Open
Labels: documentation (Improvements or additions to documentation)
Description
Change Type: Addition
Area: Functionality/features
Proposed Changes
Since neither suzieq nor asyncssh supports multiplexing SSH sessions, I've found a way to do it.
I'll try to put all the configuration needed here so it works for other interested people.
- You need to have an ssh config file with the `DynamicForward` and `ProxyCommand` options:

  ```
  # Jump server: opens a local SOCKS listener on 127.0.0.1:2226
  host jumpserver
    IdentityFile /home/suzieq/parquet/ssh_cred_conf/id_rsa
    IdentitiesOnly yes
    user your_username
    hostname IP_of_your_jumpserver
    Protocol 2
    Port 22
    StrictHostKeyChecking no
    DynamicForward 127.0.0.1:2226
  # Every other host: connect through the SOCKS5 listener with netcat
  host * !jumpserver
    Protocol 2
    StrictHostKeyChecking no
    ProxyCommand nc -X 5 -x 127.0.0.1:2226 %h %p
  ```
- You need the netcat openbsd binary.
  If you use the official docker image of suzieq, you need to create a custom image:

  ```
  FROM ddutt/suzieq:0.19.1
  USER root
  RUN apt-get update \
      && apt-get install -y \
      netcat-openbsd
  USER suzieq
  ```
- When starting the poller, you need to provide the ssh config file with the `--ssh-config-file` option.
- As we are opening a proxy socks session to the jumphost, we have to do it "manually" (= not via python).
  If you use the official docker image of suzieq, you can add an `entrypoint.sh` file which starts the jumpserver session and then starts `suzieq`:

  entrypoint.sh

  ```
  #!/bin/bash
  # Open the SOCKS session to the jump server in the background (-N: no remote command)
  ssh jumpserver -F /home/suzieq/parquet/ssh_cred_conf/config -N &
  # Start the poller; $1 is the inventory file
  sq-poller --no-coalescer -I "$1" -c parquet/suzieq.cfg.yml --ssh-config-file /home/suzieq/parquet/ssh_cred_conf/config
  ```
- Don't use the jumpserver option in the `suzieq` inventory.
  Sufficient config:

  ```
  devices:
    - name: devices-without-jump-hosts
      transport: ssh
      ignore-known-hosts: true
      port: 22
  ```
- PR Postpone ssh config parsing file when connecting to device for doing … #812 should be merged
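
A consistency check for the ssh config above, as an added example that is not part of the original issue or of suzieq: it confirms that the `DynamicForward` listener is bound to 127.0.0.1 (so the SOCKS proxy is not reachable from other hosts) and that `nc -x` in the `ProxyCommand` points at the same address. The function names and the trimmed sample config are constructed for illustration, and only space-separated `Keyword value` lines with IPv4 addresses are handled.

```shell
#!/bin/sh
# Added example: lint the SOCKS settings of an ssh config like the one above.
# Assumption: directives use the space-separated "Keyword value" form.

# Address of the first DynamicForward; a bare port is treated as loopback
# (the ssh default while GatewayPorts is off).
socks_listener() {
    awk 'tolower($1) == "dynamicforward" {
             if ($2 !~ /:/) $2 = "127.0.0.1:" $2
             print $2; exit }' "$1"
}

# Address passed to nc -x in the first ProxyCommand directive.
proxy_target() {
    awk 'tolower($1) == "proxycommand" {
             for (i = 2; i < NF; i++) if ($i == "-x") { print $(i + 1); exit } }' "$1"
}

# Return 0 if the listener is on 127.0.0.1 and matches the nc -x address.
check_socks_config() {
    listener=$(socks_listener "$1")
    target=$(proxy_target "$1")
    if [ -z "$listener" ] || [ -z "$target" ]; then
        echo "missing DynamicForward or ProxyCommand -x" >&2; return 1
    fi
    case "$listener" in
        127.0.0.1:*) ;;
        *) echo "SOCKS listener $listener is not bound to 127.0.0.1" >&2; return 1 ;;
    esac
    if [ "$listener" != "$target" ]; then
        echo "DynamicForward $listener != nc -x $target" >&2; return 1
    fi
    echo "ok: SOCKS proxy on $listener"
}

# Constructed sample: the SOCKS-related lines of the config from the issue.
sample=$(mktemp)
cat > "$sample" <<'EOF'
host jumpserver
  hostname IP_of_your_jumpserver
  DynamicForward 127.0.0.1:2226
host * !jumpserver
  ProxyCommand nc -X 5 -x 127.0.0.1:2226 %h %p
EOF
check_socks_config "$sample"
```
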