[Openstack-operators] How to access VMs remotely via ssh with closed 22 port?
Ahmed RAHAL
arahal at iweb.com
Sun Mar 8 18:40:36 UTC 2015
Hi,
On 2015-03-08 11:57, Mohammad alizadeh wrote:
> Hi experts,
> I have a security issue in my last OpenStack deployment.
> As an enforced security policy, my datacenter firewall blocks every ssh
> request except those sent to one valid IP address (a specific machine in
> the DMZ). So, by this rule, customers cannot access their instances via
> ssh. Is there a way to allow customers to connect to their instances
> remotely via ssh? How can I use this single ssh-allowed machine to
> connect customers to their instances via ssh (maybe using a VPN or other
> techniques)?
A dedicated VPN box could be a solution, but it requires more ports open on
your DMZ firewall and a bit of work to get the server as well as the clients
running.
You can also set up additional accounts on the box that has SSH allowed
and let customers use those as a jump box.
From there they may reconnect to their own boxes.
They may automate it a bit by putting something similar to the following
in their .ssh/config:

    Host VM_HOST
        ProxyCommand ssh JUMP_BOX -W %h:%p

This approach has security implications, as your customers technically
have access to your server's shell.
You may restrict that by allowing only the ssh command in their
public key entry in .ssh/authorized_keys (on the jump box). This may require
some more work, as in
http://binblog.info/2008/10/20/openssh-going-flexible-with-forced-commands/.
Also, they need to use ssh keys.
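As an added example (not from the original mail), here is the jump-box side of that restriction: an authorized_keys entry that only permits the direct-tcpip forward that "ssh -W" opens, plus a matching sshd_config fragment and a provisioning helper. It assumes OpenSSH 7.2 or newer for the "restrict" option; the group name jumpusers, the nologin shell path and the function names are my assumptions.

```shell
# Added example, not from the original post: provision a restricted
# jump-box account so a customer can only reach their own instance.
# Assumes OpenSSH 7.2 or newer (the "restrict" option) and that
# provision_customer runs as root on the jump box. Group name and
# paths are assumptions, not anything the original mail specifies.

# Emit an authorized_keys line that permits ONLY a direct-tcpip forward
# to VM_IP:22 (what "ssh -W %h:%p" asks for): no shell, no pty, no
# agent or X11 forwarding. Usage: jump_keys_entry VM_IP "PUBKEY"
jump_keys_entry() {
    vm_ip=$1
    pubkey=$2
    # dotted-quad IPv4 only, so no stray options can reach the entry
    case $vm_ip in
        ""|*[!0-9.]*) return 1 ;;
    esac
    # the key must start with a key type, so nobody can smuggle in
    # their own "command=" or other options ahead of it
    case $pubkey in
        "ssh-ed25519 "*|"ssh-rsa "*|"ecdsa-sha2-"*) ;;
        *) return 1 ;;
    esac
    printf 'restrict,port-forwarding,permitopen="%s:22" %s\n' "$vm_ip" "$pubkey"
}

# sshd_config fragment for the jump group: forwarding allowed, no PTY,
# key-based authentication only. Append its output to sshd_config.
jump_sshd_match_block() {
    printf '%s\n' \
        'Match Group jumpusers' \
        '    AllowTcpForwarding yes' \
        '    PermitTTY no' \
        '    X11Forwarding no' \
        '    PasswordAuthentication no' \
        '    PermitTunnel no'
}

# Create the account (no login shell) and install the restricted key.
# Usage: provision_customer USER VM_IP PUBKEY_FILE
provision_customer() {
    user=$1; vm_ip=$2; keyfile=$3
    entry=$(jump_keys_entry "$vm_ip" "$(cat "$keyfile")") || return 1
    getent group jumpusers >/dev/null || groupadd jumpusers
    useradd -m -g jumpusers -s /usr/sbin/nologin "$user"
    home=$(getent passwd "$user" | cut -d: -f6)
    install -d -m 700 -o "$user" -g jumpusers "$home/.ssh"
    printf '%s\n' "$entry" > "$home/.ssh/authorized_keys"
    chown "$user:jumpusers" "$home/.ssh/authorized_keys"
    chmod 600 "$home/.ssh/authorized_keys"
}
```

Because "ssh -W" never requests a session channel, the nologin shell and the missing PTY do not interfere with the forward, while the permitopen target stops the account from being used to reach any other host in the DMZ.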
Finally, if only one IP is allowed through your firewall, I guess that
the security guys want to prevent entry. Thus circumventing the rule by
proxying the connections does not look like the best way to go. Maybe
re-evaluating customer needs with the security team would help find a
better solution to the problem.
HTH.
--
Ahmed R.