#1  08-16-2018, 11:33 AM  sfxdana (Registered User)
Need to use a Jump Host without port forwarding enabled

For security reasons we now have to use a jumphost with software installed to monitor all SSH sessions. (Using BYOD with a personal SecureCRT license.)

This means we are not able to use a SOCKS5 proxy (SecureCRT Firewall) or port forwarding (jumphost session with automatic port forwarding).

When using PuTTY the method below can be used. Very easy, but not the best way when you have something like SecureCRT (Linux).

======================

User Limitations

Activity from sessions on jumphosts can and will be monitored. So if you, from the jumphost, start a connection to another system, this will also be monitored.
Activity from sessions created through jumphosts cannot be monitored; therefore using jumphosts this way is no longer allowed. Instead of using the Linux jumphost as a SOCKS proxy, adjust your scripts to execute 'ssh <host>' after login.

Linux: ssh -t <user>@<jumphost> ssh <host>

===============================

But I don't see the -t option in global options -> Firewall.

"Force pseudo-terminal allocation. This can be used to execute arbitrary screen-based programs on a remote machine, which can be very useful, e.g. when implementing menu services. Multiple -t options force tty allocation, even if ssh has no local tty."

I started testing with scripts (Python), but that gives other problems, like needing different usernames for different hosts.

Furthermore, when using scripts I can't find a way to send the session password via Python scripting.

What would be nice is a firewall option that we can use in the SecureCRT session, and have it SSH into the jumphost and then open a new SSH session as configured in the session, forwarding the username and password over the jumphost session. Or the same functionality as with the firewall/jumphost session, but without the port forwarding/SOCKS.

Axel
#2  08-16-2018, 12:00 PM  jdev (VanDyke Technical Support)
Is there a reason why configuring SecureCRT's Logon Actions doesn't work well enough for you?
You can name the session whatever you want, so that it is easy enough to filter on in the Session Manager.

Creating a new session is a matter of following these steps:
  • Copy existing session that uses this approach (Session's hostname/IP is always the same; it's the jump host's name/IP)
  • Change the new session's name to match your secondary host name/addr
  • Edit the Logon Actions to modify the ssh user@host ... command so that the hostname is entered as the secondary host you want to get to.
  • Change other Expect/Send fields in the Logon Actions to match what you want to accomplish after connected to the jump host and subsequently after connecting to the secondary host, and so on.

Alternatively, you could put the 'ssh user@host...' command in the Remote command field so that it gets rexec'd; then your logon actions will all be specific to the secondary host (if the rexec was ever successful to begin with).

--Jake
__________________
Jake Devenport
VanDyke Software
Technical Support
YouTube Channel: https://www.youtube.com/vandykesoftware
Email: support@vandyke.com
Web: https://www.vandyke.com/support
#3  08-16-2018, 01:13 PM  sfxdana (Registered User)
Not really the way I was hoping for; it will work but is very time consuming to change all sessions to this. I was hoping for the firewall option.

Unless you are able to use the session name in this for the host. Then hopefully a one-time fix is possible with a few tweaks here and there. I need to manage about a thousand-plus hosts, so editing this by hand is not really an option for me.

Might as well start using an expect script and save myself the money. This should have been possible years ago.
#4  08-16-2018, 01:17 PM  sfxdana (Registered User)
How will this handle password changes every 1.5 months? Will it ask to update the password? Is it possible to set a default password that is sent when a password is asked for? Because changing the autologon items of 1000+ sessions every 1.5 months is definitely not an option.
#5  08-16-2018, 02:17 PM  jdev (VanDyke Technical Support)
Quote (originally posted by sfxdana):
> Not really the way I was hoping for; it will work but is very time consuming to change all sessions to this. I was hoping for the firewall option.
>
> Unless you are able to use the session name in this for the host. Then hopefully a one-time fix is possible with a few tweaks here and there. I need to manage about a thousand-plus hosts, so editing this by hand is not really an option for me.
>
> Might as well start using an expect script and save myself the money. This should have been possible years ago.
Sorry that SecureCRT is not meeting your expectations!

You mentioned that this is currently possible with Putty. What specific configuration are you using with putty that allows you to do what you want there? Is it the proxycommand feature?

--Jake
#6  08-16-2018, 06:31 PM  jdev (VanDyke Technical Support)
Quote (originally posted by sfxdana):
> How will this handle password changes every 1.5 months? Will it ask to update the password? Is it possible to set a default password that is sent when a password is asked for? Because changing the autologon items of 1000+ sessions every 1.5 months is definitely not an option.
I realize the configuration approach I'm about to describe doesn't come close to the desired behavior/functionality you have expressed, and I completely understand if you feel you need to move on to using a different product; I really don't want you to feel forced/coerced to do anything that would cause you frustration.

If we are able to implement feature(s) in SecureCRT that would match your requirements, we'll post here and let you know about it.

--Jake

---------------------------------------------------------------------
SecureCRT allows you to edit the properties of multiple sessions at once. See https://www.vandyke.com/support/tips/multisessions.html

When editing multiple sessions in bulk, the properties of the first session are shown in the Session Options window.

As you consider editing the Logon Actions portion of multiple sessions at once using this mechanism, the following is possible:
> IFF (if and only if):
>   1. All of the sessions have the exact same number of Expect/Send rows, and
>   2. You modify exactly one (and only one) value from either the Expect or the Send field, and
>   3. You are running SecureCRT 7.3 or newer (earlier versions of SecureCRT did not support this surgical logon actions modification capability),
> then that same value, if present in the other sessions, will also be changed without affecting the values of the other Logon Action rows.
>
> WARNING: In every other scenario (e.g. if you're running a version of SecureCRT pre 7.3, or if you change more than one token element of the Logon Actions field), the result will be that all of the sessions being edited will have their Logon Actions' rows (Expect/Send fields and all) set to match every component of the first session's Logon Actions (the one that is visible as you're editing Session Options - Multiple).
This means that if you have a password saved in a Send field, and that password is present in the Send fields of other sessions currently being edited, changing only that password field will result in that password being updated in all of the sessions, without any of the other Expect or Send field values being modified/lost.

This graphic represents the concept of n sessions being edited in bulk, and the 'ssh user@...' portion of the Logon Actions (the Send field in row 1 of each session) has a unique host name different for each session.
  • The first session has: ssh user@secondary_host1.
  • The 2nd session has: ssh user@secondary_host2.
  • The pattern continues with a different hostname in the Send field of the 1st row of each session being edited all the way until the nth session which has: ssh user@secondary_hostn as the target.
The idea is to modify only one Expect or Send field in one row and nothing else. If that is what you do when editing sessions in bulk, then all of the sessions will be modified such that whatever Send or Expect value you changed will have that same old value updated to the new value, and the remaining Logon Action rows and their Send/Expect fields will remain as-is.

This allows you to set things up once, and then with a bulk-edit operation as I've described, you can update your password every 1.5 months as saved in that row in which it exists in the Send field of each session's Logon Actions.

Note: As a point of caution, in the event that you're unsure of how this works, and in case you inadvertently modify two fields instead of one, it is advised that you consider adopting the habit of performing a Tools > Export Settings... prior to attempting such a change so that you can restore your Logon Actions if the bulk edit operation gets botched in error.

Attached image: SCRT_SessionOptions_LogonActions_EditMultipleBehavior.png

Last edited by jdev; 09-05-2018 at 06:31 PM. Reason: Add qualifications for multi-session surgical logon actions editing (it's only available in 7.3 and newer versions!)
#7  08-24-2018, 08:43 AM  sfxdana (Registered User)
OK, the option fixes the change-password problem. But that is the only thing this fixes.

I tried it your way in the hope I would be able to edit my sessions via bash scripting. But all logon scripts are encrypted, at least in Config.personal where logon scripts are added to the .ini.

So changing 1000+ settings by hand is not an option for me. Yes, you are able to change all sessions at the same time, but I need to change every session by hand to use the correct hostname for the "ssh user@hostname" line.

=======

OpenSSH has the option "ssh -t <user>@<jumphost> ssh <host>". This opens a pseudo terminal and gives you the output of the second ssh session.

Similar to the current Firewall/Session trick, but without the port forwarding.

For PuTTY there are options to create a wrapper script that first logs in to the jumphost and then sends a remote command.

But both don't have the functionality of SecureCRT (unfortunately only with port forwarding).

What I basically want to do is add a firewall/session that you can select under each session, where no port forwarding is used, but a logon-script type function is used without the logon script.

Set up sessions with the jumphost (configured as Firewall) and then send the command to ssh with the information in the selected session.

It is almost possible to do it with Python scripting, but you don't have the option to send a user/password stored in the SecureCRT vault of the current session. This is the only function I miss in the scripting API. If that were possible then all problems would be gone.

The logon script is almost usable, but editing 1000+ sessions by hand is not an option. And because of the encryption I am unable to script it.

But for now I will not renew if there isn't a solution for this.

As I said before, this should have been possible long ago.
#8  08-24-2018, 12:01 PM  jdev (VanDyke Technical Support)
Quote (originally posted by sfxdana):
> OpenSSH has the option "ssh -t <user>@<jumphost> ssh <host>". This opens a pseudo terminal and gives you the output of the second ssh session.
>
> Similar to the current Firewall/Session trick, but without the port forwarding.
Support for 'ssh -t' will not work the way you want it.

What you want is for SecureCRT to transparently connect you to the secondary host by executing a remote command through that host, somehow using a saved session's password to authenticate to that secondary host.

The fact is that SecureCRT's saved session passwords (as you currently have them configured) are only available for use by SecureCRT if SecureCRT is the one handling the SSH protocol negotiation with the SSH server.
SecureCRT could handle the username as part of the command (e.g. ssh -t %u@%h, where %u and %h are plugged in for you automatically based on the username and hostname of your saved session), but the handling of the password is a different story.

In your case -- because of the requirement to actually launch a third party ssh product on the jump host -- all protocol negotiation (key exchange, user auth, etc.) is done between the third party ssh client (being launched on the jump host) and the SSH server running on the secondary host.

What this means is that even if the "run ssh -t for me" capability had been added to SecureCRT long ago, it still wouldn't have helped you because SecureCRT would not have had the opportunity to supply the saved session's password needed for authentication between the jump host's 'ssh' client and the SSH2 service running on the secondary host. SecureCRT would still have to have provided some capability of waiting for a password prompt to come from the stdout of that remote process, send the password... then detect if that was successful/not (by looking for text evidence of failure)... followed by a prompt for you to enter another password, rinse and repeat until ultimately successful or the entire attempt was a failure). This doesn't even account for the interaction that would be required in order to present you with the...
"The authenticity of host 'w.x.y.z (w.x.y.z)' can't be established.
RSA key fingerprint is SHA256:blahblahblahblahblah.
Are you sure you want to continue connecting (yes/no)?"
... prompt which further complicates any implementation aimed at automating this interaction on your behalf.

As you can see, this isn't a simple or trivial undertaking. It is fraught with even more complexities associated with things like a) What if the jump host's ssh client doesn't reply in the way that I expect? b) What if the jump host's ssh client isn't able to reach the secondary ssh host?, c) What if there is no ssh program on the jump host?, d) What if the saved session doesn't even do password auth... what if it's public key (this would be impossible, by the way), and so on -- all examples of situations that could not be handled with protocol-level responses, message codes, etc. Instead, assumptions would need to be made which would inevitably break at some point.

Quote (originally posted by sfxdana):
> As I said before, this should have been possible long ago.
I am not sure really how to address your point in light of this being the first time I'm aware of that you've requested this functionality... We can't go back in time to implement it for you (someone hasn't implemented that feature for us yet).

I have added a feature request on your behalf for the ability to "drive" a connection so that a saved session might be shoveled through another connection's remote execute stdin/stdout/stderr streams with a series of expect/send routines (built-in so that you wouldn't have to define them manually for each host) that would help you specifically in this type of scenario. While I am not in a position to say when, if ever, such a feature would be implemented, if a future version of SecureCRT were to become available that provides this functionality that you're looking for, we'll post news of it here. If you'd like to have email notification, you can send a quick email message to support@vandyke.com with a subject of "Notification request: Gateway shell driver firewall support like forum thread #13221.8"


I've also added a request on your behalf for the ability to programmatically define Logon Actions' Expect/Send sequences since that is the current point of pain for you and others facing a similar jump-host-doesn't-support-port-forwarding scenario. As with the other request I've added for you, I cannot guarantee when, if ever, this would be implemented, and I'm really sorry that SecureCRT doesn't meet your needs right now. If we are able to implement this feature, we'll post here in this forum. Same goes for this feature, if you or other forum readers would like personal email notification of this functionality, you can send an email message to support@vandyke.com with a subject of "Notification request: Ability to programmatically set Logon Actions described in forum thread #13221.8"

Update: Here's a workaround idea that just came to mind:
Imagine a script which does the following as it iterates over all of your existing saved sessions:
  1. Checks the Firewall Name setting to see if this session uses another session. If not, we ignore the session and move on to the next session.
  2. If the current session uses a Firewall Name defined as another session, read in the Hostname from the firewall session and stash it in a strJumpHostName variable. Alternatively, if you only have one jump host, you could prompt for this at the beginning of the script or hard code it.
  3. Sets the current session's Firewall Name setting to None.
  4. Reads the current session's "Hostname" setting, storing the value in strHostname.
  5. Reads the current session's "Username" setting, storing the value in strUsername.
  6. Sets the current session's "Hostname" setting to the value stored in strJumpHostName
  7. Sets the current session's "Use Shell Command" D: value to: 00000001
  8. Sets the current session's "Shell Command" S: value to: ssh -t <value-of:$strUsername>@<value-of:$strHostname>
Once all the sessions have been modified as described above, then you'd edit the Default Session and:
  1. Set the saved password to be the one for the jump host (SSH2 category, then in Authentications list, select Password, then press the Properties... button.)
  2. Change the Logon Actions to be one single Expect/Send entry/row that has the:
    1. Expect field set to: ssword:
    2. Send field set to: <Secondary_host's_user-specific_password>
  3. Apply the change to all sessions
With this as your setup, you'd be in a position where you would be able to programmatically change your 1000+ sessions, and since your Logon Actions has only one entry which happens to be the same for all of your sessions (except the Jump Host session, where you would disable the "Automate logon" option), when the password changes for the secondary hosts, you'd simply edit the Default session and make the change to the Send field in the Logon Actions to update all of your sessions at once.
--Jake
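As an added example (not VanDyke's code, and not something posted in this thread), the following Python applies steps 1-8 of the workaround above to one saved session at a time. It assumes SecureCRT keeps session settings as plain-text `S:"Key"=value` / `D:"Key"=hex` lines and encodes a session-type firewall as `Firewall Name`=`Session:<name>`; the sample session text and host names are constructed for the demo.

```python
import re

# SecureCRT stores a session as lines of the form S:"Key"=string or D:"Key"=8-hex-digit dword
# (assumed layout, as is "Firewall Name"=Session:<name> for a session-type firewall).
SESSION_FIREWALL_PREFIX = "Session:"
# Only plain host/user tokens may be spliced into the remote command, so an odd character
# in a session setting can never turn into extra shell syntax on the jump host.
SAFE_TOKEN_RE = re.compile(r"^[A-Za-z0-9._-]+$")

def get_setting(ini_text, key):
    """Return the value of the first S:/D: line for key, or None if absent."""
    m = re.search(r'^[SD]:"%s"=(.*)$' % re.escape(key), ini_text, re.M)
    return m.group(1) if m else None

def set_setting(ini_text, type_char, key, value):
    """Rewrite the S:/D: line for key in place, or append one if the key is absent."""
    pattern = re.compile(r'^[SD]:"%s"=.*$' % re.escape(key), re.M)
    new_line = '%s:"%s"=%s' % (type_char, key, value)
    if pattern.search(ini_text):
        return pattern.sub(lambda _m: new_line, ini_text, count=1)
    return ini_text.rstrip("\n") + "\n" + new_line + "\n"

def convert_session(ini_text, resolve_jump_host):
    """Apply steps 1-8 of the workaround to one session's ini text.

    resolve_jump_host(firewall_session_name) returns that firewall session's Hostname
    (step 2). Returns (new_text, converted); sessions without a session-type firewall
    come back unchanged. Credentials are left alone: the workaround keeps them in the
    Default Session's Logon Actions, not in each session file.
    """
    firewall = get_setting(ini_text, "Firewall Name")
    if not firewall or not firewall.startswith(SESSION_FIREWALL_PREFIX):
        return ini_text, False                                      # step 1: skip
    jump_host = resolve_jump_host(firewall[len(SESSION_FIREWALL_PREFIX):])  # step 2
    hostname = get_setting(ini_text, "Hostname")                    # step 4
    username = get_setting(ini_text, "Username")                    # step 5
    for token in (jump_host, hostname, username):
        if not token or not SAFE_TOKEN_RE.match(token):
            raise ValueError("refusing to build a remote command from %r" % (token,))
    text = set_setting(ini_text, "S", "Firewall Name", "None")      # step 3
    text = set_setting(text, "S", "Hostname", jump_host)            # step 6
    text = set_setting(text, "D", "Use Shell Command", "00000001")  # step 7
    text = set_setting(text, "S", "Shell Command",
                       "ssh -t %s@%s" % (username, hostname))       # step 8
    return text, True

# Constructed sample session routed through a firewall session named "jumphost".
SAMPLE_SESSION = (
    'S:"Hostname"=router01.example.internal\n'
    'S:"Username"=netops\n'
    'D:"Port"=00000016\n'
    'S:"Firewall Name"=Session:jumphost\n'
    'D:"Use Shell Command"=00000000\n'
    'S:"Shell Command"=\n'
)
SAMPLE_JUMP_HOSTS = {"jumphost": "jump.example.internal"}  # firewall session -> its Hostname

def demo():
    """Convert the sample and return (new_text, converted)."""
    return convert_session(SAMPLE_SESSION, SAMPLE_JUMP_HOSTS.__getitem__)

if __name__ == "__main__":
    print(demo()[0])
```

To run it over a Sessions directory, read each .ini (skipping Default.ini and the jump-host session itself), call convert_session, and write the file back only when converted is True.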
#9  08-30-2018, 01:41 PM  arana (Registered User)
I followed the suggested method but am not getting the results described in your post. I am only trying to update the row with the password in the Logon Actions, but when I go back to look at the individual session properties I notice that my 1st row with the ssh command (which should be different for every session) has all changed to the same value. FYI, I only have two values in my Logon Actions for all my sessions.
I am using version 7.1.3.

Last edited by jdev; 09-05-2018 at 05:56 PM. Reason: Complete link to image for clarity
#10  08-30-2018, 02:48 PM  bgagnon (VanDyke Technical Support)
Hi arana,

I am sorry to hear that. I hope you backed up your sessions first. See this tip.

Quote (originally posted by arana):
> FYI, I only have two values in my Logon Actions for all my sessions.
And was the field you were changing (I assume password) the same in all those sessions?

Version 7.1.3 is pretty old. The search and replace could have been handled differently than it is in the current version. Please check your upgrade eligibility here.

I would like to try to replicate your results though, so please list the explicit steps you have followed (without exposing any sensitive data).

Or, if you want to be more specific, send the info via email to support@vandyke.com (include "Attn Brenda - Forum Thread #13221" in the subject line).
__________________
Thanks,
--Brenda

VanDyke Software
Technical Support
support@vandyke.com
(505) 332-5730