SSH Bastion host with Security Key

Overview

An SSH bastion host is a special purpose hardened SSH proxy designed to allow access to remote infrastructure via the SSH protocol. The bastion host is a single entry point into the network and is a security best practice deployed to strengthen security controls. This guide will show you how to configure an SSH bastion host that allows you to transparently jump to any machine on the internal network by connecting to the external IP address of the bastion host. It is a tutorial on how to use a Yubikey and PKI to authenticate transparently through a bastion host to any target host in a remote network. The bastion host does not store private keys; it only stores the public key of your workstation. Successful authentication will require a private certificate on your workstation that matches the public certificate on the bastion host, a Yubikey, and physically touching the Yubikey to complete the process.

The benefits of this configuration are:

  • Single, hardened encrypted point of entry into remote network via SSH

  • Single point of entry to protect and monitor access

  • No storage of private keys on bastion host

  • Private keys on workstation are useless without the security token (Yubikey)

In this tutorial, I will be using Ubuntu 20.04 LTS as my workstation and a Yubikey 5 NFC. The first step is to install OpenSSH 8.2 on your workstation. The best option is to install from source.

On your Ubuntu workstation complete the following steps:

1. Install dependencies:

sudo apt update
sudo apt install build-essential
sudo apt-add-repository ppa:yubico/stable
sudo apt update
sudo apt install libz-dev libcurl4-openssl-dev libssl-dev libcbor-dev libfido2-dev

2. Set up a working directory

mkdir openssh-8
cd openssh-8

3. Download the OpenSSH 8.2 package.

wget http://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-8.2p1.tar.gz
tar xvzf openssh-8.2p1.tar.gz
cd openssh-8.2p1

4. Install OpenSSH 8.2 with security key support.

./configure --with-security-key-builtin
make
sudo make install

5. Verify the install

ssh -V

The output should be similar to the following:

OpenSSH_8.2p1, OpenSSL 1.1.1f  31 Mar 2020

6. Run the ssh-keygen command with the -t ecdsa-sk flag. Enter a passphrase when prompted.

ssh-keygen -t ecdsa-sk

The output should resemble the following.

Generating public/private ecdsa-sk key pair.
You may need to touch your authenticator to authorize key generation.
Enter file in which to save the key (/home/$USER/.ssh/id_ecdsa_sk):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/$USER/.ssh/id_ecdsa_sk
Your public key has been saved in /home/$USER/.ssh/id_ecdsa_sk.pub
The key fingerprint is:
SHA256:esvq6KPZ5FGttkaYUUeUcf/Oo0hhsRAaB6NKN48kkeo ubuntu-17-02-2020-4432343
The key's randomart image is:
+-[ECDSA-SK 256]--+
|  ..  ++*o.      |
|  .. ..=oo .     |
| .o =.... . .    |
|.. =.+ . . o .   |
|. . .+o S +   .  |
| E  o..o . . o   |
|    o.+ . .   +  |
|   =.+.+ o . . . |
|  oo=++.o . .    |
+----[SHA256]-----+

7. Copy the contents of id_ecdsa_sk.pub to the bastion host and target host. Add the contents to the authorized_keys file in the ~/.ssh directory. You can use the ssh-copy-id command to accomplish this.

ssh-copy-id user@<IP address of bastion host>
ssh-copy-id user@<IP address of target host>

8. Insert the Yubikey into your workstation and SSH to your target host using the following command.

ssh -J user@<external IP of bastion host> user@<internal IP of target host>

9. In order for the authentication process to complete, you will have to touch the Yubikey twice. The SSH tunnel will first be established with the bastion host and then transparently forwarded to the target host. You will have to touch the Yubikey when the connection is authenticated with the bastion host and then a second time when the connection is forwarded from the bastion host to the target host.
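As an added example that is not part of the original tutorial, the following POSIX shell helpers wrap steps 7 to 9 above: one emits an ~/.ssh/config fragment so that "ssh target" jumps through the bastion with only the ecdsa-sk identity, and one audits an authorized_keys file on the bastion and flags any entry that is not a security-key (sk-) type, which is how you confirm that the "no private keys on the bastion, Yubikey required" property actually holds. All host names, addresses and key blobs are constructed placeholders.

```shell
# Added example, not the tutorial's own code: helpers for the bastion pattern above.
# Host names, addresses and key blobs are constructed placeholders, not real values.
# ~/.ssh/config fragment so "ssh target" jumps through the bastion using only the
# ecdsa-sk identity (IdentitiesOnly stops ssh offering other workstation keys).
# Usage: sk_config_fragment USER BASTION_EXTERNAL_IP TARGET_INTERNAL_IP IDENTITY_FILE
sk_config_fragment() {
  cat <<EOF
Host bastion
    HostName $2
    User $1
    IdentityFile $4
    IdentitiesOnly yes
Host target
    HostName $3
    User $1
    IdentityFile $4
    IdentitiesOnly yes
    ProxyJump bastion
EOF
}

# 0 when an authorized_keys line carries a FIDO security-key type (sk-*), even
# behind key options such as "no-pty"; 1 otherwise.
is_sk_key_line() {
  printf '%s\n' "$1" |
    grep -qE '(^|[[:space:]])sk-(ecdsa-sha2-nistp256|ssh-ed25519)@openssh\.com[[:space:]]'
}

# Audit a bastion authorized_keys file: report every key that is NOT hardware-backed
# on stderr and print the count on stdout (0 means only sk keys are present).
audit_authorized_keys() {
  bad=0
  while IFS= read -r line; do
    case $line in ''|'#'*) continue ;; esac   # skip blank and comment lines
    if ! is_sk_key_line "$line"; then
      printf 'non-sk key: %s\n' "$line" >&2
      bad=$((bad + 1))
    fi
  done < "$1"
  echo "$bad"
}

# Constructed sample authorized_keys; the key blobs are placeholders, not real keys.
write_sample_authorized_keys() {
  cat > "$1" <<'EOF'
# bastion authorized_keys
ssh-ed25519 AAAAC3PLACEHOLDERNOTAREALKEY alice@laptop-softkey
no-pty,no-agent-forwarding sk-ecdsa-sha2-nistp256@openssh.com AAAAPLACEHOLDER alice@yubikey-primary
sk-ssh-ed25519@openssh.com AAAAPLACEHOLDER alice@yubikey-backup
EOF
}
```

Run the audit against the real file on the bastion (e.g. `audit_authorized_keys ~/.ssh/authorized_keys`) after step 7; a non-zero count means a software-only key is still accepted there.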

Other considerations:

  • The ONLY service running on your bastion host should be SSH

  • Block ICMP traffic from all IPs.

  • The firewall should be configured to only accept connections from the source address of your home or office. Do not allow SSH to be accessible to everyone.

  • Configure TWO Yubikeys. The first should be your primary for every day use. The second one should be used as a backup key just in case you lose your primary key. There is no identifying information on the Yubikey. If you lose your key and someone finds it, they wouldn't know what services it's tied to. In this case the private certificate is also needed, so the key alone is useless.

Vic Martinez is an Engineering Manager with over 20 years experience in technology and networking. He earned his degree in Electrical Engineering and is passionate about developing high-performance teams, Blockchain, Cardano, Cardano Staking, and Cyber Security. Vic owns and operates Sparta Stake Pool which has the pool ticker SPRTA. You can find out more about Sparta Stake Pool at https://spartasp.com.
