SSH via multiple hosts or bastions
Currently, as per normal procedure, we have a bastion server in each public subnet within a cloud network and we attempt to access it via the following config -

Host webserverA
    User myuser
    Hostname 192.168.1.10
    ForwardAgent yes
    Port 22
    ProxyCommand ssh -q bastionA nc %h %p
    IdentityFile ~/webserver.pem

Is there a way for me to extend this model to having another bastion server?

BastionB -> BastionA -> WebserverA ?

The reasoning is that I'd like to treat this as a Chain of Trust. Remove something when a rather bad event occurs.

By CoT I mean, if a set of users leaves, we can change the first set of keys so that we can block their further access.
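The two-hop layout asked about above, written out as an added example (it is not part of the original question or its answers). It uses `ProxyJump`, available in OpenSSH 7.3 and later; the `bastionB` and `bastionA` aliases, their addresses and the per-hop key file names are assumptions chosen for illustration.

```sshconfig
# Added example, not from the original question: the chain
# BastionB -> BastionA -> WebserverA expressed with ProxyJump.
# Host aliases, addresses and key file names here are assumptions.

# Outermost hop: the only machine reachable from the Internet.
Host bastionB
    User myuser
    Hostname 203.0.113.10          # assumed public address (documentation range)
    IdentityFile ~/bastionB.pem
    ForwardAgent no                # the bastion never needs your agent

# Inner bastion: only reachable through bastionB.
Host bastionA
    User myuser
    Hostname 10.0.0.10             # assumed private address
    IdentityFile ~/bastionA.pem
    ProxyJump bastionB
    ForwardAgent no

# Target: reached through the whole chain.
Host webserverA
    User myuser
    Hostname 192.168.1.10
    Port 22
    IdentityFile ~/webserver.pem
    ProxyJump bastionA             # ssh applies bastionA's own ProxyJump too
    ForwardAgent no
```

`ssh webserverA` then opens a session to bastionB, tunnels a TCP forward through it to bastionA, authenticates to bastionA with `~/bastionA.pem` held on the workstation, tunnels again to webserverA and authenticates with `~/webserver.pem`. No private key is ever copied to a bastion, and each hop is authenticated separately, which is what makes the "chain of trust" revocation in the question work: removing a departed user's key from bastionB's `authorized_keys` stops them before any inner host is reached. Because the tunnel is end to end, `ForwardAgent yes` from the original config is not needed for the hops and only exposes the agent socket to each bastion. On clients older than 7.3 the same chain is `ProxyCommand ssh -q -W %h:%p bastionA` in the webserverA block and `ProxyCommand ssh -q -W %h:%p bastionB` in the bastionA block; `-W` replaces the `nc` that the original `ProxyCommand` requires on the bastion.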
