Sshmuxd: SSH proxy to replace jump hosts

108 points by Spiritus, over 9 years ago

13 comments

jamiesonbecker, over 9 years ago

Jumpboxes aren't that bad to automate, actually.

We already help with automating jumpbox creation (docs: https://userify.com/docs/tips/jumpbox/) and we're building even more jumpbox automation now. Don't allow root for any jumpbox accounts, but of course root escalation exploits abound. (I just found another in an AWS agent yesterday.)

Of course, as another commenter mentioned, if your jumpbox is compromised, then the jumpbox could serve as a gateway to your network. It's a tradeoff between exposing all of your servers to inbound SSH or only one.

There's another way, which is pure TCP forwarding on a different port for each server (i.e. 21321 -> inner server 22), but whether this actually reduces the attack surface is debatable, since the totality of open ports remains the same across the entire network.

My personal feeling is that using a jumpbox and locking it down (preferably to your company's IP ranges, etc.) is the best way to go. You can also add MFA to the jumpbox entry point itself. We're going to help with automating all of that in the near future, too.

(disclaimer: CTO @Userify)
daurnimator, over 9 years ago

> sshmux, and by extension, sshmuxd, can only forward normal sessions (ssh'ing directly to sshmuxd without a ProxyCommand) if agent forwarding is enabled.

This is very dangerous.

With the average setup, anyone with root access on the middle box can borrow the ssh key of any user connecting through it.

See http://unixwiz.net/techtips/ssh-agent-forwarding.html#sec for more info.
Galanwe, over 9 years ago

I don't really understand what this is supposed to be useful for. Relying on some random software to secure your ssh entry point, instead of a proper Linux configuration, seems like a risky tradeoff.
Daviey, over 9 years ago

Increasingly I am using sshuttle[0] to solve this problem. When you have lots of machines, ProxyCommand'ing always feels like such a burden.

[0] https://github.com/apenwarr/sshuttle
erikb, over 9 years ago

Why not simply configure your ssh correctly?
tokenizerrr, over 9 years ago

Does this support SFTP? What about Windows users that use FileZilla and don't have an .ssh/config?
thomashabets2, over 9 years ago

https://blog.habets.se/2014/06/Another-way-to-protect-your-SSH-keys

Seems like the same thing. Even written in Go, too.
j_s, over 9 years ago

I've used a similar setup to wrap RDP to allow employees to securely remotely access their office desktop. There is a market for someone willing to make this a turn-key replacement for Terminal Services.
VLM, over 9 years ago

Probably 15 years ago I did something similar at an overall system level with a program called pdmenu, which provided a jump host menu for semi-technical users. The technical details of course are entirely different, but it did the same general thing: presenting individual users with custom-tailored prompts to log into various systems (and a few other tasks, and logging, etc.). pdmenu had (has?) a great menu CLI for end users.
wila, over 9 years ago

Looked at the code, it is nice and short.

However, I'm not that familiar with Go, so I might be overlooking something. Is there any logging included on who connected at what time from what IP?
zippie, over 9 years ago

This is nice, but the agent forwarding is a legitimate concern, especially because a compromised host can take off with the private keys which are used while beginning the session. Most private keys are used for more than connecting to a single host.

In our setup we use jailkit, allowing only ssh passthrough [1]; we have added LDAP support to it (may release the patch later).

[1] http://olivier.sessink.nl/jailkit/howtos_ssh_only.html
zobzu, over 9 years ago

It's nice.. That said, one of the real issues is getting people to use -W ;)
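As an added example (not code from the post, the project's README or sshmuxd itself), here is the agent-forwarding pattern daurnimator warns about beside the `ssh -W` ProxyCommand approach zobzu alludes to, plus a small lint that flags `ForwardAgent yes` in a client config; the `jump` and `inner-*` host names are constructed placeholders.

```shell
#!/bin/sh
# Constructed client-side ssh_config fragments; "jump" and "inner-*" are
# placeholder names, not hosts from the thread.

# Weak pattern: the agent is forwarded to the jump host and the user hops from
# there ("ssh jump", then "ssh inner-01"). While that session is open, root on
# the jump host can use the forwarded agent socket to authenticate as the user.
weak_config() {
  cat <<'EOF'
Host jump
    HostName jump.example.com
    ForwardAgent yes
EOF
}

# Hardened pattern: the jump host only relays TCP ("ssh -W host:port"); the
# inner host authenticates against the user's local agent or key directly and
# no agent socket ever exists on the jump host. ProxyJump is the newer
# shorthand for the same ProxyCommand.
hardened_config() {
  cat <<'EOF'
Host jump
    HostName jump.example.com
    ForwardAgent no

Host inner-*
    ProxyCommand ssh -W %h:%p jump
    ForwardAgent no
EOF
}

# Lint: print the name of every Host stanza that turns agent forwarding on.
# Keywords are case-insensitive; only the first pattern of a multi-pattern
# "Host" line is reported.
list_forward_agent_hosts() {
  awk '
    tolower($1) == "host" { host = $2 }
    tolower($1) == "forwardagent" && tolower($2) == "yes" { print host }
  ' "$1"
}

# Stand-alone run ("sh this_script.sh demo"): lint both fragments.
if [ "${1:-}" = "demo" ]; then
  weak_config > /tmp/weak.cfg; hardened_config > /tmp/hardened.cfg
  echo "weak:";     list_forward_agent_hosts /tmp/weak.cfg
  echo "hardened:"; list_forward_agent_hosts /tmp/hardened.cfg
fi
```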
james_woods, over 9 years ago

Why not simply use a VPN?