Creating and Testing Secrets for Jumpbox Routes

Overview

This topic shows how to create secrets used for jump server routes by way of an extended example.

Please see Best Practices for Jumpbox Routes for creating hardened jump servers for use in jump server routes.

We use the following scenario:

A target Ubuntu host is only reachable through an SSH ProxyJump chain. The sequence is Secret Server to bastion01.thycotic.com to bastion02.thycotic.com to remote-hostname.thycotic.com, the target Ubuntu host.

As suggested in the Bastion Design Best Practices guide:

  • Both bastion hosts 01 and 02 have changed their default SSH ports for all incoming connections to 2222 and 3333, respectively.

  • Both use a single jump user, betty on bastion01 and wilma on bastion02.

  • Both users have SSH public key authentication enabled and have a /home/<username>/.ssh/authorized_keys file storing all the public keys.

You can connect to the target server without Secret Server from any SSH client using the following command, with the built-in SSH ProxyJump option (-J) and the aliases defined below. The jump hosts are listed comma-separated with no spaces; a space ends the -J argument, so the second alias would be taken as the destination instead of a hop:

$ ssh -J <jumpbox1>,<jumpbox2> <remote-host-target>

...with local ~/.ssh/config aliases configured this way:

### First Jumpbox
Host jumpbox1
  HostName bastion01.thycotic.com
  Port 2222
  User betty
  IdentityFile /home/betty/.ssh/jumpbox1_ssh_rsa

### Second Jumpbox
Host jumpbox2
  HostName bastion02.thycotic.com
  Port 3333
  User wilma
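As an added example (not code from the Secret Server documentation), the script below parses ssh_config aliases like the ones above, builds the comma-joined -J chain from them, and reports any hop that lacks a HostName, Port or User, which is the check worth running before a route is copied into Secret Server levels. The embedded config is a constructed copy of the page's aliases with the User wilma line the scenario describes for bastion02 included.

```python
# Added example, not Secret Server code: parse the ~/.ssh/config aliases
# above, build the comma-joined -J chain, and flag hops that are incomplete.

# Constructed sample: the page's two aliases plus the User wilma line the
# scenario describes for bastion02.
SAMPLE_CONFIG = """\
### First Jumpbox
Host jumpbox1
  HostName bastion01.thycotic.com
  Port 2222
  User betty
  IdentityFile /home/betty/.ssh/jumpbox1_ssh_rsa

### Second Jumpbox
Host jumpbox2
  HostName bastion02.thycotic.com
  Port 3333
  User wilma
"""
REQUIRED = ("hostname", "port", "user")  # every hop must define these

def parse_ssh_config(text):
    """Return {alias: {keyword: value}}; keywords lower-cased, comments skipped."""
    hosts, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        if key.lower() == "host":
            current = hosts.setdefault(value.strip(), {})
        elif current is not None:
            current[key.lower()] = value.strip()
    return hosts

def build_jump_chain(hosts, aliases):
    """Return (jump_arg, problems). The -J value is comma-joined with no
    spaces: a space ends the option, so the next alias would become the
    destination instead of a hop (the bug in 'ssh -J a, b target')."""
    hops, problems = [], []
    for alias in aliases:
        h = hosts.get(alias, {})
        missing = [k for k in REQUIRED if k not in h]
        if missing:
            problems.append(f"{alias}: missing {', '.join(missing)}")
            continue
        hops.append(f"{h['user']}@{h['hostname']}:{h['port']}")
    return ",".join(hops), problems
```

The returned chain is the exact -J argument; a non-empty problems list means a level is missing the user or port that Secret Server will need for that hop.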

To replicate this jump scenario using Secret Server, we need to create three new secrets and a new jumpbox route, and then assign that route to the target secret. Once that is done, launching the remote-host-target secret is as simple as clicking the PuTTY launcher icon—the jumpbox route is automatically set up for you.

Task 1: Creating Jumpbox and Target Host Secrets

All three connections require SSH public key authentication.

  1. Create a new secret based on the Unix Account (SSH Key Rotation) template with these particulars:

    • Secret name: bastion01
    • Machine: bastion01.thycotic.com
    • Username: betty
  2. Upload or generate the private/public key pair. Set a passphrase if necessary.

  3. If the key pair is generated, save the public key on the secret to the user’s /home/betty/.ssh/authorized_keys file on the jumpbox.

  4. Create a second new secret also based on the Unix Account (SSH Key Rotation) template with these particulars:

    • Secret name: bastion02
    • Machine: bastion02.thycotic.com
    • Username: wilma
  5. Upload or generate the private/public key pair. Set a passphrase if necessary.

  6. If the key pair is generated, save the public key on the secret to the user’s /home/wilma/.ssh/authorized_keys file on the jumpbox.

  7. Create a third new secret also based on the Unix Account (SSH Key Rotation) template with these particulars:

    • Secret name: remote-host-target
    • Machine: remote-hostname.thycotic.com
    • Username: remote_user
  8. Upload or generate the private/public key pair. Set a passphrase if necessary.

  9. If the key pair is generated, save the public key on the secret to the user’s /home/remote_user/.ssh/authorized_keys file on the target host.

Task 2: Creating a Jumpbox Route with Secret Levels

See Creating and Editing Jump Server Routes for more on creating jumpbox routes.
  1. Create a new jumpbox route named flintstone.
  2. For level 1, select the bastion01 secret and choose 2222 as the port.
  3. For level 2, select the bastion02 secret and choose 3333 as the port.

Task 3: Assigning a Jumpbox Route on the Target Secret

  1. Open the remote-host-target secret.

  2. Ensure SSH proxying is enabled (Security > Enable SSH Proxy) on the secret.

  3. Navigate to the secret’s Settings tab.

  4. Scroll down to edit the Jumpbox Route section.

  5. Select the flintstone route in the drop-down.

  6. Save your changes.

Task 4: Test Launching the Target Secret with PuTTY Launcher over SSH Proxy

  1. Open the remote target secret.

  2. Click the General tab.

  3. Click the PuTTY Launcher link to begin a new SSH proxy session with a jump server route. The launcher connects to the target via the jump server route.

Task 5: Test Launching the Target Secret with SSH Terminal

  1. Note the secret ID of your remote target secret.

  2. Using an SSH client, log in to SSH Terminal. See SSH Terminal Administration for details.

  3. Enter cat <secret id> to view the remote target secret's details.

  4. Enter launch <secret id> to launch the remote target secret with a jumpbox route.

  5. You should now be connected to remote-hostname.thycotic.com as remote_user.

  6. Enter exit to return to the terminal.