Comments (2)
Hello,
Local, Remote and TCP forwarding are all disabled intentionally, because those features could be used to bypass security mechanisms in place, such as accessing (network-wise) to assets that should only be accessible through the bastion's logic, and bypassing full traceability, as in that case the bastion wouldn't know what's going on inside the local/remote/tcp forwards.
Now, the settings change you tried didn't work because the bastion is doing a protocol break, and when you're connecting to a remote server through it, there are actually 2 distinct SSH connections taking place, one between you and the bastion, and another one (started by the bastion on your behalf) between the bastion and the remote server, then those 2 connections are transparently "plugged" together. The -L
you're trying to use would only apply to the first connection, so it would expose the port 9090 of the bastion itself, not the port of the remote server. For this to work, a double port forward should take place: the bastion should also do a -L
to connect to the remote server. But as the bastion is a shared asset between a lot of accounts and teams, such ports forwards happening on the bastion could collide and users might be able to access port forwards opened by others, so that would be a security issue. This issue doesn't exist with a direct connection because there's no shared asset in the middle.
from the-bastion.
Thanks for this great explanation why port forwarding can't work.
About the need of accessing an http server from a non-exposed to internet machine, I will have to find something else.
from the-bastion.
Related Issues (20)
- Connection to the Bastion takes many seconds HOT 2
- SCP Failure - Error 255
- master can't sync with slave HOT 1
- Arista - Add ssh key on a switch with "from" pattern HOT 1
- An alternative method to log into bastion.
- Synchronization between master and slave HOT 6
- Use a global folder for ttyrec sessions HOT 1
- SFTP plugin instead of SCP on recent OpenSSH versions HOT 2
- Login with user@domain HOT 2
- Accepting [email protected] for ingress key HOT 1
- Upgrade errors: [ERR.] <x> doesn't seem to be a valid bastion group HOT 1
- User suffix for device/network HOT 3
- pam-u2f in code or a configuration to do ? HOT 3
- Error when installing with ttyrec HOT 4
- Disable MFA verification when using an SK
- Feature Request: `*-sk` keys supporting PIV-like policies HOT 1
- [Question] disable ttyrec for SCP HOT 8
- SCP freezes wthen downloading large files: HOT 4
- Support for OIDC auth method
- Feature Request: auto accept keys
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from the-bastion.