Start a new topic

Secure Gateway - Remote SSH Command Option

We use a jump/relay server to connect to all of our systems. Unfortunately, it doesn't provide an SSH shell, so we can't use the existing Secure Gateway object. What it does allow is specific remote shell commands. I can already do this per terminal connection but it would be really nice to just point them all to a single configured Secure Gateway with the proper configuration.

Can a form of the Secure Gateway be added that is essentially just an SSH connection that passes a specific remote command based on the source terminal connection values?


Hi Ryan,


I'm afraid this is not possible. The terminal connection and the secure gateway connection have completely different properties and are also on very different levels in the object hierarchy. Would it be sufficient if we provide an optional SSH remote command to the secure gateway object and set that (when the secure gateway supports this option)?


Regards,
Stefan

Stefan, I think that would work, I'd just have to test it.

Hi Ryan,


can you provide examples what kind of remote commands you want to execute on the secure gateway when the tunnel is established?


Thanks!

Stefan

The only 2 commands we use today are the following.

<username>@<hostname>

<username>@<hostname>/usr/libexec/openssh/sftp-server


These allow us to tell the "gateway" which username/host we want to connect to and if our passed credentials have access to those target devices it connects us. The 2nd command allows sftp connections instead of a shell.

Hi Ryan,


thanks for the examples.


Command 1: if I'm not mistaken you can use the dependent gateway feature to "chain" gateways: https://www.royalapps.com/blog/dependent-gateways

Command 2: I'm not sure if this would work because the gateway is used for local port forwarding. Executing a command like this in the gateway object wouldn't make any sense as there's no such thing as the shell for the gateway object.


Maybe I'm missing something. If so, maybe you can provide more details about the use case including screenshots, etc. Feel free to open a support ticket with the details if you don't want to share screenshots publicly.


Regards,
Stefan

I think that's the problem. We can't actually tunnel through our gateway. We have to establish an actual terminal connection to the gateway we use so our entire session can be logged. That's why we have to execute a remote command on the server. It uses the credentials we connect to it with, to also determine if we have the rights to connect to the target server.


We do this today by having all the terminal connections URI actually the "gateway", naming the connection the target server, and putting the target server in the remote command field. If it was possible to have a "gateway" they used that was just a remote command that utilized reference values such as $URI$ etc, we could much more easily point servers to specific gateways (we have different ones depending on the region of the world they're in etc.)


We recently went through some port and hostname changes for our gateways and it was an absolute bear updating all of the individual connections. If they were just pointing at a gateway object it would have been a single update.


It may not be possible with the current implementation, was just hoping. :)

Yeah, I think that's not possible. Secure Gateway connections are only for local port forwarding. There's no shell involved as far as I know. I'm afraid, this cannot be done using the Secure Gateway functionality. Regarding the update process: not sure if it's worth the effort, but you could write a PowerShell script which updates all your connections accordingly or you could explore Dynamic Folders and create those connections dynamically based on some datasource.

Thanks Stefan. We do have some dynamic folder functionality setup. I'll try to start relying on it a little more. :)

Login or Signup to post a comment