Currently, as per normal procedure, we have a bastion server in each public subnet within a cloud network, and we attempt to access it via the following config:
    Host webserverA
        User myuser
        Hostname 192.168.1.10
        # Forwards the local agent socket to webserverA: anyone with root
        # there can use the agent for as long as the session is open.
        ForwardAgent yes
        Port 22
        # Tunnel the connection through bastionA; needs nc installed on bastionA.
        ProxyCommand ssh -q bastionA nc %h %p
        IdentityFile ~/webserver.pem
Is there a way for me to extend this model to having another bastion server?
BastionB -> BastionA -> WebserverA?
The reasoning is that I'd like to treat this as a Chain of Trust: remove something when a rather bad event occurs.
By CoT I mean that if a set of users leaves, we can change the first set of keys so that we can block their further access.
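Added example (not part of the question above): the two-hop chain BastionB -> BastionA -> WebserverA expressed with ProxyJump, so that each hop is authenticated separately with a key that never leaves the client machine. The bastion addresses (RFC 5737 / private ranges) and the bastionA/bastionB key file names are placeholders; only webserverA, 192.168.1.10 and ~/webserver.pem come from the question.

```sshconfig
# Added example, not from the question. Everything except webserverA,
# 192.168.1.10 and ~/webserver.pem is a placeholder to be replaced.

# Hop 1: the only host reachable from outside. Because every later hop is
# opened from this connection, deleting a user's public key from bastionB's
# authorized_keys is enough to cut them off from everything behind it.
Host bastionB
    # public address of bastionB (placeholder)
    HostName 203.0.113.10
    User myuser
    IdentityFile ~/bastionB.pem
    # offer only this key, not every key the agent holds
    IdentitiesOnly yes

# Hop 2: reachable only from bastionB's network.
Host bastionA
    # private address of bastionA (placeholder)
    HostName 10.0.1.10
    User myuser
    IdentityFile ~/bastionA.pem
    IdentitiesOnly yes
    # OpenSSH 7.3+: stdio for this hop is tunnelled through bastionB
    ProxyJump bastionB

# Final target. ssh applies bastionA's own ProxyJump when it opens the
# intermediate hop, so this single line yields B -> A -> webserverA.
# No private key and no agent socket has to exist on either bastion, so
# ForwardAgent is not needed for the chain itself.
Host webserverA
    HostName 192.168.1.10
    User myuser
    Port 22
    IdentityFile ~/webserver.pem
    IdentitiesOnly yes
    ProxyJump bastionA

# Equivalent for OpenSSH older than 7.3: replace each ProxyJump with a
# nested ProxyCommand. -W forwards stdio to %h:%p from the far side and
# does not need nc on the bastion.
#   in the bastionA block:    ProxyCommand ssh -q -W %h:%p bastionB
#   in the webserverA block:  ProxyCommand ssh -q -W %h:%p bastionA
```

With this in ~/.ssh/config, `ssh webserverA` authenticates to bastionB first, tunnels the bastionA connection through it, and the webserverA connection through that; `ssh -v webserverA` shows each hop being authenticated in turn. Removing a departed user's public key from bastionB's authorized_keys then blocks them from reaching bastionA or the web server along this path, which is the revocation property the question describes.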