Sometimes we will need to give access to certain resources on a network from a jump host ( jumphost, bastion host, stepping stone ), without the users having an interactive shell on the same jump host.

In these cases we can use SSH , together with some configurations to obtain this result.

First we create the hop user, assign him a password and leave him with a restricted shell, so that in case something does not work as it should, the user is completely isolated from the system.

useradd jumper --home-dir=/tmp --shell=/bin/rbash
Shell

Then we will restrict its capabilities also from the SSH service itself. We will add to the /etc/ssh/sshd_config file the following section:

Match User jumper
    AllowAgentForwarding no
    AllowTCPForwarding yes
    X11Forwarding no
    PermitTunnel no
    GatewayPorts no
    ForceCommand echo 'Solo salto! (ssh -J)'
Text

And we will restart the service to apply the changes:

systemctl restart sshd.service
Shell

Now we will be able to use this user to use the jump machine, only compo jump, without the possibility of logging in.

ssh J jumper@bastion usuario@destino
Shell