I am having a server in a corporate data centre who's sys admin is me. There are some virtual machines running on it.The main server is accessible from internet via SSH. There are some people who within the lan access the virtual machines whose IPs on LAN are
192.168.1.1
192.168.1.2
192.168.1.3
192.168.1.4
the main machine which is a bastion host for internet has IP 192.168.1.50 and only I have access to it. I have to give people on internet the access to the internal machines whose IP I mentioned above.I know tunnel is a good way but the people are fairly non technical and do not want to get into a tunnel etc jargons.So I came across a solution as explained on this link On the gateway machine which is 192.168.1.50 in the .ssh/config file I add following
Host securehost.example.com
ProxyCommand ssh [email protected] nc %h %p
Now my question is do I need to create separate accounts on the bastion host (gateway) to those users who can SSH to the inside machines and in each of the users .ssh/config I need to make the above entry or where exactly I put the .ssh/config on the gateway.
Also ssh [email protected]
where user1 exists only on inside machine 192.168.1.1 and not on the gateway is that right syntax? Because the internal machines are accessilbe to outside world as
site1.example.com
site2.example.com
site3.example.com
site4.example.com
But SSH is only for example.com and only one user.So
How should I go for .ssh/config
1) What is the correct syntax for ProxyCommand on gateway's .ssh/config
should I use
ProxyCommand ssh [email protected] nc %h %p
or I should use
ProxyCommand ssh [email protected] in nc %h %p
2) Should I create new user accounts on gateway or adding them in AllowedUsers on ssh_config is sufficient?
The ProxyCommand directive has to be specified on the client machine, not the gateway machine, which is going to make it more complicated for your users. Basically from the client side you are saying ssh [email protected] using [email protected] as a proxy.
Each user will need to have an ssh account, but it can be a shared account as the "proxied username" is still specified on the client side.