SSH in bastion mode

This chapter contains an example of a basic Fudo PAM configuration, to monitor SSH access in bastion mode. In this scenario, the user connects to the remote server over the SSH protocol and logs in to the Fudo PAM using an individual login and password combination (john_smith/john). The user specifies account on a target server in the login string (john_smith#admin_ssh_server) and connects to it over default SSH port number. Upon establishing connection, login credentials are substituted with the previously defined values: root/password (authentication modes are described in the User authentication modes section).

../../_images/quickstart_overview_ssh_bastion.png

Prerequisites

Description below assumes that the system has been already initiated. The initiation procedure is described in the System initiation topic.


Configuration

../../_images/data_modeling1.png

Adding a server

Server is a definition of the IT infrastructure resource, which can be accessed over one of the specified protocols.

  1. Select Management > Servers.
  2. Click Add.
  1. Provide essential configuration parameters:
Parameter Value
General  
Name ssh_server
Blocked fail
Protocol SSH
Description fail
   
Permissions  
Granted users fail
   
Destination host  
Address 10.0.150.1
Port 22
  1. Click i to download the target server’s public key.
../../_images/destination_host_ssh_bastion.png
  1. Click Save.

Adding a user

User defines a subject entitled to connect to servers within monitored IT infrastructure. Detailed object definition (i.e. unique login and domain combination, full name, email address etc.) enables precise accountability of user actions when login and password are substituted with a shared account login credentials.


  1. Select Management > Users.
  2. Click Add.
  3. Provide essential user information:
Parameter Value
General  
Login john_smith
Fudo domain fail
Blocked fail
Account validity Indefinite
Role user
Preferred language English
Safes fail
Full name John Smith
Email john@smith.com
Organization fail
Phone fail
AD Domain fail
LDAP Base fail
   
Permissions  
Granted users fail
   
Authentication  
Authentication failures fail
Enforce static password complexity fail
Type Password
Password john
Repeat password john
  1. Click Save.

Adding a listener

Listener determines server connection mode (proxy, gateway, transparent, bastion) as well as its specifics.

  1. Select Management > Listeners.
  2. Click Add.
  1. Provide essential configuration parameters:
Parameter Value
General  
Name ssh_listener
Blocked fail
Protocol SSH
   
Permissions  
Granted users fail
   
Connection  
Mode bastion
Local address 10.0.150.151
Port 22
  1. Click i to generate the proxy server’s private key or i to upload the .PEM file private key definition.
../../_images/fudo_quickstart_bastion.png

Note

For security reasons the form displays server’s public key derived from the generated or uploaded private key.

  1. Click Save.

Adding an account

Account defines the privileged account existing on the monitored server. It specifies the actual login credentials, user authentication mode: anonymous (without user authentication), regular (with login credentials substitution) or forward (with login and password forwarding); password changing policy as well as the password changer itself.

  1. Select Management > Accounts.
  2. Click Add.
  1. Provide essential configuration parameters:
Parameter Value
General  
Name admin_ssh_server
Account type regular
Session recording complete
OCR sessions fail
Delete session data after 61 days
   
Permissions  
Granted users fail
   
Server  
Server ssh_server
   
Credentials  
Domain fail
Login root
Replace secret with with password
Password password
Repeat password password
Password change policy Static, without restrictions
Replace secret ok
   
Password changer  
Password changer None
Privileged user fail
Privileged user password fail
  1. Click i to generate the proxy server’s private key or i to upload the .PEM file private key definition.

Note

For security reasons the form displays server’s public key derived from the generated or uploaded private key.

  1. Click Save.

Defining a safe

Safe directly regulates user access to monitored servers. It specifies available protocols’ features, policies and other details concerning users and servers relations.

  1. Select Management > Safes.
  2. Click Add.
  1. Provide essential configuration parameters:
Parameter Value
General  
Name ssh_safe
Notifications fail
Ask for login reason fail
Policies fail
Users john_smith
   
Protocol functionality  
RDP fail
SSH ok
VNC fail
   
Accounts  
admin_ssh_server ssh_listener
  1. Click Save.

Establishing connection

PuTTY - SSH client for Microsoft Windows

  1. Download and launch PuTTY.
  2. In the Host Name (or IP address) field, enter 10.0.150.151.
  3. Select the SSH connection type and leave the default port number unchanged.
../../_images/putty_bastion.png
  1. Click Open.
  2. Enter user name along with the account name on the target host.
../../_images/putty_bastion_login.png

Note

Alternatively, instead of the account name, you can specify the server by its name john_smit#ssh_server.

  1. Enter password.

Command line interface

Launch terminal and run ssh command:

ssh john_smith#admin_ssh_server@10.0.150.151

Note

Due to special interpretation of the \ character by different system shells (e.g. bash), user login and domain combination require specific formatting:

Viewing user session

  1. Open a web browser and go to the 10.0.150.150 web address.
  2. Enter the login and password to login to the Fudo PAM administration panel.
  1. Select Management > Sessions.
  2. Find John Smith’s session and click i.

Related topics: