Device access via a jumper server

Deron_Ringen · September 27, 2017, 1:16am

Is there a way to for Indeni to access devices via a jump server/jumpbox?

Indeni ----> jumpbox ----> device

From the Indeni server I can ssh to the jump server and then ssh to the devices. I also can create a script to access the devices via the jump server from the Indeni server. Can I integrate this script into the Indeni interrogation scripts? Or can I configure ssh passthrough or ssh tunneling between the Indeni server and the jumpbox? Has anyone done anything like this with Indeni?

Johnathan_Browall_No · September 27, 2017, 6:44pm

I would think that this is possible, but you would need to configure a different port for each destination.

Something like

Indeni -> port 2222 -> jumpbox -> port22 > device1
Indeni -> port 2223 -> jumpbox -> port 22 -> device2

This should be possible using iptables or something similar to create a NAT which translates the port 2222 and IP of the jumpbox to port 22 and the IP of device1.

Deron_Ringen · September 28, 2017, 10:47pm

So where can I modify Indeni to allow for additional ssh parameters. To connect to the device, via the jumpbox, Indeni will have to execute something like the following:

ssh -L 2222:device.net.com:22 [email protected]

I see where I can change the ssh port in Indeni, but where would I enter the jumpbox hostname and the password/username for the jumpbox.

Yoni_Leitersdorf · October 4, 2017, 6:21pm

I was curious about this so I did some research, you can use iptables for this. It's installed on the Indeni VM too. I tried this:

indeni@indeni-server:~$ sudo iptables -t nat -A OUTPUT -p tcp --destination 1.1.1.1 --dport 22 -j DNAT --to-destination 192.168.197.36:22
indeni@indeni-server:~$ ssh 1.1.1.1
The authenticity of host '1.1.1.1 (1.1.1.1)' can't be established.
RSA key fingerprint is c9:9d:a6:a0:0b:b6:d5:07:3c:d1:eb:92:c0:a7:13:97.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '1.1.1.1' (RSA) to the list of known hosts.
[email protected]'s password:
Last login: Wed Oct 4 17:19:47 2017 from 192.168.197.15
[Expert@lab-CP-GW1]# ifconfig eth0
eth0 Link encap:Ethernet HWaddr 00:50:56:90:EB:07
inet addr:192.168.197.36 Bcast:192.168.197.255 Mask:255.255.255.0
...

So in your case, you can add a line for each of the devices, alternating the destination IP (1.1.1.1 in my example above) and changing the port (the ":22" at the end). NOTE that some devices that Indeni connects to require more than just SSH - they may require HTTTPS/443 too.

Also, this can be a bit of a hassle when adding devices. You'll need to add a line in iptables, matching ports in the jump server and then add it in the UI. This is something you can script though :)

Deron_Ringen · October 5, 2017, 11:18pm

I guess I am not totally following your example here. In the example are you going through the jump server to reach the device being managed? Of course, I know which box is the Indeni server. Is lab-CP-GW1 the jump server or the device being managed?

JZ1 · October 6, 2017, 3:35pm

This is off the topic. Deron, I noticed that you mentioned you can change the ssh port from indeni. Can you share how? The only way I can think of is via iptable...