
Jok
Re: Multi Hopping by sshserver proxy with different keys
Nicolas,

If I understand your request fully...

I'll give you some info for OpenSSH (which you could use via Cygwin
on your Windows client), but I don't know if PuTTY has similar
capability. (Clearly, you've discovered plink.exe can do similar
things.) (While this info may not apply directly to your problem, I
figure it'll be of general interest.)
----------------
Host bastion
    IdentityFile    ~/.ssh/bastionkey
    User bastionuser

Host target
    IdentityFile    ~/.ssh/targetkey
    User targetuser
    ProxyCommand ssh bastion nc target 22
----------------

If you have both keys on the client, a

    ssh target

will "do the right thing(tm)" here by finding the target directive,
indirectly resolving to a bastion connection using the bastion key,
then piggy-backing on the established bastion connection's netcat
link to the target and applying the target key.

OpenSSH 5.5 or so has a builtin 'netcat' like facility using
'-W target:port', I haven't started using that yet, as my normal
systems (Debian Lenny) don't have that version.


Here's some hackery I have in my ~/.ssh/config file:

-----------------------
# Multi-(user+host) arbitrary gateway hopping
#       usera%hosta!userb%hostb[!userc%hostc...]
# STILL requires using '-l userd' for destination user on command line (i.e. we ignore last
# user in specification)
# e.g.  ssh -l root sdowdy@zia!root@umds0-vgw
Host    *!*
    GatewayPorts no
    ProxyCommand $(h="%h";p="%p";ruh=${h##*\!};rh=${ruh##*\%%};ru=${ruh%%\%%*};ru=${ru:-${USER}};luh=${h%%\!*};lh=${luh##*\%%};lu=${luh%%\%%*};lu=${lu:-${USER}};echo ssh -l ${lu} ${lh} "\`type -p netcat nc | head -1\` ${rh} 22")
# h=host, p=port (expanded by openssh cmdline)
# ruh,rh,ru=remote user+host, remote host, remote user (successively pulled off right-hand-side)
# luh,lh,lu=local user+host, local host, local user (pulled off left-hand-side)
#
-----------------------
This directive allows you, if you use a Bourne-shell/POSIX-shell, to
hop via an arbitrary number of [user@]host[!...] connections via
iterative deconstruction of the target specified within openssh.
If you have any required keys in your client ssh-agent, they'll be
appropriately applied down the chain. (Be careful of shell
meta-character expansion of '!' -- I chose that after initially
having chosen '::' as the gateway delimiter (DECnet style
poor-man's routing), and finding that while it worked for 'ssh',
it DOESN'T work for scp. '!' works for both ssh and scp.
You can use some other separator like "_", which isn't valid
DNS.)

The \`type -p netcat nc | head -1\` is simply used to work on SLES
and *every other* Linux distro, since SLES uses 'netcat' (nc on SLES
is something else). That whole thing can be replaced with simply
'nc' if you don't need to deal with SLES. (And that's the primary
requirement for a Bourne-alike shell.)


If I'm using the "bastion" (gateway) host frequently for multiple
connections (I have a number of systems that have a backend RFC1918
network of compute nodes or data servers), I may use ControlMasters
like:

Host gw1-* gw2-*
    User blah
    NumberOfPasswordPrompts 1
    ConnectTimeout 60
    ControlMaster auto
    ControlPath ~/.ssh/%r@%h:%p.sock

That way, I only authenticate once on the gateway host and use that
ControlMaster connection as the piggyback for subsequent connections
to that gateway and any hosts residing behind it. This is mainly
useful on systems where I'm required to enter a password, instead
of using authorized-key trust.

--stephen

--
Stephen Dowdy - Systems Administrator - NCAR/RAL
303.497.2869 - sdowdy@ucar.edu - http://www.ral.ucar.edu/~sdowdy/
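An added example for this page, not Stephen's code: a small Python generator that takes the same usera%hosta!userb%hostb[!...] chain notation his ProxyCommand hack parses one segment at a time, parses the whole chain up front, and renders one Host stanza per hop using the client-side -W relay he mentions (OpenSSH 5.4 and later) instead of netcat. The key file naming (~/.ssh/<host>_key) and the fallback to the login name when no user is given are assumptions.

```python
"""Render an OpenSSH client config for a hop chain given in the
usera%hosta!userb%hostb[!userc%hostc...] notation of the post above.

Added example for this page; not Stephen's code. Instead of running netcat
on each gateway it uses the client-side -W relay (OpenSSH 5.4 and later),
and it emits one Host stanza per hop so that `ssh <last host>` walks the
whole chain through ~/.ssh/config. Assumptions: one key file per hop named
~/.ssh/<host>_key, and a missing user defaulting to the login name.
"""
import getpass
from typing import List, NamedTuple, Optional


class Hop(NamedTuple):
    user: str
    host: str
    port: int = 22


def parse_chain(spec: str, default_user: Optional[str] = None) -> List[Hop]:
    """Split 'u1%h1!u2%h2[:port]!...' into hops, nearest gateway first.

    The shell one-liner peels one '!' segment per ssh invocation; here the
    whole chain is parsed up front so every stanza can be generated at once.
    """
    default_user = default_user or getpass.getuser()
    hops: List[Hop] = []
    for segment in spec.split("!"):
        user, has_user, hostport = segment.rpartition("%")
        if not has_user:                 # same fallback as ${USER} in the shell version
            user = default_user
        host, has_port, port = hostport.partition(":")
        if not host:
            raise ValueError(f"hop without a host name in {spec!r}")
        hops.append(Hop(user, host, int(port) if has_port else 22))
    return hops


def render_ssh_config(hops: List[Hop], key_dir: str = "~/.ssh") -> str:
    """One Host stanza per hop. Hop i is reached through hop i-1 with
    'ProxyCommand ssh -W %h:%p <hop i-1>'; ssh applies hop i-1's own stanza to
    that inner command, so the recursion lives in the config, not in a shell."""
    stanzas = []
    for i, hop in enumerate(hops):
        lines = [
            f"Host {hop.host}",
            f"    HostName {hop.host}",
            f"    User {hop.user}",
            f"    Port {hop.port}",
            f"    IdentityFile {key_dir}/{hop.host}_key",  # assumed naming convention
            "    IdentitiesOnly yes",  # offer only this hop's key, not every key in the agent
        ]
        if i > 0:
            lines.append(f"    ProxyCommand ssh -W %h:%p {hops[i - 1].host}")
        stanzas.append("\n".join(lines))
    return "\n\n".join(stanzas) + "\n"


if __name__ == "__main__":
    # Stephen's example chain: sdowdy on zia, then root on umds0-vgw behind it.
    print(render_ssh_config(parse_chain("sdowdy%zia!root%umds0-vgw")))
```

Every ssh process in the rendered chain runs on the local client; the gateway's sshd only has to permit TCP forwarding (AllowTcpForwarding), since -W asks it for a direct-tcpip channel. That is also the catch for the question that opened this thread: because nothing executes on the gateway, the key for each hop has to be available to the local client or its agent. IdentitiesOnly yes keeps the client from offering every agent key at every hop. OpenSSH 7.3 and later can express the same chain with ProxyJump (ssh -J) instead of a stanza per hop.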
Re: Multi Hopping by sshserver proxy with different keys
Joachim,

Thanks for sharing.
That works but doesn't rock; not the way I want:

1 - I need a fully autonomous procedure to connect to any target.
In your solution, I have to start a special connection each time, which
I can't automate correctly within the PuTTY local proxy command (teletype
screen issues) or within a pre-connection local command.

2 - The most important: the client doesn't have any key to the target. It's the
bastion/gateway/jumper who has the keys.
In your solution, I don't know how to tell the target to verify the bastion's
key...

And of course I don't want an ssh in ssh like: ssh bastion ssh target
... even if that's doing what I want outside Microsoft land.

Here is a schematic view of my needs:

Windows             Linux               Linux
  |                   |                   |
Putty            OpenSSH_5.6p1      Openssh any version
  |                   |                   |
Client ----------> Bastion ----------> Target
  \_________________/   \________________/
     Client's Key         bastion's key
       (Pagent)             (ssh-agent)

FYI: I've set the environment file to get my ssh-agent acting in the
2nd connection (from B to T).

Thanks
Nicolas

-------- Original message --------
Subject: Re: Multi Hopping by sshserver proxy with different keys
From: Joachim Thuau <Joachim.Thuau@heavy-iron.com>
To: secureshell@securityfocus.com <secureshell@securityfocus.com>
Date: 23/09/2010 18:26

> You could do this with the following:
> * ssh to bastion using your keys, and include a port forward from localhost to target
> * ssh to forwarded port on localhost using target key.
>
> Note that if this is for automation of tasks, you may need to keep the first connection going while starting the second.
> Once the second connection is going, the first one will not close fully
> until the tunnel is no longer in use.
>
> Thanks,
> Jok
>


Re: Multi Hopping by sshserver proxy with different keys
Stephen,

The problem is that my target key is on the gateway bastion host!
The client doesn't have it. Moreover, the bastion's keys are protected by
passphrases and served by ssh-agent. So I can't do any agent forwarding at
all..

Otherwise, I've never succeeded in having key exchange between bastion
and target while netcatting in a proxycommand. It systematically ends
with an interactive password prompt (not passphrase).

Of course "ssh -t bastion ssh -t target" works well, but I don't want
to do it like that because I use a PuTTY client, which won't behave
ergonomically if used that way.
The same idea applies to your - however excellent - hackery you made
with exclamation marks! (I'm on PuTTY... Sorry for that).

Once again this is a schematic view of what I want:

Windows             Linux               Linux
  |                   |                   |
Putty            OpenSSH_5.6p1      Openssh any version
  |                   |                   |
Client ----------> Bastion ----------> Target
  \_________________/   \________________/
     Client's Key         bastion's key
       (Pagent)             (ssh-agent)

Summarizing my needs by analogy with agent forwarding:
I'd like to have ssh-agent hopping.



-------- Original message --------
Subject: Re: Multi Hopping by sshserver proxy with different keys
From: Stephen Dowdy <sdowdy@ucar.edu>
To: Nicolas Ferragu <nicolas.ferragu@laposte.fr>
Cc: secureshell@securityfocus.com
Date: 23/09/2010 19:26

Re: Multi Hopping by sshserver proxy with different keys
On 23 September 2010 17:08, Nicolas Ferragu <nicolas.ferragu@laposte.fr> wrote:
>    Putty conf :
>       connection type : raw
>       local proxy command : plink.exe -t %user@%proxyhost -agent "ssh
> -p %port -l role %host"\n

I assume "ssh -p %port -l role %host" here is a command executed on
the bastion to connect to the target. Currently it does not work as
the target asks for the key known only to the bastion.

You mentioned that "ssh-agent running well with the target.". If that
means that the bastion has an ssh-agent running with a key for the target,
then in the above command you just need to tell ssh where to look
for the ssh-agent socket. You can do that with the env command that sets
SSH_AUTH_SOCK, like in:

plink.exe -t %user@%proxyhost -agent "env
SSH_AUTH_SOCK=<path-to-socket> ssh -p %port -l role %host"

The default socket location is /tmp/ssh-XXXXXXXXXX/agent.<ppid>. For
maximum convenience you may run the ssh-agent on the bastion with the -d
option to specify the exact location of the socket, like in:

ssh-agent -a "$HOME/.ssh/agent-socket"

and then set SSH_AUTH_SOCK in the above command to /home/user/.ssh/agent-socket


On the other hand, a setup like that implies that one can always
connect to the target if he has the key to the bastion. Moreover, anybody
who can log in to the bastion under your user name can also recover the
private key for the target by inspecting ssh-agent memory. So the
setup above is less secure than if you simply had the key to the
target on your local box, properly password-protected and loaded into
the PuTTY agent.

Regards, Igor
Re: Multi Hopping by sshserver proxy with different keys
Richard,

Yes, of course I could use the remote command field, but as I said before I
don't want to do a command like "ssh bastion ssh target" since I'd like
to use PuTTY as if I were connecting directly to my target - i.e. I'd like
to use the bastion in a proxy way. In other words, I don't want
anything but telling PuTTY to connect to my target in the main field
Hostname.

Moreover, I don't want to deal with password accounts since key
exchanges are mandatory in the project.

I think I'm going to modify PuTTY's code to make a direct remote command
proxy protocol.

Thanks for sharing,
NF

-------- Original message --------
Subject: Re: Multi Hopping by sshserver proxy with different keys
From: Wilson, Richard <richard.wilson3@hp.com>
To: Nicolas Ferragu <nicolas.ferragu@laposte.fr>, Stephen Dowdy
<sdowdy@ucar.edu>
Cc: "secureshell@securityfocus.com" <secureshell@securityfocus.com>
Date: 24/09/2010 21:55

> Nicholas,
>
> You might try using the PuTTY "Remote Command" field in the SSH panel to start a script on the Bastion
> host that would check and see if an agent was running, and start one if
> not.
>
> I would recommend expect as the scripting language for this -- it
> emulates an interactive session and
> SSH is designed to not accept passphrases and passwords as parms.
>
> You could pass the passphrase as a parm from the Windows host if your
> security allows it and
> avoid storing the passphrase on the bastion host.
>
> HTH,
>
> Richard Wilson
> Rich dot Wilson at hp dot com
>
> -----Original Message-----
> From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com] On Behalf Of Nicolas Ferragu
> Sent: Friday, September 24, 2010 3:01 AM
> To: Stephen Dowdy
> Cc: secureshell@securityfocus.com
> Subject: Re: Multi Hopping by sshserver proxy with different keys
>
Re: Multi Hopping by sshserver proxy with different keys
Igor,

My ssh-agent works well and I don't have any problem with it: I'm using
keychain (persistent ssh-agent across connections; from Debian
packages), filling the .ssh/environment file to get the env set correctly
for that.

Anyway, the trick doesn't work correctly since the terminal mode is raw:
I can succeed in logging in the way I want but can't do any vi or any tab
command completion...

Concerning the security level you've evaluated, I do agree with the fact
that one could read the bastion's memory to get access to the targets' keys.
But:
1 - I made those target keys usable only from the bastion. If the keys
were on the local box, this kind of filtering couldn't be done, as
my users should be able to connect from everywhere - modulo IP
spoofing of course.

2 - With all my target keys on the bastion, I can administer them in
a central way - which can't be done in the
distributed-to-the-local-boxes way. In particular, it's far easier to
give temporary access to anyone to any target in the bastion-holding
way.

3 - Saying the keys can be read from the bastion's memory isn't worse
than distributing them across local boxes, which are less secure than the
bastion - since there are some local boxes shared by multiple people...
Furthermore, the keys can be changed regularly to clean up this kind of
weakness.

Thanks for sharing,
NF


-------- Original message --------
Subject: Re: Multi Hopping by sshserver proxy with different keys
From: Igor Bukanov <igor@mir2.org>
To: Nicolas Ferragu <nicolas.ferragu@laposte.fr>
Cc: secureshell@securityfocus.com
Date: 25/09/2010 12:34

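An added example, not from the thread, that checks the compensating control Nicolas describes above (target keys usable only from the bastion) against Igor's point that anyone holding a key to the bastion can reach the target. In OpenSSH that pinning lives in the target's authorized_keys as the from="..." option on the key's line, so the script parses that file's option syntax (quoted values may contain commas and escaped quotes) and reports, per key, whether the bastion is admitted and whether the key is restricted. The authorized_keys content and key blobs are constructed, and the bastion address 192.0.2.10 is an assumption.

```python
"""Audit a target's authorized_keys for keys not pinned to the bastion.

Added example for this page, not code from the thread. Reports, for every
key line, whether a from= option admits the bastion (and nothing wider) and
whether the key carries restrict or the equivalent set of no-* options.
SAMPLE_AUTHORIZED_KEYS is constructed; the key blobs are not real keys.
"""
import fnmatch
from dataclasses import dataclass, field
from typing import List

# Everything `restrict` switches off; listing all of these explicitly is
# treated as equivalent (assumption: no-user-rc counted as part of that set).
RESTRICT_EQUIVALENT = {"no-agent-forwarding", "no-port-forwarding", "no-pty",
                       "no-user-rc", "no-X11-forwarding"}

# Constructed sample of target:~role/.ssh/authorized_keys (fake key blobs).
SAMPLE_AUTHORIZED_KEYS = """\
# ROLE key held in the bastion's agent: pinned, restricted, pty re-enabled
from="192.0.2.10",restrict,pty ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEFAKEFAKE role@bastion
# older key: pinned to a domain the bastion is not in, only partly restricted
from="*.example.net,!evil.example.net",no-pty ssh-rsa AAAAB3NzaC1yc2EAAAADAQABFAKE legacy@bastion
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKE2FAKE2FAKE2 laptop@home
"""


def split_outside_quotes(text: str, separators: str) -> List[str]:
    """Split on separator characters that are not inside double quotes.
    Backslash escapes inside quotes are kept intact, as sshd reads them."""
    parts, current, quoted, i = [], [], False, 0
    while i < len(text):
        ch = text[i]
        if quoted and ch == "\\" and i + 1 < len(text):
            current.append(text[i:i + 2])
            i += 2
            continue
        if ch == '"':
            quoted = not quoted
        if ch in separators and not quoted:
            if current:
                parts.append("".join(current))
                current = []
            i += 1
            continue
        current.append(ch)
        i += 1
    if current:
        parts.append("".join(current))
    return parts


def is_key_type(token: str) -> bool:
    return token.startswith(("ssh-", "ecdsa-sha2-", "sk-ssh-", "sk-ecdsa-"))


@dataclass
class Finding:
    comment: str
    key_type: str
    pinned_to: List[str]      # patterns from from=...; empty means unpinned
    bastion_allowed: bool     # True when unpinned: every host is then allowed
    restricted: bool
    problems: List[str] = field(default_factory=list)


def host_allowed_by_from(addr: str, patterns: List[str]) -> bool:
    """sshd semantics: a matching negated (!) pattern denies outright,
    otherwise any matching positive pattern allows. One address is checked
    here; sshd matches both the client IP and its reverse-resolved name."""
    allowed = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(addr, pat[1:]):
                return False
        elif fnmatch.fnmatchcase(addr, pat):
            allowed = True
    return allowed


def audit_authorized_keys(text: str, bastion_addr: str) -> List[Finding]:
    findings = []
    for line in text.splitlines():
        fields = split_outside_quotes(line.strip(), " \t")
        if not fields or fields[0].startswith("#"):
            continue
        if is_key_type(fields[0]):          # no options field on this line
            options, rest = [], fields
        else:
            options, rest = split_outside_quotes(fields[0], ","), fields[1:]
        if len(rest) < 2 or not is_key_type(rest[0]):
            raise ValueError(f"unparseable authorized_keys line: {line!r}")
        patterns = []
        for opt in options:
            if opt.startswith("from="):
                patterns += opt[len("from="):].strip('"').split(",")
        opts = set(options)
        f = Finding(comment=" ".join(rest[2:]), key_type=rest[0], pinned_to=patterns,
                    bastion_allowed=host_allowed_by_from(bastion_addr, patterns) if patterns else True,
                    restricted="restrict" in opts or RESTRICT_EQUIVALENT <= opts)
        if not patterns:
            f.problems.append("no from= option: usable from any host, not only the bastion")
        elif "*" in patterns:
            f.problems.append('from="*" admits every host')
        elif not f.bastion_allowed:
            f.problems.append(f"from= does not admit the bastion {bastion_addr}")
        if not f.restricted:
            f.problems.append("missing restrict (or the full set of no-* options)")
        findings.append(f)
    return findings


if __name__ == "__main__":
    for f in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS, "192.0.2.10"):
        print(f"{f.key_type} {f.comment}: {'; '.join(f.problems) or 'ok'}")
```

from= is what keeps the ROLE key from being usable anywhere but the bastion; it does nothing about the key being read out of the bastion's agent, which the thread already notes, and restrict only limits what an authenticated session can do (re-enable pty explicitly, as the sample does, if an interactive shell is the point). Run the block directly to print findings for the sample, or pass a real file's contents and the address sshd on the target will see for the bastion.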
Multi Hopping by sshserver proxy with different keys
Hi all,

Once again, this is my problem: logging in to the target by key exchange
through an ssh gateway (bastion) with different identities. The target's
identity is kept on the bastion, not the local box.

Windows             Linux               Linux
  |                   |                   |
Putty            OpenSSH_5.6p1      Openssh any version
  |                   |                   |
Client ----------> Bastion ----------> Target
  \_________________/   \________________/
     Client's Key         bastion's key
       (Pagent)             (ssh-agent)

I can do a proxycommand but can't get key exchange to work because the
proxycommand is based on a netcat raw connection - which can't do key
exchange as far as I know!

Here are the PuTTY proxy commands I tried without success, since they end in
a final password prompt instead of the kex bastion/target:
    plink.exe -a %user@%proxyhost "ssh -a -t -W %host:%port localhost"\n
or
    plink.exe -t -a %user@%proxyhost -nc <target_ip_address>:22 \n
(/!\ note that PuTTY's built-in "-nc" command doesn't resolve names to IPs
...)


I've also tried, successfully for the authentication but unsuccessfully
for the usability (raw terminal mode without vi, or control characters):
    plink.exe -t %user@%proxyhost -agent "ssh -p %port -l %user %host"\n


Thanks for your interest,
NF


Re: Multi Hopping by sshserver proxy with different keys
You could use socat to forward ssh connections from one host to another
after logging into the first one with a password or whatever...



On 27 September 2010 09:51, Nicolas Ferragu <nicolas.ferragu@laposte.fr> wrote:
> Richard,
>
> Yes of course I could use remote command field but as I said before I
> don't want to do a command like "ssh bastion ssh target" since I'd like
> to use Putty as if I where connecting directly my target - ie I'd like
> to use the bastion in a proxy way. In another words, I don't want
> anything but telling Putty to connect to my target in the main field
> Hostname.
>
> Moreover, I don't want to deal with password's accounts since key
> exchanges are mandatory in the project.
>
> I think I gonna modify putty's code to make a direct remote command
> proxy protocol.
>
> Thanks for sharing,
> NF
>
> -------- Message original --------
> Sujet: Re: Multi Hopping by sshserver proxy with different keys
> De : Wilson, Richard <richard.wilson3@hp.com>
> Pour : Nicolas Ferragu <nicolas.ferragu@laposte.fr>, Stephen Dowdy
> <sdowdy@ucar.edu>
> Copie à : "secureshell@securityfocus.com" <secureshell@securityfocus.com>
> Date : 24/09/2010 21:55
>
>> Nicholas,
>>
>> You might try using the PuTTY "Remote Command" field in the SSH panel to start a script on the Bastion
>
>  host that would check and see if an agent was running, and start one if
> not.
>
> I would recommend expect as the scripting language for this -- it
> emulates an interactive session and
>
>  SSH is designed to not accept passphrases and passwords as parms.
>
> You could pass the passphrase as a parm from the Windows host if your
> security allows it and
>
>  avoid storing the passphrase on the bastion host.
>>
>> HTH,
>>
>> Richard Wilson
>> Rich dot Wilson at hp dot com
>>
>> -----Original Message-----
>> From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com] On Behalf Of Nicolas Ferragu
>> Sent: Friday, September 24, 2010 3:01 AM
>> To: Stephen Dowdy
>> Cc: secureshell@securityfocus.com
>> Subject: Re: Multi Hopping by sshserver proxy with different keys
>>
>> Stephen,
>>
>> The problem is that my target key is on the gateway bastion host !
>> The client don't have it. Moreover, the bastion's keys are protected by passphrases and served by ssh-agent. So can't do any agentforwarding at all..
>>
>> Otherwise, I've never succeeded in having key exchange between bastion and target while netcating in a proxycommand. It's ending systematically with an interactive password prompt (not passphrase).
>>
>> Of course the "ssh -t bastion ssh -t target" works well but I don't want to do it like that because I use a putty client which won't behave ergonomically if used that way.
>> The same idea applies to your - however excellent - hackery you made with exclamation ! (I'm on Putty... Sorry for that).
>>
>> Once again this is a schematic view of what I want :
>>
>> Windows             Linux               Linux
>>   |                   |                   |
>> Putty            OpenSSH_5.6p1      Openssh any version
>>   |                   |                   |
>> Client ----------> Bastion ----------> Target
>>   \_________________/   \________________/
>>      Client's Key         bastion's key
>>        (Pagent)             (ssh-agent)
>>
>> Summarizing my needs taking a similarity view like agentforwarding :
>> I'd like to have an ssh-agent hopping.
>>
>>
>>
>> -------- Message original --------
>> Sujet: Re: Multi Hopping by sshserver proxy with different keys De : Stephen Dowdy <sdowdy@ucar.edu> Pour : Nicolas Ferragu <nicolas.ferragu@laposte.fr> Copie à : secureshell@securityfocus.com Date : 23/09/2010 19:26
>>
>>> Nicolas,
>>>
>>> If i understand your request, fully...
>>>
>>> I'll give you some info for OpenSSH (which you could use via Cygwin on
>>> your windows client), but i don't know if PuTTY has similar
>>> capability. (clearly, you've discovered plink.exe can do similar
>>> things) (while this info may not apply directly to your problem, i
>>> figure it'll be of general interest)
>>>
>>> ----------------
>>> Host bastion
>>>     IdentityFile    ~/.ssh/bastionkey
>>>     User bastionuser
>>>
>>> Host target
>>>     IdentityFile    ~/.ssh/targetkey
>>>     User targetuser
>>>     ProxyCommand ssh bastion nc target 22
>>> ----------------
>>>
>>> If you have both keys on the client, a
>>>
>>>     ssh target
>>>
>>> will "do the right thing(tm)" here by finding the target directive,
>>> indirectly resolving to a bastion connection using the bastion key,
>>> then piggy-backing on the established bastion connection's netcat link
>>> to the target and applying the target key.
>>>
>>> OpenSSH 5.5 or so has a builtin 'netcat' like facility using '-W
>>> target:port', i haven't started using that yet, as my normal systems
>>> (Debian Lenny) don't have that version.
>>>
>>>
>>> Here's some hackery i have in my ~/.ssh/config file:
>>>
>>> -----------------------
>>> # Multi-(user+host) arbitrary gateway hopping
>>> #       usera%hosta!userb%hostb[!userc%hostc...]
>>> # STILL requires using '-l userd' for destination user on command line
>>> # (i.e. we ignore last user in specification)
>>> # e.g.  ssh -l root sdowdy@zia!root@umds0-vgw
>>> Host    *!*
>>>     GatewayPorts no
>>>     ProxyCommand $(h="%h";p="%p";ruh=${h##*\!};rh=${ruh##*\%%};ru=${ruh%%\%%*};ru=${ru:-${USER}};luh=${h%%\!*};lh=${luh##*\%%};lu=${luh%%\%%*};lu=${lu:-${USER}};echo ssh -l ${lu} ${lh} "\`type -p netcat nc | head -1\` ${rh} 22")
>>>     # h=host, p=port (expanded by openssh cmdline)
>>>     # ruh,rh,ru=remote user+host, remote host, remote user (successively pulled off right-hand-side)
>>>     # luh,lh,lu=local user+host, local host, local user (pulled off left-hand-side)
>>> -----------------------
>>> This directive allows you, if you use a Bourne-Shell/posix-shell to
>>> hop via an arbitrary number of [user@]host[!...] connections via
>>> iterative deconstruction of the target specified within openssh.
>>> If you have any required keys in your client ssh-agent, they'll be
>>> appropriately applied down the chain. (Be careful of shell
>>> meta-character expansion of '!' -- I chose that after initially having
>>> chosen '::' as the gateway delimiter (DECnet style poor-man's
>>> routing), and finding that while it worked for 'ssh', it DOESN'T work
>>> for scp.  '!' works for both ssh and scp.)
>>> You can use some other separator like "_", which isn't valid DNS.
>>>
>>> the \`type -p netcat nc | head -1\` is simply used to work on SLES and
>>> *every other* linux distro, since SLES uses 'netcat' (nc on SLES is
>>> something else).  That whole thing can be replaced with simply 'nc' if
>>> you don't need to deal with SLES (and that's the primary requirement
>>> for a Bourne-alike shell).
>>>
>>>
>>> If i'm using the "bastion" (gateway) host frequently for multiple
>>> connections (i have a number of systems that have a backend RFC1918
>>> network of compute nodes or data servers), i may use ControlMasters
>>> like:
>>>
>>> Host gw1-* gw2-*
>>>     User            blah
>>>     NumberOfPasswordPrompts 1
>>>     ConnectTimeout  60
>>>     ControlMaster   auto
>>>     ControlPath     ~/.ssh/%r@%h:%p.sock
>>>
>>> That way, i only authenticate once on the gateway host and use that
>>> ControlMaster connection as the piggyback for subsequent connections
>>> to that gateway and any hosts residing behind it.  This is mainly
>>> useful on systems where i'm required to enter a password, instead of
>>> using authorized-key trust.
>>>
>>> --stephen
>>>
>>
>
>
>
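Stephen's `Host *!*` trick, carried out as an added shell example (mine, not the thread's): it builds the ProxyCommand for one hop of a `user%host!user%host[!...]` chain and hands the remaining chain back to ssh, so chains of any length recurse (the quoted one-liner's `${h%%\!*}` keeps only the first element, so a middle hop would be dropped), and a missing user defaults to `$USER` instead of to the host name. The script path and plain `nc` on every hop are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: build the ProxyCommand for one
# hop of a "user%host!user%host[!...]" chain, the format of the quoted
# Host *!* directive. Each call peels off the last element; ssh matches
# the remaining chain against Host *!* again, so any depth of chain works.
# A missing user falls back to $USER (then id -un) rather than to the
# host name, and plain 'nc' is assumed on every hop.

SEP='%'   # user/host separator (a literal '%' here; '%%' inside ssh_config)

# user_of SPEC -> user part of "user%host", empty when SPEC has no '%'
user_of() {
    case $1 in
        *"$SEP"*) printf '%s\n' "${1%%"$SEP"*}" ;;
        *)        printf '\n' ;;
    esac
}

# host_of SPEC -> host part of "user%host" (or SPEC itself without '%')
host_of() {
    printf '%s\n' "${1##*"$SEP"}"
}

# hop_proxy_command CHAIN [PORT] -> "ssh -l USER VIA nc DEST PORT", where
# VIA is the bare host for a two-element chain and the remaining chain
# (to be resolved by ssh again) when more hops precede the destination.
hop_proxy_command() {
    chain=$1
    port=${2:-22}
    dest=${chain##*!}          # rightmost element is the destination
    rest=${chain%!*}           # everything before the last '!'
    via=${rest##*!}            # element that actually runs nc
    user=$(user_of "$via")
    user=${user:-${USER:-$(id -un)}}
    case $rest in
        *!*) via_host=$rest ;;              # still a chain: recurse via ssh
        *)   via_host=$(host_of "$via") ;;  # single hop: bare host name
    esac
    printf 'ssh -l %s %s nc %s %s\n' \
        "$user" "$via_host" "$(host_of "$dest")" "$port"
}

# Used as "ProxyCommand sh ~/.ssh/hop.sh %h %p" (assumed path) it runs the
# hop instead of printing it; word splitting of the result is intended.
if [ $# -gt 0 ]; then
    exec $(hop_proxy_command "$1" "$2")
fi
```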
Re: Multi Hopping by sshserver proxy with different keys [ In reply to ]
On 27 September 2010 10:22, Nicolas Ferragu <nicolas.ferragu@laposte.fr> wrote:
> Anyway, the trick doesn't work correctly since the terminal mode is raw
> : I can succeed in logging the way I want but can't do any vi or any tab
> command completion...

Does putty have something like the -t argument to ssh that forces terminal
allocation? If it is supported then

putty -t bastion ssh target

should properly allocate terminal.

Regards, Igor
Re: Multi Hopping by sshserver proxy with different keys [ In reply to ]
Hi fnx,
You're right but I'd like to have it without changing any habits for the
users.
In a way, I'd like to have the host field and the command field
exchanged - or having a remote command proxy option.
I think I'll have to change putty's code for that. Why not.
Best regards.

-------- Original Message --------
Subject: Re: Multi Hopping by sshserver proxy with different keys
From: Phoenix Rider <fnx@technologitron.com>
To: Nicolas Ferragu <nicolas.ferragu@laposte.fr>
Date: 11/10/2010 20:14

> You could give this a shot:
>
> Putty has the ability to execute a command that you specify on connect.
>
> So, set the ssh remote command to:
>
> ssh innerhostnameoripaddress
>
> And save your profile, assuming the bastion ip/hostname is set in the
> putty host field. This will start the ssh session and execute the ssh
> command. Assuming you've got your keys set up, you should either
> achieve a shell or be prompted for your key passphrase.
>
> This is just an idea, i'm sure it can be improved or modified, but I
> hope it helps.
>
>
>
> On Mon, Sep 27, 2010 at 4:22 AM, Nicolas Ferragu
> <nicolas.ferragu@laposte.fr> wrote:
>> Igor,
>>
>> My ssh-agent works well and I haven't any problem with it : I'm using
>> keychain (persistent ssh-agent across connections; from debian
>> packages), filling the .ssh/environment file to get the env set correctly
>> for that.
>>
>> Anyway, the trick doesn't work correctly since the terminal mode is raw
>> : I can succeed in logging the way I want but can't do any vi or any tab
>> command completion...
>>
>> Concerning the security level you've evaluated, I do agree with the fact
>> that one could read the bastion's memory to get access to the targets' keys.
>> But :
>> 1 - I made those target keys usable only from the bastion. If the keys
>> were on the local box, this kind of filtering couldn't be done, since
>> my users should be able to connect from everywhere - modulo IP
>> spoofing of course.
>>
>> 2 - With all my target keys on the bastion, I can administrate them in
>> a central way - which can't be done in the
>> distributed-to-the-local-boxes way. In particular, it's far easier to
>> give temporary access to anyone to any target with the bastion's holding
>> way.
>>
>> 3 - Saying the keys can be read from the bastion's memory isn't worse
>> than distributing them across local boxes which are less secure than the
>> bastion - since some local boxes are shared by multiple people...
>> Furthermore, the keys can regularly be changed to clean that kind of
>> weakness.
>>
>> Thanks for sharing,
>> NF
>>
>>
>> -------- Original Message --------
>> Subject: Re: Multi Hopping by sshserver proxy with different keys
>> From: Igor Bukanov <igor@mir2.org>
>> To: Nicolas Ferragu <nicolas.ferragu@laposte.fr>
>> Cc: secureshell@securityfocus.com
>> Date: 25/09/2010 12:34
>>
>>> On 23 September 2010 17:08, Nicolas Ferragu <nicolas.ferragu@laposte.fr> wrote:
>>>> Putty conf :
>>>> connection type : raw
>>>> local proxy command : plink.exe -t %user@%proxyhost -agent "ssh
>>>> -p %port -l role %host"\n
>>>
>>> I assume "ssh -p %port -l role %host" here is a command executed on
>>> the bastion to connect to the target. Currently it does not work as
>>> the target asks for the key known only for the bastion.
>>>
>>> You mentioned that "ssh-agent running well with the target.". If that
>>> means that bastion has ssh-agent running with a key for the target
>>> then in the above command you just need to tell the ssh where to look
>>> for ssh agent socket. You can do that with env command that sets
>>> SSH_AUTH_SOCK like in:
>>>
>>> plink.exe -t %user@%proxyhost -agent "env
>>> SSH_AUTH_SOCK=<path-to-socket> ssh -p %port -l role %host"
>>>
>>> The default socket location is /tmp/ssh-XXXXXXXXXX/agent.<ppid>. For
>>> maximum convenience you may run the ssh-agent on bastion with -d
>>> option to specify the exact location of the socket like in:
>>>
>>> ssh-agent -b "$HOME/.ssh/agent-socket"
>>>
>>> and then set SSH_AUTH_SOCK in the above command to /home/user/.ssh/agent-socket
>>>
>>>
>>> On the other hand, a setup like that implies that one can always
>>> connect to the target if he has the key to the bastion. Moreover, anybody
>>> who can log in to the bastion under your user name can also recover the
>>> private key for the target by inspecting ssh-agent memory. So the
>>> setup above is less secure than simply having the key to the
>>> target on your local box, properly password-protected and loaded into
>>> the putty agent.
>>>
>>> Regards, Igor
>>>
>>
>>
>

--

Groupe La Poste

Nicolas Ferragu

Architecte SI
Direction de la Production, Service A2I

*CSP* - CENTRE DE SERVICES PARTAGES
DSICORP - DIRECTION DES SYSTEMES
D'INFORMATION CORPORATE

19 BD GASTON DOUMERGUE
44262 NANTES CEDEX 2
Tél. : 02 51 84 49 43
nicolas.ferragu@laposte.fr
www.laposte.fr
Visitor address: Immeuble Atlantica

