SSH ProxyCommand on SSH server side

ssh

Using the SSH ProxyCommand directive in the client ~/.ssh/config file it is possible to connect to a SSH server through a different SSH server acting as a jump host.

Is there a similar configuration for the SSH server side? E.g., when the user logs on to a jump machine with a certain authorized key, I want this SSH connection to be automatically forwarded to another machine also running sshd.

Best Answer

You can specify a command that is executed whenever someone logs in using a ssh key.

Edit the file ~/.ssh/authorized_keys. Prepend every key you want to forward with a command=ssh user@target.

This has to be done for every user. Since this is done using a user configuration file, every user may change this. If you trust your users (or you are the only user) then this is ok. You can also prevent users from changing this by not giving them any other means to access the shell on this machine.

For more information read the sshd man page. Search for the AUTHORIZED_KEYS FILE FORMAT section, and then for command="command".

Alternatively: you can force a command using a ForceCommand in /etc/ssh/sshd_config. This option is more secure as it is enforced by sshd, and only users with root privileges can change that.

For more information read the sshd_config man page. Search for ForceCommand.

Related Solutions

Windows SSH – Fix Key Based Authentication Refusal

As of Windows 10 v1809, the default config (found in %ProgramData%/ssh/sshd_config) defines a separate AuthorizedKeysFile for administrator users:

Match Group administrators
       AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys

This means any user who is in the special Windows Administrators group (SID S-1-5-32-544) will not look at the %UserProfile%/.ssh/authorized_keys file but will rather look at %ProgramData%/ssh/administrators_authorized_keys.

You have a few options:

Use a non-administrator user, or
Comment out those two lines from the bottom of sshd_config, which will then revert back to the default per-user AuthorizedKeysFile, or
Add your keys to the (global!) administrators_authorized_keys file

My recommendation is to use a non-admin user if possible, or modify the config otherwise. A global key that is accepted for any account in the Administrators group sounds like unnecessary complexity.¹

¹ In a default config it is always possible to impersonate any other user from an admin user, since an admin user generally implies full root-level control in Windows. That might be their rationale for this default. But of course it makes configuration of a multi-user system rather confusing, where some (non-admin) users have their own authorized keys in a standard location while other (admin) users must share a single nonstandard authorized key list.

I believe there are no security benefits to such a configuration, apart from making it obvious that all admins can impersonate each other.

A future release may create user-specific folders under %ProgramData/ssh.

This is somewhat explored here: https://github.com/PowerShell/Win32-OpenSSH/issues/1324

Best Answer

Related Solutions

Windows SSH – Fix Key Based Authentication Refusal

Related Question