Setup and Configure a SSH Jump Server

ssh-jump-host
ssh-jump-server-concept

Introduction     

In recent times, there is an increasing need for organizations to give employees access to their IT facilities due to the ongoing Covid restrictions ( such as work from home )  in place and in other cases grant access to external parties like clients, vendors  who wants to troubleshoot and fix issues with the IT Infrastructure remotely.
 
More so, is the need for multiple manage SSH access to the company’s Linux servers, Routers, Switches, while meeting regulatory and security compliance.
 
This need led to the emergence of the SSH Jump Server concept.
It is a secure intermediary server where all your system administrators would login in first via SSH before getting to access the remote devices such as Linux instance, Routers, Switches etc. The purpose of having the SSH Jump server is to improve security and consolidate SSH user activities to a single point hence better security and accountability. SSH  Jump server is also known by the name SSH Jump Box, SSH Jump Host & SSH Gateway.

SSH Jump Server explained.                                 

An SSH Jump Server is simply a single, hardened server that you “jump” through in order to access other servers or devices on the inner network.
Sometimes called a SSH Jump host , or SSH Jump server or  bastion or a relay host, it’s simply a server that all of your users can log into and use as a relay server to connect to other Linux servers, Routers, Switches and more. Therefore, a jump server is a server inside a secure zone, which can be accessed from a less secure zone. It is then possible to jump from this host to greater security zones.
 
In other words, it is an intermediary host or an SSH gateway to a remote network, through which a connection can be made to another host in a dissimilar security zone, for example a demilitarized zone (DMZ2). In short it is intended to breach the gap between two security zones. This is done with the purpose of establishing a gateway to access something inside of the security zone, from the DMZ
 
The SSH Jump Box bridges two dissimilar security zones and offers controlled and monitored access between them.
 
For users accessing your secure network over the internet, the jump host provides a highly secured and monitored environment especially when it spans a private network and a DMZ with servers providing services to users on the internet.
 
Furthermore, a classic scenario is connecting from your desktop or laptop from inside your company’s internal network, which is highly secured with firewalls to a DMZ. In order to easily manage a server in a DMZ, you may access it via a jump host.
 
Therefore, a jump host is a server inside a secure zone, which can be accessed from a less secure zone. It is then possible to jump from this host to greater security zones. An example would be a high security zone inside a corporation. The policy guide states that this zone cannot be accessed directly from a normal user zone. Hence, in a DMZ off the firewall protecting this zone you have a jump host.
 
Connections are permitted to the ssh jump host from the user zone, and access to the secure zone are permitted from the jump host.
 
More often, there is a separate authentication method for the jump host fortified with multi factor authentication, Single Sign On ( SSO ) , Radius  & more. 

Configure a SSH Jump Server Solution
  • Using OpenSSH
    A basic ssh jump server with limited features and functionalities  can be configured using OpenSSH packages  that available by default on most Linux distributions. In the example below, we will just use the basic ssh command line to proxy a ssh connection to the remote server via a intermediate jump server.
ssh -J jump_machine remote_machine

If the -J option is not available use the -W option to pivot the connection through an intermediate bastion host.

ssh -o ProxyCommand="ssh -W %h:%p bastion.gateway.org"  remote.server.org

With the OpenSSH 7.3,  the easiest way to pass through hop through intermediate one or more jump hosts is  using the ProxyJump directive ssh_config

Host remote server
HostName 192.168.0.177
ProxyJump admin@jump-server.org:22
User devops

Multiple jump hosts can be chained as well

Host remote server
HostName 192.168.0.177
ProxyJump admin@jump-server.org:22, admin@jump-server2.org:22
User devops

 

Do refer the article SSH Proxy and SSH JumpHost  for configuring  a basic jump server that is very limited in feature and functionality when compared to the modern day ssh  jump host solutions.

  • Using Ezeelogin
     Ezeelogin is a much more powerful and advanced SSH Jump host software solution and  can be deployed quickly.  It has powerful features that  makes managing hundreds of Linux devices and granting ssh access to these device a piece of cake.  Do refer the article to  setup and configure a ssh jump server quickly on your premise or on cloud.                                                    

Why do you need a SSH Jump server solution to manage ssh access? 

The OpenSSH based jump server is clearly not enough to meet the modern day requirements  of an IT enterprise. The challenges for  the enterprise are constantly changing and dynamic . On day , it could be from maintaining security, granting ssh access to the users to designated server and that too for particular time and on another day it could be the security compliances that needs to be met at the time of a Linux servers infrastructure audit.
The modern day  SSH Jump host solutions are designed to address the challenges faced by an IT enterprise when it comes to  security and to meet various security compliances like PCI DSS, NIST, ISO 27001 and more.
 
