SSH gateway
SSH Gateway Installation
Introduction
Soffid allows you to deploy a new Docker container with the SSH gateway. The configuration is similar to the Sync Server configuration; the main difference is that the SSH container listens for SSH connections.
Prerequisites
The SSH Service is only released as a docker service.
1. Install docker ( https://docs.docker.com/install/ )
2. Install Soffid PAM (store container and launcher container)
You can visit the PAM Jump Server Installation page for more information about how to install PAM
3. Create a Docker network (*); this network allows you to connect containers to the same bridge network so that they can communicate:
sudo docker network create -d bridge NETWORKNAME
* You can use the same network defined in the Console and Sync Server installation to avoid visibility problems.
Installation
The steps required to install the SSH container are:
1. Create a user
We need to create a user in the PAM store container. To do this, we connect to the store container:
sudo docker exec -it soffid-pam-store /bin/bash
Once we are connected to the container, we run a script to create the user. This script takes two parameters: the user name and the role. The role parameter must be launcher:
root@soffid-pam-store:/# /opt/soffid/tomee/bin/add-user.sh proxysshtest launcher
Password: c4ZRcmgemq3nMr1VQJCD1pJRhPbdX5hrmmrP6RX7zBE4HSs3RV3+cGwDdL1WaaqZ
root@soffid-pam-store:/#
As a result of the script, we receive the password for the created user. This password will be needed later, when we create the container.
2. Create volume
We need to create a volume that will be used by the Docker container:
sudo docker volume create soffid-ssh
3. Create a docker container
Finally, we execute the command to create the SSH gateway container:
docker run \
--name soffid-ssh \
-e SOFFID_SERVER=https://iam-sync.soffidnet:1760 \
-e SOFFID_USER=admin \
-e SOFFID_PASS=changeit \
-e SOFFID_HOSTNAME=ssh-gateway \
-e STORE_SERVER=http://soffid-pam-store:8080 \
-e STORE_PASSWORD=kDH0vh8MFWWn843Vhzmj0Np7uzMEfbqFYM1ELCQqOf++tF0xfd=Ve2eGq81OXvqy \
-e STORE_USER=proxysshtest \
-v soffid-ssh:/opt/soffid/iam-sync/conf \
--publish 2222:22 \
--network=soffidnet \
soffid/pam-ssh:1.4.2
Environment Variables
To create the new SSH container you need to set the following environment variables:
Variable | Description | Example |
SOFFID_SERVER | Sync Server URL | https://syncserver01.soffid.com:1760 |
SOFFID_USER | Soffid user to join the security domain | admin |
SOFFID_PASSWORD | Soffid user password | changeit |
SOFFID_HOSTNAME | The hostname used to access the SSH gateway | ssh-gateway |
STORE_SERVER | Store URL | http://soffid-pam-store:8080 |
STORE_PASSWORD | Password received when you created the user in the store container. | ************ |
STORE_USER | Store user | proxyssh |
SSH Gateway Connection
Introduction
We can establish a connection to the target system using the SSH remote access protocol.
How to connect 1
You can establish the connection with the SSH gateway, and Soffid will then ask for your password and the parameters of the target system to connect to:
- Password: password of your account to connect to Soffid.
- Target server: system to which you want to connect.
- Account to use: account to use to connect to the target system.
- Account source system: source system of the account (leave blank to use a local account of the target system).
root@soffid:~# ssh -p 2222 dilbert@ssh-gateway
Password:
Target server: 10.129.120.5
Account to use: patricia
Account source system [leave blank to use a target system local account]:
________________________________________
| __ |
| __/ | |
| __ __ _/__|__o __| |
| |__ / \ | | | / | |
| __| \__/ | | | \__/ SSH GATEWAY |
| __/ |
| |
| Hello dilbert |
| NOTICE: This session is being recorded |
|________________________________________|
Connecting to 10.129.120.5 as patricia
Last login: Fri Apr 8 08:39:23 2022 from 10.129.120.6
[patricia@forgecentos ~]$
How to connect 2
You can establish the connection with the target system by typing all the connection parameters in one line, in the form AccountName__HostName__TargetAccount. At the end, Soffid will ask for the password of your account to connect.
- Account name: account to connect to Soffid.
- Host name: target system to which you want to connect.
- Target account: account to connect to the target system.
- Password: password of your account to connect to Soffid.
root@soffid:~# ssh -p 2222 dilbert__10.129.120.5__patricia@ssh-gateway
Password:
________________________________________
| __ |
| __/ | |
| __ __ _/__|__o __| |
| |__ / \ | | | / | |
| __| \__/ | | | \__/ SSH GATEWAY |
| __/ |
| |
| Hello dilbert |
| NOTICE: This session is being recorded |
|________________________________________|
Connecting to 10.129.120.5 as patricia
Last login: Fri Apr 8 09:57:22 2022 from 10.129.120.6
[patricia@forgecentos ~]$
How to connect 3
You can establish the connection with the target system by typing all the connection parameters in one line, in the form AccountName__HostName__TargetAccount, and authenticating with an SSH key.
- Account name: account to connect to Soffid.
- Host name: target system to which you want to connect.
- Target account: account to connect to the target system.
You can generate an SSH key to connect or use your existing SSH key.
- Generate a new ssh key:
ssh-keygen -t rsa
- Read an existing ssh key:
cat .ssh/id_rsa.pub
Then you need to include it in the Soffid Console, in your user data.
Finally you can establish the connection:
pgarcia@soffid:~$ ssh -p 2222 pgarcia__10.129.120.5__patricia@ssh-gateway
________________________________________
| __ |
| __/ | |
| __ __ _/__|__o __| |
| |__ / \ | | | / | |
| __| \__/ | | | \__/ SSH GATEWAY |
| __/ |
| |
| Hello pgarcia |
| NOTICE: This session is being recorded |
|________________________________________|
Connecting to 10.129.120.5 as patricia
Last login: Fri Apr 8 11:57:19 2022 from 10.129.120.6
[patricia@forgecentos ~]$
Soffid needs the ssh_key attribute in the user object metadata; please check that the attribute is created properly, and fill it in with your public key.
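As an added example (not Soffid's own code) for the one-line login format used in "How to connect 2" and "How to connect 3", the following shell functions compose AccountName__HostName__TargetAccount from its parts and split it back, rejecting empty parts and parts that contain the "__" separator; the assumption that the separator is exactly two underscores and that each part must be free of it comes from the page's examples, not from Soffid documentation.

```shell
#!/bin/sh
# Added example, not part of the Soffid SSH gateway. Composes and validates
# the login name "AccountName__HostName__TargetAccount" that the gateway
# expects, and splits it back (useful when reviewing gateway or session logs).
# Assumption: separator is exactly "__" and no part may be empty or contain it.

GW_SEP="__"

# gateway_login ACCOUNT HOST TARGET_ACCOUNT -> prints the composed login name
gateway_login() {
    for part in "$1" "$2" "$3"; do
        if [ -z "$part" ]; then
            echo "gateway_login: empty component" >&2
            return 1
        fi
        case "$part" in
            *"$GW_SEP"*)
                echo "gateway_login: '$part' contains the separator $GW_SEP" >&2
                return 1 ;;
        esac
    done
    printf '%s%s%s%s%s\n' "$1" "$GW_SEP" "$2" "$GW_SEP" "$3"
}

# gateway_split LOGIN -> prints account, host and target account, one per line
gateway_split() {
    login="$1"
    account="${login%%__*}"   # text before the first "__"
    rest="${login#*__}"       # text after the first "__"
    host="${rest%%__*}"       # text before the second "__"
    target="${rest#*__}"      # text after the second "__"
    # Recomposing must give back the original string; this rejects logins with
    # fewer or more than two separators and any empty part in one check.
    if [ "$(gateway_login "$account" "$host" "$target" 2>/dev/null)" != "$login" ]; then
        echo "gateway_split: malformed login '$login'" >&2
        return 1
    fi
    printf '%s\n%s\n%s\n' "$account" "$host" "$target"
}

# Usage with the values from the page (uncomment to run against a real gateway):
# ssh -p 2222 "$(gateway_login pgarcia 10.129.120.5 patricia)@ssh-gateway"
```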