SSH Access Gateway

When many ssh users reach your intranet through one host, some form of session logging is necessary. This article shows how to set up a gateway that allows ssh access to an intranet while recording each user's entire session into text files. The tools used to achieve this are the ssh server and client, the script(1) utility and a short bash script.

Gateway Settings
SSH Key config

# cat .ssh/authorized_keys
command="/scripts/tunnel_log/tunnel_log.sh ${SSH_ORIGINAL_COMMAND:-}" ssh-dss ... PUBLIC KEY OF THE USER

Script Source
# cat /scripts/tunnel_log/tunnel_log.sh
#!/bin/bash
# Forced-command wrapper: every session through the gateway is recorded by
# script(1) into a timestamped typescript file.

server=""
user="root"
log="/scripts/tunnel_log/$(date "+%Y%m%dx%H%M%S").log"

# Record where the client came from (client IP/port, server IP/port).
echo "SSH_CONNECTION variable: $SSH_CONNECTION" > "${log}"

if [ $# -eq 0 ]; then
        # No SSH_ORIGINAL_COMMAND was given: ask for the target interactively.
        echo -n "Server name: "
        read -r server
        echo -n "Username: "
        read -r user
        echo "Session started to [ ${server} ] as user [ ${user} ] : " >> "${log}"
        script -c "ssh ${user}@${server}" -q -f -a "${log}"
else
        # The arguments come from the client's SSH_ORIGINAL_COMMAND and are
        # passed to ssh unchanged (e.g. "otheruser@destination -p 2020").
        echo "Session started [ $* ] : " >> "${log}"
        script -c "ssh $*" -q -f -a "${log}"
fi
exit 0

Connection from Linux
Simple connection

# ssh user@gateway
Server name: test.net
Username: testuser

Run without a remote command, the gateway script prompts you for the destination (and the user name) to which the connection should be made via the gateway.

# ssh -t user@gateway otheruser@destination -p 2020

The above command connects to gateway as user and is redirected to server destination as user otheruser on port 2020: everything after the gateway name reaches the script through SSH_ORIGINAL_COMMAND, and -t is needed so that the interactive session gets a terminal.
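The forced command in tunnel_log.sh hands whatever the client sent in SSH_ORIGINAL_COMMAND to ssh unchanged. The following script is an added example, not the post's own code, of a stricter front end that accepts only the "user@host [-p port]" form used in the connection examples above and refuses anything else before a session is logged and started. The ALLOWED_HOSTS list and the function name build_ssh_args are assumptions; the log directory is the one from the post.

```shell
#!/bin/bash
# Added example (not the original post's script): validate the target that the
# client supplied before handing it to ssh. sshd passes SSH_ORIGINAL_COMMAND to
# the command= script as positional arguments, so "$@" here is client-chosen.
# Assumptions: the allowlist below and the post's log directory.

# Hypothetical allowlist of destinations reachable through the gateway.
ALLOWED_HOSTS="test.net destination"

# build_ssh_args USER@HOST [-p PORT]
# Prints the validated ssh argument string ("-p PORT USER@HOST") on success
# and returns 1 on anything else: extra words, bad characters, unknown host.
build_ssh_args() {
    target="$1"
    port="22"
    if [ $# -eq 3 ] && [ "$2" = "-p" ]; then
        port="$3"
    elif [ $# -ne 1 ]; then
        return 1
    fi
    # Only letters, digits, '_', '.', '-' and '@' may appear, so the result
    # can never contain whitespace, quotes or shell metacharacters.
    leftover=$(printf '%s' "$target" | tr -d 'A-Za-z0-9_.@-')
    [ -z "$leftover" ] || return 1
    case "$target" in
        *@*@*|@*|*@|-*) return 1 ;;   # two '@', empty user/host, or option-like
        *@*) ;;
        *) return 1 ;;                # not in user@host form at all
    esac
    user="${target%%@*}"
    host="${target#*@}"
    # Port: 1 to 5 digits in the range 1..65535.
    case "$port" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "${#port}" -le 5 ] || return 1
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
    for allowed in $ALLOWED_HOSTS; do
        if [ "$allowed" = "$host" ]; then
            printf '%s\n' "-p $port $user@$host"
            return 0
        fi
    done
    return 1
}

# Entry point when run as the forced command. With no arguments (for example
# when the file is sourced for its functions) nothing happens.
if [ $# -gt 0 ]; then
    if args=$(build_ssh_args "$@"); then
        log="/scripts/tunnel_log/$(date '+%Y%m%dx%H%M%S').log"
        echo "SSH_CONNECTION variable: ${SSH_CONNECTION:-unset}" > "$log"
        echo "Session started [ $args ] : " >> "$log"
        # $args passed validation above, so it is safe inside the -c string.
        exec script -q -f -a "$log" -c "ssh $args"
    else
        echo "tunnel_log: refusing target '$*'" >&2
        exit 1
    fi
fi
```

Installed in place of tunnel_log.sh with the same command= line, a client request such as "otheruser@destination -p 2020" still works, while arguments that are not a permitted host and port are refused and never reach ssh. The key line itself is best combined with the sshd options no-port-forwarding,no-X11-forwarding,no-agent-forwarding, since forwarded connections through the gateway would not appear in the typescript at all.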

Resources:
http://oreilly.com/catalog/sshtdg/chapter/ch11.html
https://calomel.org/openssh.html

Published on 2011/10/09 at 20h11 by Bashar