Server Fault Asked by QNeville on December 31, 2020
My team is trying to find a solution to remotely access and update multiple Linux devices behind a firewall at several locations with their own firewalls. Traditionally, we would visit the business’ physical site and update the devices with Ansible running from within their network, or make changes via RDP and individual SSH access. Port forwarding is not an option, not even for a bastion.
||REMOTE SERVER|| ===> ||LOCATION 1 FIREWALL|| ===> [DEVICE 1, DEVICE 2, ..., DEVICE N]
(executing cmds) ===> ||LOCATION 2 FIREWALL|| ===> [DEVICE 1, DEVICE 2, ..., DEVICE N]
===> ||LOCATION 3 FIREWALL|| ===> [DEVICE 1, DEVICE 2, ..., DEVICE N]
...
===> ||LOCATION N FIREWALL|| ===> [DEVICE 1, DEVICE 2, ..., DEVICE N]
What is best practice with AutoSSH, or is there an alternative that would work better for maintaining these devices? We have two solutions so far.
-Establish AutoSSH connection from each and every individual device on each network (potential for hundreds per location). Configure SSH access for each of those devices.
Host loc_1_device_1
HostName localhost
Port 6000
User maintenance
IdentityFile /home/devops/.ssh/remote_maint
Host loc_1_device_2
HostName localhost
Port 6001
User maintenance
IdentityFile /home/devops/.ssh/remote_maint
Host loc_1_device_3
HostName localhost
Port 6002
User maintenance
IdentityFile /home/devops/.ssh/remote_maint
Host loc_2_device_1
HostName localhost
Port 7000
User maintenance
IdentityFile /home/devops/.ssh/remote_maint
Host loc_2_device_2
HostName localhost
Port 7001
User maintenance
IdentityFile /home/devops/.ssh/remote_maint
Host location_1
HostName localhost
Port 6000
User maintenance
IdentityFile /home/devops/.ssh/remote_maint
Host location_2
HostName localhost
Port 6001
User maintenance
IdentityFile /home/devops/.ssh/remote_maint
From there, connection seems easy enough with ssh -t location_1 ssh [email protected], or some ansible config for proxy command.
I’ve done a proof of concept for solution 2, running Ansible commands from the remote server, and it seems to work well, but there is pushback from other members on the team to go with solution 1 to remain a 1-1 inventory of every device (Which should just be the entire point of Ansible?). What concerns me with solution 1 is that there could be thousands of devices trying to maintain reverse SSH simultaneously, which could result in needless network overhead. It also seems like a needless amount of work for adding and removing devices from that network.
Is there another way to approach this? Am I on the right track, or am I crazy for thinking the rest of the team is crazy?
I'm using your solution 1, but with an automatic allocation of port numbers.
I don't need to configure each device individually.
That is done by a multi stage process.
If a device connects the first time, it doesn't know which port number it has to use. So it connects via ssh the server, sending it's own MAC-address.
The server allocates a free port number, stores it and tell the port to the device. The device stores the port number for all future connections.
Then the device reconnects with the port number.
All devices use the same "private key", but the key can only be used to build a tunnel to the server. To connect a device my public key is stored on each device.
On the server the authorized_keys file, contains a simple command for that key (The script for allocation new keys by MACs).
The tunnel has to be done via -N
command="/home/tunnel/reverse_server/reverse_server.py",no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa <PUBLIC-KEY-FOR-ALL-DEVICES>
On the server the GatewayPorts no option should be configured in /etc/sshd/sshd_config, to avoid external port access.
Answered by jeb on December 31, 2020
Get help from others!
Recent Answers
Recent Questions
© 2024 TransWikia.com. All rights reserved. Sites we Love: PCI Database, UKBizDB, Menu Kuliner, Sharing RPP