
SSH Jump Server Access and How To Pivot Using OpenVPN & Proxychains 

Lawrence Systems
39K views

Published: 29 Oct 2024

Comments: 33
@Sinnersmight, 4 years ago
I have absorbed like 3 years' worth of your videos these past few weeks and they have been fascinating. I love your content and keep up the great work! I look forward to being part of this community :) This video specifically has been spot on what I have been looking for too, so I really appreciate the variety of content you provide. I'm getting ready to set up my homelab environment and am very excited! I wish this got me hooked 10+ years ago instead of gaming, but this was much more boring then :P but now I'm so engrossed in the topic!!
@n3kton, 4 years ago
Nice video as usual. I would like to add two things: a) more secure would be to let the users forward their SSH agent through the jumpbox and use their individual keys to authenticate to the servers (they are allowed for). Distribution of SSH public keys for the allowed users of the machine could easily be done with some scripts and a (even more secure) SSH management server. This way you can manage the access per user for every machine. b) I guess you would want a backup jumpbox.
@xXsoulshockerXx, 4 years ago
I knew how to setup ssh keys and authentication, but I didn't know you could do this. In fact, just about a few months ago I didn't know ssh config file was a thing. Now this is cool. I have about 5 Pi's at home with a debian webserver and one digital ocean VPS. Be cool to have one channel of communication.
@hikingpete, 4 years ago
Thanks Tom, I enjoyed hearing about how you use a jump server. I would recommend that you have a look at SSH certificate authentication, as it solves half the problem in a different way. Both host keys and client keys can be signed by a master key, and hosts and clients can be configured to trust this signature. There are provisions for expiring keys and so much more. I think the jump box is still a handy tool, but I think I'd still prefer to start from a certificate based system.
@LAWRENCESYSTEMS, 4 years ago
I debated about making a second video about using SSH certificate management, it's not something I use much and the added complexity creates some drawbacks.
@IEnjoyCreatingVideos, 4 years ago
Good video Tom! Thanks for sharing it with us!💖👌👍😎JP
@jrr851, 4 years ago
SSH and Tunnels are the duct tape of networking. You can glue together so many solutions with them. Not just for remote command line!
@LAWRENCESYSTEMS, 4 years ago
Yup I've covered tunneling and piping things over SSH quite a few different ways on this channel. ;)
@chrisbleakley1444, 4 years ago
Great video Tom, very useful information as usual! You always seem to be ahead of the curve. I'm sure you already know this, but if you are just VPNing from point to point, wouldn't it be better to use a /30 subnet to keep things tidy? So if your laptop is '192.168.68.2' and the VPN link is '192.168.68.9' they are treated as separate subnets, therefore you shouldn't have any issues routing. Keep up the fab work.
@JRis44, 3 years ago
This was awesome. I have a whole lot of stuff to learn. Thank you for the education man!
@SB-qm5wg, 4 years ago
I don't use proxychains, I usually just set up a temp ssh tunnel for like 443 etc.. ssh -g -N -f -o ExitOnForwardFailure=yes -o StrictHostKeyChecking=no -L 22443::443 user@jumpbox
@andre32396, 4 years ago
Great video! Have you ever thought of using something like a smartcard or hsm to store securely the private ssh key from the jumpbox? That way, you would eliminate the risk of someone copying the jumpbox's private key.
@LAWRENCESYSTEMS, 4 years ago
There's actually quite a few different options for securing keys but for brevity of the video I did not cover all of them. Maybe I'll make another video on that topic. ;)
@WarpedFlayme, 4 years ago
@LAWRENCESYSTEMS Please do. My first thought when you suggested that you could just remove a user's private key from the jumpbox's authorized_keys file was that anyone with access at any time to the jump server could just copy its private keys and bypass the jumpbox. Obviously this could be mitigated with firewall and host-based SSH rules, but a concern nonetheless, right?
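The two comments above (using per-user keys through the jump box, and the worry that a key sitting on the jump box can be copied) both come down to where the private key lives. OpenSSH's `ProxyJump` client option routes the connection through the jump host while the authentication to the final server still happens end-to-end from the laptop, so the jump box holds no key that would let its users reach the servers behind it. The script below is an added illustration, not code from the video or from any commenter: it parses an OpenSSH client config (constructed here; the host names and key paths are made up) with the same first-match-wins rule `ssh` uses and prints the hop chain and the key used at each hop, which is a quick way to audit a `~/.ssh/config` before trusting it.

```python
"""Resolve an OpenSSH client config into the hop chain ssh would use.

Added illustration (not from the video or the comments). The config
text is constructed for this example; host names, user names and key
paths are assumptions. Negated (!) Host patterns and Match blocks are
not handled, which is enough to show how ProxyJump resolution works.
"""
import fnmatch
import shlex

SAMPLE_CONFIG = """
# constructed example ssh_config; hosts and key paths are made up
Host jump
    HostName jump.example.net
    User relay
    IdentityFile ~/.ssh/id_ed25519_jump

Host web-*
    HostName %h.internal.example.net
    User deploy
    ProxyJump jump
    IdentityFile ~/.ssh/id_ed25519_internal

Host *
    IdentityFile ~/.ssh/id_ed25519
    ForwardAgent no
"""


def parse_ssh_config(text):
    """Return a list of (patterns, options) blocks in file order."""
    blocks = []
    patterns, options = ["*"], {}  # options before the first Host line apply to all
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = shlex.split(line)
        key, values = parts[0].lower(), parts[1:]
        if key == "host":
            if options:
                blocks.append((patterns, options))
            patterns, options = values, {}
        else:
            options[key] = " ".join(values)
    if options:
        blocks.append((patterns, options))
    return blocks


def resolve_host(blocks, alias):
    """Apply OpenSSH's first-obtained-value-wins rule: walk the blocks in
    order and keep the first value seen for each keyword whose Host
    pattern matches the alias."""
    effective = {"host": alias}
    for patterns, options in blocks:
        if any(fnmatch.fnmatchcase(alias, p) for p in patterns):
            for key, value in options.items():
                effective.setdefault(key, value)
    effective.setdefault("hostname", alias)
    effective["hostname"] = effective["hostname"].replace("%h", alias)
    return effective


def jump_chain(blocks, alias, _depth=0):
    """Return the ordered hops ssh would connect through to reach `alias`,
    each as (hostname, user, identityfile); the last entry is the target.
    Every IdentityFile is a path on the client, so no hop needs a key of
    its own. Raises on a ProxyJump loop."""
    if _depth > 8:
        raise ValueError("ProxyJump chain too deep (loop?)")
    cfg = resolve_host(blocks, alias)
    chain = []
    hops = [h.strip() for h in cfg.get("proxyjump", "").split(",") if h.strip()]
    for hop in hops:
        if hop.lower() == "none":
            break
        chain.extend(jump_chain(blocks, hop, _depth + 1))
    chain.append((cfg["hostname"], cfg.get("user"), cfg.get("identityfile")))
    return chain


if __name__ == "__main__":
    blocks = parse_ssh_config(SAMPLE_CONFIG)
    for hostname, user, key in jump_chain(blocks, "web-01"):
        print(f"{user}@{hostname}  (key on laptop: {key})")
```

Running it for `web-01` shows the laptop first authenticating to `jump.example.net` with the jump key and then, through that relay, to `web-01.internal.example.net` with the internal key; both keys are read from the laptop, so removing a user's public key from the jump box's `authorized_keys` really does cut them off, because there is no second key on the jump box to fall back on.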
@Rickety3263, 4 years ago
I see what you’re trying to do. I learned what a jump box is today. Why not configure an LDAP server like FreeIPA to manage users, groups, objects and permissions? I understand FreeIPA also manages ssh keys, too.
@mattmat5648, 3 years ago
The question I would have is: if everyone is authenticated to the jump box and traffic goes from box to server, does it do a good job logging user actions once they are authenticated?
@xephael3485, 4 years ago
Great content on jumpboxes/stations
@SB-qm5wg, 4 years ago
It's how we patch servers in closed networks.
@danieleperera6788, 4 years ago
I remember that you have a dynamic IP at your home, so how are you getting VPN access to your home server when you have a dynamic IP? Can you please do a video on this topic?
@UntouchedWagons, 4 years ago
He's probably using Dynamic DNS with something like ddclient and a service like cloudflare or no-ip.
@UntouchedWagons, 4 years ago
So with a jump server I'd have to log in twice? Once into the jump server then ssh again into the computer?
@dreagnore, 4 years ago
It would be cool to know how you would handle it if you get locked out or the jump server goes down. How to mitigate that.
@gezb99, 4 years ago
keep a mirror I guess
@dduncane, 4 years ago
What about using Identity Management Software (like FreeIPA for example) to manage users & keys? Keys are stored on the IDM and managed there. A user quits, just delete his account on the IDM, and bam, he can't log on anymore and his key doesn't work anymore. Key compromised, revoke it on the IDM and replace it with the new one, and bam, the key has been replaced on every server in your domain.
@TWFsecurity, 4 years ago
Very helpful video, I appreciate your effort. Thanks
@gezb99, 4 years ago
Tom, great video - helped me a lot - thanks for taking the time - ;O)
@ServerAcademy, 4 years ago
Another great video!
@kosmonautofficial296, 3 years ago
amazing video again thanks!
@berndeckenfels, 4 years ago
If every user has access to the same one user, this user should not have read access to the authorized keys. With sudo you can pivot to a different outgoing user. But that does not allow seeing the actual identity on the target servers.
@MarcelDarvas, 3 years ago
So 1Password Secrets Automation could be considered a JumpBox?
@MDTechTutorials, 4 years ago
wow nice video.
@raul230285, 4 years ago
Use Wireguard for Example