SSH Jump Server
In recent times, there is an increasing need for organizations to give employees access to their IT facilities due to the ongoing Covid restrictions ( such as work from home ) in place and in other cases grant access to external parties like clients, vendors who wants to troubleshoot and fix issues with the IT Infrastructure remotely.
Chris David
Share this Post to earn Money ( Upto ₹100 per 1000 Views )
Introduction
What is SSH Jump Server and how does it work?
How to Configure an SSH Jump Server
- Using OpenSSH
A basic ssh jump server with limited features and functionalities can be configured using OpenSSH packages that available by default on most Linux distributions. In the example below, we will just use the basic ssh command line to proxy a ssh connection to the remote server via a intermediate jump server.
ssh -J jump_machine remote_machineIf the -J option is not available use the -W option to pivot the connection through an intermediate bastion host.
ssh -o ProxyCommand="ssh -W %h:%p bastion.gateway.org" remote.server.orgWith the OpenSSH 7.3, the easiest way to pass through hop through intermediate one or more jump hosts is using the ProxyJump directive ssh_config
Host remote server
HostName 192.168.0.177
ProxyJump admin@jump-server.org:22
User devops
Multiple jump hosts can be chained as well
Host remote server
HostName 192.168.0.177
ProxyJump admin@jump-server.org:22, admin@jump-server2.org:22
User devops
Do refer the article SSH Proxy and SSH JumpHost for configuring a basic jump server that is very limited in feature and functionality when compared to the modern day ssh jump host solutions.
- Using Ezeelogin SSH Jump server
Ezeelogin is a much more powerful and advanced SSH Jump host software solution and can be deployed quickly. It has powerful features that makes managing hundreds of Linux devices and granting ssh access to these device a piece of cake. Do refer the article to configure a ssh jump server quickly on your premise or on cloud.
Why do you need a SSH Jump server solution to manage ssh access?
- Identity and Access management (IAM)
- Privileged Access management (PAM),
- Role Based Access Control to delegate access to Linux servers and Network devices.
- Two factor authentication methods like Google Authenticator, DUO Security 2FA, & Yubikey in SSH.
- Integrates with Windows Active Directory, OpenLDAP, Redhat IDM.
- Supports SAML for Single Sign On.
- Support RADIUS Authentication to access network devices such as Routers and Switches
- Password Manager
- SSH key rotation,
- Automated root password management
OpenSSH proxy or jump server cannot perform all these advanced activities.
Limitations of normal openssh jump servers:-
- The OpenSSH jump servers hold the ssh-certs in plain text format. Since the jump server is a trusted device, any intruder with sufficient privileges can jeopardize the entire network.
- An OpenSSH jump server does not have any mechanism to detect user impersonation, i.e., using another one’s login to access the server. The system will let you in if you have valid login credentials.
- Routine activities such as user or server addition, removal, setting privileges, or security management takes a lot of system administration time.
- Logging the user activities on the remote server from the jumpserver is impossible without placing an agent software on the server.
- Jump server management is through the command-line interface. If you are not a competent Linux administrator, you must hire someone, increasing operational expenses.
- Migrating or upgrading a jump server is a tedious process with a high probability of downtime.
- Integrating with other authentication systems or exporting multiple users from systems such as Active Directory or LDAP are not supported.
- Many companies adopt OpenSSH jump server implementation to avoid the costs of purchasing custom-made ssh jump server solutions. But the inherent limitations of ssh jump server cost them dearly by denting their development possibilities.
- The lack of fail-over systems makes the entire network inaccessible in the event of jump server failure.
Only an ssh jump server solution that moves abreast with the technological and industry demands alone can ensure you a smooth growth trajectory. Ezeelogin, with its innovative features, robust security, and exceptional user experience, helps companies worldwide to scale new heights with absolute confidence.
Jump server best practices
Find how to secure your ssh jump server
Jump server comparison:
OpenSSH Vs. Ezeelogin
OpenSSH Jump Server
|
Ezeelogin Jump Server
|
|
Only password or cert-based authentication |
Supports 2FA – Google Authenticator, Yubikey, and Duo |
|
Stores SSH Keys in plain text format |
The encrypted keys are stored in databases |
|
Uses default shells. No customization is possible. |
Uses custom shell – ezsh |
|
Can’t restrict command execution |
Command-Line Guard restricts the user from executing dangerous commands. |
|
Login works only for command line |
Both command line and WebSSH login works |
|
Needs professional Linux administration skills |
Only a few mouse clicks are required. No server admin expertise is essential. |
|
Command execution on multiple servers requires separate ssh logins. |
Parallel shell enables simultaneous execution of commands across multiple servers. |
|
User activity session recording is possible only through agent software. |
No agent software is required for ssh session logging. |
|
Password Reset, Rotation, and login sharing are quite clumsy processes. |
Password management is automated. |
|
Single point of failure – you can’t access your servers if the jump server is down. |
Master-slave architecture to avoid the single point failure |
|
Achieving security compliance is hard. |
Can easily fulfill security compliance requirements |
|
Permits access only for system users. |
Login for LDAP and Active Directory users is possible. |
