Bastionhost:Best practices to audit scp-based operations by using Bastionhost

Last Updated:Jan 15, 2024

If you log on to a server directly from your computer and run scp commands to upload and download files, the bastion host cannot audit these operations. To allow the bastion host to audit them, you must configure your computer so that scp connections are proxied through the bastion host.

Prerequisites

Procedure

  1. Log on to the terminal interface of your computer.

  2. Run the following command to create a .ssh directory:

    mkdir ~/.ssh
  3. Store the ssh_config file in the ~/.ssh directory.

    If the ssh_config file does not exist on your computer, you must create an ssh_config file.

  4. Run the following command to edit the ssh_config file:

    vi ~/.ssh/ssh_config

    The following sample code provides a template for you to modify the ssh_config file. You can copy and paste the following code to the file and then modify the file:

    # The alias of the bastion host. If the bastion host does not have an alias, delete this configuration.
    Host __USM__
    # The username of the bastion host. The value can be a local account, an Active Directory (AD) account, a Lightweight Directory Access Protocol (LDAP) account, or a Resource Access Management (RAM) user.
    User 136********
    # The IP address of the bastion host.
    Hostname 120.55.XX.XX
    # The O&M port of the bastion host.
    Port 60022
    
    # Server 1.
    # The alias of Server 1. If the server does not have an alias, delete this configuration.
    Host cylinux123
    # The IP address of Server 1.
    Hostname 192.168.XX.XX
    # The port of Server 1.
    Port 22
    
    # Server 2. If you have only one server, delete this server.
    # The alias of Server 2. It must differ from the alias of Server 1, because ssh uses the first matching Host block. If the server does not have an alias, delete this configuration.
    Host cylinux123
    # The IP address of Server 2.
    Hostname 192.168.XX.XX
    # The port of Server 2.
    Port 22
    
    # The destination servers. Each of the following Host blocks matches server IP addresses or aliases by their first character and routes them through the bastion host. The bastion alias __USM__ starts with an underscore so that it does not match these patterns and the proxy does not loop back on itself.
    Host 1* 2* 3* 4* 5* 6* 7* 8* 9*
    # Disable public key authentication.
    PubkeyAuthentication no
    # Set the bastion host as a proxy. You can copy the following proxy configurations:
    ProxyCommand ssh -F /root/.ssh/ssh_config -A -q __USM__ -W %h:%p
    
    Host a* b* c* d* e* f* g* h* i* j* k* l* m* n* o* p* q* r* s* t* u* v* w* x* y* z*
    PubkeyAuthentication no
    ProxyCommand ssh -F /root/.ssh/ssh_config -A -q __USM__ -W %h:%p
    
    Host A* B* C* D* E* F* G* H* I* J* K* L* M* N* O* P* Q* R* S* T* U* V* W* X* Y* Z*
    PubkeyAuthentication no
    ProxyCommand ssh -F /root/.ssh/ssh_config -A -q __USM__ -W %h:%p

    You must modify the following configurations:

    • Configurations of the bastion host

      • The username of the bastion host.

      • The O&M address of the bastion host.

      • The O&M port of the bastion host. The default value is 60022.

    • Configurations of the servers

      • If you do not specify an alias for the bastion host on your computer, you must modify the IP addresses and ports of the servers. By default, port 22 is used for SSH connections.

      • If you specified an alias for a single server on your computer, you must modify the alias, IP address, and port of the server. By default, port 22 is used for SSH connections.

      • If you specified aliases for multiple servers on your computer, you must specify the alias, IP address, and port of each server as a whole, and modify the configurations for each server in sequence.
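Any destination whose effective configuration has no ProxyCommand is reached directly and therefore never passes through the bastion host, so a quick way to check a finished ssh_config is to resolve each server the way ssh does (first matching Host block wins per option) and list the ones that would bypass the proxy. The following Python is an added example, not Bastionhost's code or part of this page: it is a simplified ssh_config parser (no Match blocks, no `Key=value` syntax, no `!` negation) run over a constructed config in which the `g*` pattern was left out of the wildcard block.

```python
import fnmatch

# Constructed sample (not the page's file). The g* pattern is deliberately left
# out of the wildcard block so that the check below has something to catch.
SAMPLE_CONFIG = """
Host __USM__
  Hostname 120.55.XX.XX
  Port 60022
Host cylinux123
  Hostname 192.168.XX.XX
  Port 22
Host 1* 2* 3* 4* 5* 6* 7* 8* 9*
  PubkeyAuthentication no
  ProxyCommand ssh -F /root/.ssh/ssh_config -A -q __USM__ -W %h:%p
Host a* b* c* d* e* f* h* i* j* k* l* m* n* o* p* q* r* s* t* u* v* w* x* y* z*
  PubkeyAuthentication no
  ProxyCommand ssh -F /root/.ssh/ssh_config -A -q __USM__ -W %h:%p
"""

def parse_ssh_config(text):
    """Split ssh_config text into (host_patterns, options) blocks in file order."""
    blocks, patterns, opts = [], ["*"], {}  # options before any Host apply to all
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        key, _, value = line.partition(" ")
        key, value = key.lower(), value.strip()
        if key == "host":
            blocks.append((patterns, opts))
            patterns, opts = value.split(), {}
        else:
            opts[key] = value
    blocks.append((patterns, opts))
    return blocks

def effective_options(blocks, host):
    """ssh semantics: walk blocks in order; the first one that sets an option wins."""
    result = {}
    for patterns, opts in blocks:
        if any(fnmatch.fnmatchcase(host, p) for p in patterns):
            for key, value in opts.items():
                result.setdefault(key, value)
    return result

def audit_routing(text, bastion_alias, hosts):
    """Hosts without a ProxyCommand connect directly (unaudited); the bastion must not loop."""
    blocks = parse_ssh_config(text)
    bypass = [h for h in hosts if "proxycommand" not in effective_options(blocks, h)]
    looped = "proxycommand" in effective_options(blocks, bastion_alias)
    return {"bypass": bypass, "bastion_looped": looped}
```

Run `audit_routing` over the server IP addresses and aliases you actually use; an empty `bypass` list and `bastion_looped` of `False` means every listed destination is proxied through the bastion host and the bastion itself is reached directly.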

  5. Run one of the following commands to upload a file to or download a file from a server. Both commands read the ssh_config file that you created, so the connection is proxied through the bastion host:

    • Upload the file:

      scp -F ~/.ssh/ssh_config filename root@192.168.XX.XX:/

      By default, the uploaded file is stored in the root directory of the server.

    • Download the file:

      scp -F ~/.ssh/ssh_config root@192.168.XX.XX:/filename /root
    Note

    If the "ssh_exchange_identification: Connection closed by remote host" error message appears when you connect to the server from your computer, delete the ~/.ssh/known_hosts file and run the preceding command to reconnect to the server.

    Related commands

    • ssh command for O&M:

      ssh -F ~/.ssh/ssh_config root@192.168.XX.XX

      The destination is in the following format: server account@IP address or alias.
    • rsync command for uploading:

      rsync -e "ssh -F /root/.ssh/ssh_config" -avp filename root@192.168.XX.XX:/
    • rsync command for downloading:

      rsync -e "ssh -F /root/.ssh/ssh_config" -avp root@192.168.XX.XX:/filename /root

Result

After you complete the preceding configurations on your computer, the bastion host audits the scp operations that are performed from your computer to upload files to or download files from a server. You can log on to the bastion host to view the audit logs. For more information, see Search for sessions and view session details.