The modern day ssh jump server  software has the  following features  and more.
  • Identity and Access management (IAM)
  • Privileged Access management (PAM),
  • Role Based Access Control to delegate access to Linux servers and Network devices.
  • Two factor authentication methods  like Google Authenticator, DUO Security 2FA, & Yubikey in SSH.
  • Integrates with Windows Active Directory, OpenLDAP, Redhat IDM.
  • Supports SAML for  Single Sign On.
  • Support RADIUS Authentication to access network devices such as Routers and Switches
  • Password Manager
  • SSH key rotation, 
  • Automated root password management

CONCLUSION

IT Enterprises that use a SSH Jump Server solution in improving security of their critical IT asset and in meeting various mandatory security compliances  (which would otherwise prove very costly in case of a breach),  are more likely to succeed due to the improved operational efficiency, digital security, hence more successful business for the company’s end customers.

References

SSH Proxy and SSH JumpHost

Four Eyes authorization for Sarbanes-Oxley ( SOX ) , PCI , HIPAA Security Compliance

four eyes authorization ssh
four eyes authorization for sox compliance

The Sarbanes-Oxley Act of 2002 (SOX) is an act passed by U.S Congress in 2002 to protect investors from the possibility of fraudulent accounting activities by corporations. The SOX Act mandated strict reforms to improve financial  disclosures from corporations and prevent accounting fraud. The SOX Act was created in response to accounting malpractice in the early 2000s, when public scandals such as Enron Corporation, Tyco International plc, and WorldCom shook investor confidence in financial statements and demanded an overhaul of regulatory standards.

Sarbanes-Oxley act or the SOX compliance require that whenever critical task are executed, it should NOT be done individually, it requires the critical transactions or the task at hand to be authorized by two persons and not just one. While managing server or cloud infrastructure, critical action like viewing the ssh session recordings should be authorized by a supervisor as well.

 

Meet PCI DSS 3.2 , HIPAA, SOX, SOC2, FFIEC, NERC CIP, ISO 27001 Compliance in your Linux Infrastructure.

jump server pci dss
jump server pci dss

 

If you are a system administrator  and have bunch of Linux server that you need to manage and has to be PCI DSS3.2 ,SOX, SOC2, FFIEC, NERC CIP, ISO 27001,HIPAA  compliant, then look no further, Ezeelogin SSH Gateway will help you be compliant in minutes.

Here are the requirements that Ezeelogin jumphost will help you meet.

  1. SSH User Expiry – This would let you to set an expiry time for an ssh user. It could be a developer or a sysadmin who has to deploy new code and you need to remove the access granted after a period of time. You can now easily set an expiry time after which the user would no longer have access after a preset time.
  2. IAM- Identity and Access Management – This would let you decide which developer / system administrator has access to which Linux production nodes. You can also decide ssh user which  the developer or devops engineer would login into your  Linux Node. You can decide whether the developer should login as non privileged user for example as user ‘dev’ or as ‘root’.
  3. 2FA – Two Factor Authentication in ssh – Easily integrate Yubikey, DUO Security or Google two factor Authentication when your staff accesses your Linux nodes.
  4. SSH Session Recording – Know what your staff does on your Linux nodes. Records ssh session so that you know who does what, when and where.
  5. SSH Key Management – This is usually a headache when you many server and many staff and many keys granting access to the servers. The keys need to be added for a user to grant access or revoked to deny access. The problem has been inherently handled in the ssh jump gateway as all keys are now encrypted and users would have just one key to access the ssh jump gateway which is removed with the users account deletion.
  6. RSA / DSA Key Based Authentication – Support both RSA and DSA key based authentication while we would recommend RSA keys as DSA is considered to be weak and is being deprecated.
  7. Disabling direct root access on target linux server – Direct root access needs to be disabled but then it comes with additional hassle of remembering password and  other overheads.  This is now handled in ingenious way in Ezeelogin
  8. Automated Password resets – Reset the root passwords on your Linux nodes periodically as the password are to be reset. We would recommend disabling direct root access to any Linux nodes.
  9. Centralised  login for Users in  LDAP or Active Directory – Now Authenticate your staff in SSH from your LDAP/ AD.
  10.  Maximum number of failed attempts before the accounts is locked– Repeated failures from your staff trying to access the ssh gateway could be brute force attack. The staff’s account is automatically locked to prevent further bruteforce.
  11. Minimum password length for root password – Easily set root user password  or remote ssh user password up to length of 30 character at a click.
  12. Password reuse  for an SSH Gateway User is limited such that previous 3 password is not allowed to be set again.