SSH Tunnel

Use an SSH tunnel to connect to databases

An SSH bastion is a jump server (or gateway server) that provides access to databases inside a private network over the SSH protocol.

How to connect via SSH Tunnel

  • When setting up a connector, choose Connect via SSH Tunnel.
  • Copy the unique SSH public key.
  • Set up a streamkap user on your bastion host.
  • Add the ssh-ed25519 key to the streamkap user on the bastion host.
  • Add the Streamkap IP addresses to your allowed hosts.
  • Enter the bastion address into SSH Host.
  • Enter the username into SSH User.

Why ssh-ed25519 keys vs RSA?

The Ed25519 algorithm has superior security characteristics and computational efficiency.

  • Robust Security: The Ed25519 algorithm is based on elliptic curve cryptography (ECC) and provides a 128-bit security level. It offers strong resistance against brute-force attacks, making it highly suitable for protecting your remote access credentials.
  • Smaller Key Size: Ed25519 keys are smaller than their RSA counterparts, reducing storage and transmission overhead. Smaller keys also contribute to faster authentication, improving overall connection speeds.
  • Fast Key Generation: Generating Ed25519 keys is faster than generating traditional RSA keys.

How to Setup a Bastion Host

Setup Linux SSH Host

Log in to your SSH tunnel host and run the following commands:

-- Create group streamkap:
sudo groupadd streamkap

-- Create user streamkap:
sudo useradd -m -g streamkap streamkap

-- Switch to the streamkap user:
sudo su - streamkap

-- Create the .ssh directory:
mkdir ~/.ssh
-- Set permissions:
chmod 700 ~/.ssh

-- Change to the .ssh directory:
cd ~/.ssh

-- Create the authorized_keys file:
touch authorized_keys

-- Set permissions:
chmod 600 authorized_keys

-- Using the key given to you by Streamkap, add it to the authorized_keys file:
echo "<key>" >> ~/.ssh/authorized_keys
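The commands above install the key with no restrictions on what the streamkap user may do once connected. The script below is an added example, not part of the Streamkap documentation, that performs the same setup for a home directory you pass in, validates that the pasted key really is an ssh-ed25519 key, and writes the authorized_keys entry with OpenSSH key options (`restrict,port-forwarding,permitopen="host:port"`) so the key can only be used to forward to the database you name. The database host and port, and the sample key used in the comments, are assumptions for illustration; run it as the streamkap user (or pass that user's home directory) after the user has been created.

```shell
#!/bin/sh
# Added example (not Streamkap's own code): install a tunnel-only authorized_keys
# entry for the streamkap user with the permissions the docs require.
set -eu

# Accept only "ssh-ed25519 <base64 blob> [comment]" lines.
is_ed25519_key() {
  case "$1" in
    "ssh-ed25519 "*) ;;
    *) return 1 ;;
  esac
  blob=$(printf '%s' "$1" | awk '{print $2}')
  [ -n "$blob" ] || return 1
  printf '%s' "$blob" | grep -Eq '^[A-Za-z0-9+/]+=*$'
}

# Build the authorized_keys line: "restrict" disables shell features such as PTY,
# agent and X11 forwarding; "port-forwarding" re-enables forwarding and
# "permitopen" limits it to the single database endpoint (assumed host/port).
tunnel_entry() {  # $1 = key line, $2 = database host, $3 = database port
  printf 'restrict,port-forwarding,permitopen="%s:%s" %s\n' "$2" "$3" "$1"
}

# Create ~/.ssh (700) and authorized_keys (600) under the given home directory
# and append the entry once; a second run with the same key is a no-op.
install_key() {  # $1 = home dir, $2 = key line, $3 = database host, $4 = database port
  is_ed25519_key "$2" || { echo "refusing: not an ssh-ed25519 public key" >&2; return 1; }
  sshdir="$1/.ssh"
  mkdir -p "$sshdir"
  chmod 700 "$sshdir"
  touch "$sshdir/authorized_keys"
  chmod 600 "$sshdir/authorized_keys"
  entry=$(tunnel_entry "$2" "$3" "$4")
  grep -qxF "$entry" "$sshdir/authorized_keys" || printf '%s\n' "$entry" >> "$sshdir/authorized_keys"
}

# Octal mode of a path, used to verify the result (GNU stat, as on a Linux bastion).
perm_of() { stat -c '%a' "$1"; }

# Usage (assumed values): install_key /home/streamkap "ssh-ed25519 AAAA... streamkap" 10.0.0.5 5432
```

Because the entry starts with `restrict`, the streamkap user cannot open an interactive shell through this key even though the account exists; only the one forwarding target remains usable, which is the least privilege a tunnel user needs.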

Once the user is created, you'll need to allow IP and port access in these two locations:

  • From the Streamkap IPs to your tunnel server's SSH port. See Streamkap IP Addresses.
  • From your SSH tunnel server to your connector's IP and port.

Setup Windows SSH Host

Log in to your SSH tunnel host and run the following commands:

-- Create user streamkap:

net user streamkap <password> /add /comment:"Streamkap User" /passwordchg:no /passwordreq:no /logonpasswordchg:no

-- Create group streamkap:

net localgroup streamkap-group /comment:"Streamkap Group" /add

-- In a Windows command prompt, change to the SSH server directory and open sshd_config:

cd C:\ProgramData\ssh\ && start notepad .\sshd_config

-- Allow password authentication for the Streamkap user.

PasswordAuthentication yes  

-- Allow the Streamkap user to connect to the SSH server. Add the following line to the sshd_config file.

AllowUsers streamkap

-- If your Windows build is 1809 or later, comment out the following lines in the sshd_config file:
# Match Group administrators
# AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys

Save the sshd_config file.

-- Restart the agent and the sshd service (run in PowerShell). If the following command fails, you can restart them from the Task Manager (Alt + Ctrl + Delete).

Restart-Service ssh-agent; Restart-Service sshd

-- SSH into the server from the Windows VM.
ssh streamkap@<DNS Name>

-- Create a .ssh folder in your home directory.
mkdir .ssh

-- Add an authorized_keys file if it does not exist.
-- If your client is Windows PowerShell:

type nul > authorized_keys
echo "<streamkap-public-key>" >> authorized_keys
icacls C:\Users\streamkap\.ssh\authorized_keys /inheritance:r

-- If your client is Linux:

touch authorized_keys
chmod 600 authorized_keys
echo "<streamkap-public-key>" >> authorized_keys

If you're running PowerShell in elevated mode, your setup is complete.

If you're not running PowerShell in elevated mode, follow the instructions below.

-- Allow public key authentication:
PubkeyAuthentication yes

-- Remove password authentication:
PasswordAuthentication no
PermitEmptyPasswords no

Save the sshd_config file.
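Because password authentication was switched on earlier in this procedure, it is worth confirming that the saved sshd_config really ends up with the settings above. The script below is an added example, not part of the Streamkap documentation, that reads an sshd_config (the Windows file at C:\ProgramData\ssh\sshd_config copied to the machine where you run it, or a Linux bastion's /etc/ssh/sshd_config) and reports whether `PubkeyAuthentication`, `PasswordAuthentication`, `PermitEmptyPasswords` and `AllowUsers` carry the values this page asks for. It mirrors sshd's own rule that the first occurrence of a keyword in the global section wins, stops at the first `Match` block, and treats a keyword the page sets explicitly but that is absent from the file as a finding. The file path and the sample configuration in the comments are assumptions.

```shell
#!/bin/sh
# Added example (not Streamkap's own code): audit an sshd_config for the
# tunnel-user settings this page asks for.
set -eu

# Effective global value of a keyword: first non-comment occurrence wins, and the
# global section ends at the first "Match" line. Prints the rest of the line.
sshd_value() {  # $1 = sshd_config path, $2 = keyword (case-insensitive)
  awk -v key="$2" '
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
    tolower($1) == "match" { exit }
    tolower($1) == tolower(key) { $1 = ""; sub(/^ /, ""); print; exit }
  ' "$1"
}

# True if the word appears in a whitespace-separated list (AllowUsers may name several users).
has_word() {  # $1 = list, $2 = word
  for w in $1; do
    [ "$w" = "$2" ] && return 0
  done
  return 1
}

# Prints one OK/FAIL line per setting; returns 1 if anything does not match.
# An unset keyword is reported as FAIL because the page sets each one explicitly.
audit_sshd_config() {  # $1 = sshd_config path
  rc=0
  for pair in "PubkeyAuthentication=yes" "PasswordAuthentication=no" "PermitEmptyPasswords=no"; do
    key=${pair%%=*}; want=${pair#*=}
    got=$(sshd_value "$1" "$key")
    if [ "$got" = "$want" ]; then
      echo "OK   $key $got"
    else
      echo "FAIL $key is '${got:-unset}', expected '$want'"
      rc=1
    fi
  done
  users=$(sshd_value "$1" AllowUsers)
  if has_word "$users" streamkap; then
    echo "OK   AllowUsers includes streamkap"
  else
    echo "FAIL AllowUsers is '${users:-unset}', expected it to include streamkap"
    rc=1
  fi
  return $rc
}

# Usage (assumed path): audit_sshd_config /etc/ssh/sshd_config
```

The script inspects the file as written; on a host where you can run it, `sshd -T` prints the daemon's effective configuration and is the authoritative check, but the file audit is useful when the config is reviewed away from the server.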

Verify that inheritance has been disabled and remove Administrator.

  • Right click on the authorized_keys file
  • Select Properties
  • Select the Security tab
  • Select Advanced
  • Verify that the bottom left reads Enable Inheritance, which means that inheritance is disabled
  • Remove Administrator from the file security permissions.

Restart the agent and the sshd service.

Restart-Service ssh-agent; Restart-Service sshd