Device access via a jumper server


Is there a way for Indeni to access devices via a jump server/jumpbox?


Indeni ----> jumpbox ----> device


From the Indeni server I can ssh to the jump server and then ssh to the devices. I also can create a script to access the devices via the jump server from the Indeni server. Can I integrate this script into the Indeni interrogation scripts? Or can I configure ssh passthrough or ssh tunneling between the Indeni server and the jumpbox? Has anyone done anything like this with Indeni?

I would think that this is possible, but you would need to configure a different port for each destination.

Something like

Indeni -> port 2222 -> jumpbox -> port 22 -> device1
Indeni -> port 2223 -> jumpbox -> port 22 -> device2

This should be possible using iptables or something similar to create a NAT which translates the port 2222 and IP of the jumpbox to port 22 and the IP of device1.

So where can I modify Indeni to allow for additional ssh parameters? To connect to the device via the jumpbox, Indeni will have to execute something like the following:


ssh -L 2222:device.net.com:22 user@jumpbox.net.com


I see where I can change the ssh port in Indeni, but where would I enter the jumpbox hostname and the password/username for the jumpbox?

I was curious about this, so I did some research: you can use iptables for this. It's installed on the Indeni VM too. I tried this:


indeni@indeni-server:~$ sudo iptables -t nat -A OUTPUT -p tcp --destination 1.1.1.1 --dport 22 -j DNAT --to-destination 192.168.197.36:22
indeni@indeni-server:~$ ssh 1.1.1.1
The authenticity of host '1.1.1.1 (1.1.1.1)' can't be established.
RSA key fingerprint is c9:9d:a6:a0:0b:b6:d5:07:3c:d1:eb:92:c0:a7:13:97.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '1.1.1.1' (RSA) to the list of known hosts.
indeni@1.1.1.1's password:
Last login: Wed Oct 4 17:19:47 2017 from 192.168.197.15
[Expert@lab-CP-GW1]# ifconfig eth0
eth0 Link encap:Ethernet HWaddr 00:50:56:90:EB:07
inet addr:192.168.197.36 Bcast:192.168.197.255 Mask:255.255.255.0
...


So in your case, you can add a line for each of the devices, alternating the destination IP (1.1.1.1 in my example above) and changing the port (the ":22" at the end). NOTE that some devices that Indeni connects to require more than just SSH - they may require HTTPS/443 too.

Also, this can be a bit of a hassle when adding devices. You'll need to add a line in iptables, matching ports in the jump server and then add it in the UI. This is something you can script though :)
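The port-per-device NAT scheme from the earlier reply, written up as a script (added here as an example, not code from the thread or from Indeni) that generates the rules for both hops, the Indeni server side shown in the session above and the jumpbox side that the session above does not cover, including a 443 mapping for devices that also need HTTPS. The jumpbox address and the device mapping are constructed values; run it with APPLY=1 as root to execute instead of print.

```shell
#!/bin/sh
# Added example, not from the thread: generate (or, with APPLY=1, execute) the
# iptables NAT rules for the port-per-device scheme, on both hops. The jumpbox
# address and the mapping below are constructed sample values.
JUMPBOX="192.168.197.15"          # hypothetical jump server address
# alias_ip  ssh_port  https_port  device_ip   (alias_ip is what you enter in Indeni)
MAPPING="
10.255.0.1 2222 2443 192.168.197.36
10.255.0.2 2223 2444 192.168.197.37
"
APPLY="${APPLY:-0}"               # 0 = print the commands, 1 = run them (needs root)

emit() { if [ "$APPLY" = 1 ]; then eval "$*"; else echo "$*"; fi; }

# Indeni server: DNAT alias_ip:22 and alias_ip:443 to the jumpbox ports assigned
# to that device, so Indeni can be given alias_ip as the device address
indeni_rules() {
  printf '%s\n' "$MAPPING" | while read -r aip sshp httpsp dev; do
    [ -n "$aip" ] || continue
    emit "iptables -t nat -A OUTPUT -p tcp -d $aip --dport 22 -j DNAT --to-destination $JUMPBOX:$sshp"
    emit "iptables -t nat -A OUTPUT -p tcp -d $aip --dport 443 -j DNAT --to-destination $JUMPBOX:$httpsp"
  done
}

# Jumpbox: forward each assigned port to the real device. MASQUERADE makes the
# device reply to the jumpbox even if its default route does not point there;
# FORWARD only admits these specific flows rather than opening forwarding broadly
jumpbox_rules() {
  emit "sysctl -w net.ipv4.ip_forward=1"
  printf '%s\n' "$MAPPING" | while read -r aip sshp httpsp dev; do
    [ -n "$aip" ] || continue
    for pair in "$sshp:22" "$httpsp:443"; do
      inport="${pair%%:*}"; svc="${pair##*:}"
      emit "iptables -t nat -A PREROUTING -p tcp --dport $inport -j DNAT --to-destination $dev:$svc"
      emit "iptables -A FORWARD -p tcp -d $dev --dport $svc -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT"
      emit "iptables -A FORWARD -p tcp -s $dev --sport $svc -m conntrack --ctstate ESTABLISHED -j ACCEPT"
      emit "iptables -t nat -A POSTROUTING -p tcp -d $dev --dport $svc -j MASQUERADE"
    done
  done
}

case "${1:-}" in
  indeni)  indeni_rules ;;    # sh jumpnat.sh indeni          (on the Indeni server)
  jumpbox) jumpbox_rules ;;   # APPLY=1 sh jumpnat.sh jumpbox (as root on the jumpbox)
esac
```

Adding a device is then one new MAPPING line plus a rerun on each box, and the alias IP goes into the Indeni UI with the normal port 22.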


I guess I am not totally following your example here. In the example are you going through the jump server to reach the device being managed? Of course, I know which box is the Indeni server. Is lab-CP-GW1 the jump server or the device being managed?

This is off topic. Deron, I noticed that you mentioned you can change the ssh port from Indeni. Can you share how? The only way I can think of is via iptables...