Linux – How to properly SSH into a server behind a NAT while maintaining the tightest possible security

Tags: linux, nat, networking, security, ssh

I have a VPC in Amazon AWS. There's a NAT Server running in a Public Subnet that connects to an Internet Gateway. I have a bunch of servers running in various private subnets within the VPC. I'd like to SSH into the servers that are in the private subnet. All my servers are running AWS Linux (CentOS).

Currently, I can SSH into the NAT server using my private key. The NAT server allows SSH connections only from my current development IP. Then I can SSH into the servers in the private subnets only if I set up SSH login on those servers, or if I put a key file on the NAT server and then use it to SSH. For security, it seems like I shouldn't do either of these things.

Is there a preferred best-practice way to make this connection? It seems like there should be a way to connect with a single SSH call from my home development machine running Apple OSX.

Best Answer

You should not put your secret key on the gateway, and you don't have to :-)

Set up your local SSH config so you can use the NAT gateway for port forwarding when you need it:

Create an entry in your ~/.ssh/config that sets up local forwards to the hosts you want to connect to:

Host natgw-fwd
        User ec2-user
        HostKeyAlias natgw-fwd.my.domain
        HostName 54.182.32.11
        LocalForward 1025 10.0.2.1:22

Then add one entry per forwarded host, each with its own HostKeyAlias:

Host internal-one
        User ec2-user
        HostKeyAlias internal-one.ec2.internal
        HostName localhost
        Port 1025

Bring the tunnel up in one shell:

ssh -C -v natgw-fwd

and connect to the internal hosts in another shell:

ssh internal-one

When using lots of "quick + short" connections in addition to a shell or two, as with a tool like dsh, latency for setup and teardown of single connections gets more noticeable, and I use ControlMaster and ControlPath to enable connection sharing. The limitations don't bother me because I rarely use agent or X11 in such a scenario.
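The answer above shows the pattern for one internal host; the following is an added example (not the answerer's own code) that generates the same kind of ~/.ssh/config fragment for any number of private-subnet hosts. Each host gets its own local port and its own HostKeyAlias, so the known_hosts entry for every internal machine is checked under that machine's name rather than under a shared "localhost" entry, and the forwards are bound explicitly to 127.0.0.1 so nothing else on the local network can reach the tunnel. It also adds the ControlMaster/ControlPath connection sharing mentioned in the last paragraph. The gateway address and the internal IPs are the ones used in the answer; the ".ec2.internal" suffix, the ControlPath location and the 10-minute ControlPersist are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original answer: emit ~/.ssh/config entries
# for reaching several private-subnet hosts through one NAT gateway, following
# the LocalForward + HostKeyAlias pattern from the answer above.
# Gateway values and internal IPs below are the constructed sample values.

GW_HOST_ALIAS="natgw-fwd"
GW_USER="ec2-user"
GW_HOSTKEY_ALIAS="natgw-fwd.my.domain"
GW_IP="54.182.32.11"          # public address of the NAT instance
FIRST_PORT=1025               # first local port used for the forwards

# Emit the gateway entry. Arguments: "name=ip" pairs for the internal hosts.
gen_gateway_entry() {
    port=$FIRST_PORT
    printf 'Host %s\n' "$GW_HOST_ALIAS"
    printf '        User %s\n' "$GW_USER"
    printf '        HostKeyAlias %s\n' "$GW_HOSTKEY_ALIAS"
    printf '        HostName %s\n' "$GW_IP"
    # Connection sharing: many short sessions reuse one authenticated
    # connection to the gateway instead of paying setup cost each time.
    printf '        ControlMaster auto\n'
    printf '        ControlPath ~/.ssh/cm-%%r@%%h:%%p\n'
    printf '        ControlPersist 10m\n'
    for pair in "$@"; do
        ip=${pair#*=}
        # Bind to loopback only, so the tunnel is usable just from this machine.
        printf '        LocalForward 127.0.0.1:%s %s:22\n' "$port" "$ip"
        port=$((port + 1))
    done
}

# Emit one Host entry per internal host, pointing at its assigned local port.
gen_host_entries() {
    port=$FIRST_PORT
    for pair in "$@"; do
        name=${pair%%=*}
        printf '\nHost %s\n' "$name"
        printf '        User %s\n' "$GW_USER"
        # Distinct alias per host: the host key is verified under this name,
        # not under a single "localhost" entry shared by every forward.
        printf '        HostKeyAlias %s.ec2.internal\n' "$name"
        printf '        HostName localhost\n'
        printf '        Port %s\n' "$port"
        port=$((port + 1))
    done
}

# Full config fragment for a list of "name=ip" pairs.
gen_config() {
    gen_gateway_entry "$@"
    gen_host_entries "$@"
}

# Print the local port assigned to host $1; remaining args are the "name=ip" pairs.
# Returns 1 if the host is not in the list.
port_for() {
    want=$1; shift
    port=$FIRST_PORT
    for pair in "$@"; do
        if [ "${pair%%=*}" = "$want" ]; then
            echo "$port"
            return 0
        fi
        port=$((port + 1))
    done
    return 1
}

# Usage (sample hosts are constructed): append the output to ~/.ssh/config, then
#   ssh -N natgw-fwd      # one shell: hold the forwards open, run no remote command
#   ssh internal-one      # another shell: lands on 10.0.2.1 via the tunnel
gen_config internal-one=10.0.2.1 internal-two=10.0.2.2
```

The "ssh -N" form keeps the tunnel up without opening a shell on the gateway; the private key never leaves the development machine, which is the point the answer makes.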
