These scripts produce a minimal OpenSSH jump host, which will
accept signed user keys and allow them to transfer to another
host inside the network. The build system uses
linux-builder
to create a custom kernel and initrd with only the sshd
program.
Goals:
- Diskless image
- Immutable system
- Network logging
- No shell for accidental code execution
- Minimal attack surface
git clone --recursive https://github.com/osresearch/jumphost
cd jumphost
make keys # create CA keys and a demo user
make -j32 build/vmlinuz-jump
make qemu
virsh create jump/jump.xml
- https://smallstep.com/blog/use-ssh-certificates/
- https://www.vaultproject.io/docs/secrets/ssh/signed-ssh-certificates
Every user logs into the jump host as user jump
. Passwords are not
allowed. Interactive sessions are not allowed. Only proxy commands
via the ssh -J jump@jumphost user@other-host
are allowed.
The jumphost has a public key of the user CA that will sign acceptable user keys. This CA is fixed at image build time; to change the CA requires rebuilding the jump host system image. The login attempts are sent via syslog to the network logging host.
The jumphost's host key is also signed by a host CA, so that users connecting can ensure that they trust it without having to TOFU (Trust On First Use) the key.
You can add it to your user ssh config by running:
echo "@cert-authority * $(cat etc/host_ca.pub)" >> ~/.ssh/known_hosts