Friday 26 February 2016

How To Use SSH to Connect to a Remote Server in Ubuntu via a Bastion


What Is SSH?


One essential tool to master as a system administrator is SSH.

SSH, or Secure Shell, is a protocol used to securely log onto remote systems. It is the most common way to access remote Linux and Unix-like servers, such as VPS instances.

In this guide, we will discuss how to use SSH to connect to a remote system.

It is often good practice to set up a Bastion server, which is essentially a gateway to your other servers.
If you do this, you can configure your other servers to allow SSH access only from the Bastion.

This post is to help with that process...



SSH connection via the Bastion

SSH access to any instance should go via the Bastion server.

SSH-ing from the Bastion server into a different server generally requires the Bastion public key to be in the authorized_keys in the target server.

Connecting to a new instance, where the Bastion public key is not in authorized_keys

Ensure that the security group for the new instance allows SSH connections from the Bastion.

You can use SSH agent forwarding. This technique lets you authenticate from the Bastion with a keypair held on your PC, without the private key ever being stored on the Bastion.

You need to know which keypair the new instance was created with. Open Pageant (on your PC) and import the keypair corresponding to your new instance.

Note: You can confirm that Pageant is running by checking the notification icons in your PC's taskbar.




Another sign that it isn't running is that the Linux server returns an error when you run the ssh-add -L command.

In PuTTY, connect to the Bastion using its private key, but under "Connection → SSH → Auth" tick the box for "Allow agent forwarding".

On the Bastion server, you can check that the forwarded key is available by running:
  ssh-add -L
Now, from the Bastion server, ssh into the target instance:
  ssh [PRIVATE IP OF TARGET INSTANCE]
Once you are on the target instance, add the Bastion public key to its authorized_keys so that agent forwarding won't be required for future connections from the Bastion.
Or leave it as is to keep things simple.
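As an added example that is not from the original post: a small POSIX shell helper for the Bastion that performs the ssh-add -L check described above before hopping, distinguishes "no agent forwarded" from "agent forwarded but holding no keys", and hops with agent forwarding disabled so the target instance cannot reuse the forwarded keys. The function names, the target-IP argument and the exit-code mapping are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original post). Run on the Bastion before
# hopping to a target instance. Assumes the OpenSSH client is installed on
# the Bastion and that the target is given as its private IP.

# Returns 0 if a forwarded agent is reachable and holds at least one key.
# ssh-add -L exits 1 when the agent has no identities and 2 when no agent
# socket can be reached (e.g. "Allow agent forwarding" was not ticked).
agent_ready() {
    if [ -z "${SSH_AUTH_SOCK:-}" ]; then
        echo "SSH_AUTH_SOCK is not set: agent forwarding is not active" >&2
        return 2
    fi
    ssh-add -L >/dev/null 2>&1
    rc=$?
    case "$rc" in
        0) return 0 ;;
        1) echo "agent reachable but holds no keys: import the keypair into Pageant" >&2
           return 1 ;;
        *) echo "cannot reach the agent socket at $SSH_AUTH_SOCK" >&2
           return 2 ;;
    esac
}

# Fingerprints currently offered by the forwarded agent, one per line.
agent_fingerprints() {
    ssh-add -l 2>/dev/null | awk '{print $2}'
}

# Hop to the target using the forwarded agent. -a disables agent forwarding
# on this second hop, so the target instance cannot use the keys itself.
# Usage: hop 10.0.1.23   (constructed sample private IP)
hop() {
    target="$1"
    agent_ready || return $?
    echo "hopping to $target with $(agent_fingerprints | wc -l) forwarded key(s)" >&2
    ssh -a "$target"
}
```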
