AutoSSH through Firewall - Best practice for many devices on network?

Server Fault Asked by QNeville on December 31, 2020

My team is trying to find a solution to remotely access and update multiple Linux devices behind a firewall at several locations with their own firewalls. Traditionally, we would visit the business’ physical site and update the devices with Ansible running from within their network, or make changes via RDP and individual SSH access. Port forwarding is not an option, not even for a bastion.

||REMOTE SERVER|| ===> ||LOCATION 1 FIREWALL|| ===> [DEVICE 1, DEVICE 2, ..., DEVICE N]
(executing cmds)  ===> ||LOCATION 2 FIREWALL|| ===> [DEVICE 1, DEVICE 2, ..., DEVICE N]
                  ===> ||LOCATION 3 FIREWALL|| ===> [DEVICE 1, DEVICE 2, ..., DEVICE N]
                  ...
                  ===> ||LOCATION N FIREWALL|| ===> [DEVICE 1, DEVICE 2, ..., DEVICE N]

What is best practice with AutoSSH, or is there an alternative that would work better for maintaining these devices? We have two solutions so far.

Solution 1 – AutoSSH for every device:

  • Establish an AutoSSH connection from each and every individual device on each network (potentially hundreds per location). Configure SSH access for each of those devices.

Host loc_1_device_1
        HostName localhost
        Port 6000
        User maintenance
        IdentityFile /home/devops/.ssh/remote_maint

Host loc_1_device_2
        HostName localhost
        Port 6001
        User maintenance
        IdentityFile /home/devops/.ssh/remote_maint

Host loc_1_device_3
        HostName localhost
        Port 6002
        User maintenance
        IdentityFile /home/devops/.ssh/remote_maint

Host loc_2_device_1
        HostName localhost
        Port 7000
        User maintenance
        IdentityFile /home/devops/.ssh/remote_maint

Host loc_2_device_2
        HostName localhost
        Port 7001
        User maintenance
        IdentityFile /home/devops/.ssh/remote_maint

Solution 2 – AutoSSH for proxy/jump host only:

  • Establish an AutoSSH connection from a single proxy (possibly a secondary as failover) on each of our client’s networks. Configure SSH access for each of those devices to a port on the remote server.

Host location_1
        HostName localhost
        Port 6000
        User maintenance
        IdentityFile /home/devops/.ssh/remote_maint

Host location_2
        HostName localhost
        Port 6001
        User maintenance
        IdentityFile /home/devops/.ssh/remote_maint

From there, connection seems easy enough with ssh -t location_1 ssh [email protected], or some ansible config for proxy command.

I’ve done a proof of concept for solution 2, running Ansible commands from the remote server, and it seems to work well, but there is pushback from other members on the team to go with solution 1 to remain a 1-1 inventory of every device (Which should just be the entire point of Ansible?). What concerns me with solution 1 is that there could be thousands of devices trying to maintain reverse SSH simultaneously, which could result in needless network overhead. It also seems like a needless amount of work for adding and removing devices from that network.

Is there another way to approach this? Am I on the right track, or am I crazy for thinking the rest of the team is crazy?
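The "one tunnel per location" layout from solution 2, written out as an added example (this is not the asker's configuration): a small Python script that emits the ssh_config and an Ansible INI inventory from a single inventory structure, so every device remains its own inventory entry while only the transport is shared. The location names, loopback ports, user and key path follow the post; the device addresses (192.0.2.x) are constructed. ProxyJump (OpenSSH 7.3 and later) replaces the `ssh -t location_1 ssh ...` form: the operator's key authenticates to the device directly and never has to be present on the jump host.

```python
"""
Generate per-device SSH client config and an Ansible inventory for the
'one tunnel per location' layout (solution 2).  Example code added for
illustration; the device addresses and port numbers below are constructed.
"""

# Constructed sample: each location has one reverse tunnel bound to a
# loopback port on the remote server, and a handful of devices behind it.
LOCATIONS = {
    "location_1": {
        "tunnel_port": 6000,
        "devices": {"device_1": "192.0.2.11", "device_2": "192.0.2.12"},
    },
    "location_2": {
        "tunnel_port": 6001,
        "devices": {"device_1": "192.0.2.21"},
    },
}

USER = "maintenance"
IDENTITY = "/home/devops/.ssh/remote_maint"


def build_ssh_config(locations, user=USER, identity=IDENTITY):
    """Return ssh_config text: one jump Host per location, one Host per device.

    Device hosts use ProxyJump (OpenSSH 7.3+), so the operator's key is used
    end to end and never has to be copied onto the jump host.
    """
    seen_ports = {}
    lines = []
    for loc, spec in locations.items():
        port = spec["tunnel_port"]
        # Two locations binding the same loopback port on the remote server
        # would silently fight over it; refuse to emit such a config.
        if port in seen_ports:
            raise ValueError(
                f"tunnel port {port} used by both {seen_ports[port]} and {loc}")
        seen_ports[port] = loc
        lines += [
            f"Host {loc}",
            "    HostName localhost",
            f"    Port {port}",
            f"    User {user}",
            f"    IdentityFile {identity}",
            "",
        ]
        for dev, addr in spec["devices"].items():
            lines += [
                f"Host {loc}_{dev}",
                f"    HostName {addr}",
                f"    User {user}",
                f"    IdentityFile {identity}",
                f"    ProxyJump {loc}",
                "",
            ]
    return "\n".join(lines)


def build_ansible_inventory(locations):
    """Return an INI inventory: one group per location, one host per device.

    Every device stays a first-class inventory entry; only the transport
    (ProxyJump through the location's tunnel alias in ssh_config) is shared.
    """
    lines = []
    for loc, spec in locations.items():
        lines.append(f"[{loc}]")
        for dev, addr in spec["devices"].items():
            lines.append(f"{loc}_{dev} ansible_host={addr}")
        lines.append("")
        lines.append(f"[{loc}:vars]")
        lines.append(f"ansible_user={USER}")
        lines.append(f"ansible_ssh_common_args='-o ProxyJump={loc}'")
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    print(build_ssh_config(LOCATIONS))
    print(build_ansible_inventory(LOCATIONS))
```

Adding or removing a device is then a one-line change in the inventory structure, and the duplicate-port check catches the one failure mode that is easy to miss as locations grow: two tunnels trying to bind the same loopback port on the remote server.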

One Answer

I'm using your solution 1, but with an automatic allocation of port numbers.
I don't need to configure each device individually.

That is done by a multi-stage process. If a device connects for the first time, it doesn't know which port number it has to use, so it connects via ssh to the server, sending its own MAC address.
The server allocates a free port number, stores it and tells the port to the device. The device stores the port number for all future connections.

Then the device reconnects with the port number.

All devices use the same "private key", but the key can only be used to build a tunnel to the server. To connect to a device, my public key is stored on each device.

On the server the authorized_keys file contains a simple command for that key (the script for allocating new keys by MACs). The tunnel has to be done via -N.

command="/home/tunnel/reverse_server/reverse_server.py",no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa <PUBLIC-KEY-FOR-ALL-DEVICES>

On the server, the GatewayPorts no option should be configured in /etc/sshd/sshd_config to avoid external port access.

Answered by jeb on December 31, 2020
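The first-connection step from this answer (device sends its MAC, server allocates and records a free port, replies with it), as an added example that is not the answerer's reverse_server.py. It assumes the shared device key's authorized_keys entry names this script as its command=, so a device's first contact is `ssh -i shared_key tunnel@server <MAC>` and the MAC arrives in SSH_ORIGINAL_COMMAND; the state-file path and port range are assumptions. The MAC is validated strictly before it touches the state file, because anyone holding the shared key controls that string, and an exclusive file lock keeps two devices that connect at the same moment from being handed one port.

```python
"""
Forced-command port allocator for the answer's first-connection step.

Example code added for illustration, not the answerer's reverse_server.py.
Assumptions: the shared device key's authorized_keys entry points at this
script as its command=; a device's first contact is
'ssh -i shared_key tunnel@server <MAC>', so the MAC arrives in
SSH_ORIGINAL_COMMAND; the state-file path and port range are made up here.
"""
import fcntl
import json
import os
import re
import sys
import tempfile
from pathlib import Path

STATE_FILE = "/home/tunnel/reverse_server/ports.json"   # assumed location
PORT_RANGE = (6000, 6999)                              # assumed range

# Strict MAC syntax: six hex pairs separated by ':' ('-' is normalised below).
MAC_RE = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$")


def normalize_mac(raw):
    """Lower-case the MAC, accept '-' separators, reject anything else.

    SSH_ORIGINAL_COMMAND is chosen by whoever holds the shared key, so
    nothing but a well-formed MAC is allowed into the state file.
    """
    mac = raw.strip().lower().replace("-", ":")
    if not MAC_RE.match(mac):
        raise ValueError(f"invalid MAC address: {raw!r}")
    return mac


def allocate_port(raw_mac, state_path=STATE_FILE, port_range=PORT_RANGE):
    """Return the port bound to this MAC, allocating the lowest free one.

    The JSON state file maps MAC -> port.  An exclusive flock serialises
    concurrent first-time connections so two devices never share a port.
    """
    mac = normalize_mac(raw_mac)
    lo, hi = port_range
    path = Path(state_path)
    path.parent.mkdir(parents=True, exist_ok=True)
    path.touch(exist_ok=True)
    with open(path, "r+") as fh:
        fcntl.flock(fh, fcntl.LOCK_EX)
        content = fh.read()
        table = json.loads(content) if content.strip() else {}
        if mac in table:                      # known device: same port again
            return table[mac]
        used = set(table.values())
        for port in range(lo, hi + 1):
            if port not in used:
                table[mac] = port
                fh.seek(0)
                fh.truncate()
                json.dump(table, fh, indent=1, sort_keys=True)
                fh.flush()
                os.fsync(fh.fileno())
                return port
        raise RuntimeError(f"no free port left in {lo}-{hi}")


def demo(tmp_dir=None):
    """Run the allocation sequence against a scratch state file."""
    with tempfile.TemporaryDirectory() as scratch:
        state = os.path.join(tmp_dir or scratch, "ports.json")
        rng = (6000, 6002)                    # tiny range to show exhaustion
        first = allocate_port("AA:BB:CC:DD:EE:01", state, rng)
        second = allocate_port("aa-bb-cc-dd-ee-02", state, rng)
        again = allocate_port("aa:bb:cc:dd:ee:01", state, rng)   # idempotent
        third = allocate_port("aa:bb:cc:dd:ee:03", state, rng)
        try:
            allocate_port("aa:bb:cc:dd:ee:04", state, rng)
            exhausted = False
        except RuntimeError:
            exhausted = True
    return {"first": first, "second": second, "again": again,
            "third": third, "exhausted": exhausted}


def main():
    """Entry point when sshd runs this as the key's forced command."""
    raw = os.environ.get("SSH_ORIGINAL_COMMAND", "")
    if not raw:
        print("usage: ssh <server> <MAC-address>", file=sys.stderr)
        sys.exit(2)
    try:
        print(allocate_port(raw))
    except (ValueError, RuntimeError) as err:
        print(err, file=sys.stderr)
        sys.exit(1)


if __name__ == "__main__":
    main()
```

The device's later `ssh -N -R <port>:localhost:22 server` opens no session channel, so the forced command does not run again and the tunnel simply stays up. Because every device presents the same key, sshd's per-key permitlisten option cannot pin a device to the port it was allocated; the state file is the only record of which device owns which port, and the `GatewayPorts no` setting from the answer keeps those ports on the server's loopback.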
