Forward some external port through to the server that will be the SSH jump server. On a Mikrotik this is probably just a dst-nat rule plus a matching forward-chain filter rule:
/ip firewall nat add action=dst-nat chain=dstnat comment="SSH Jump" dst-port=22 in-interface=ether1 log=yes log-prefix=ssh protocol=tcp to-addresses=172.29.14.196 to-ports=22
/ip firewall filter add action=accept chain=forward comment="SSH Jump" dst-port=22 in-interface=ether1 log=yes log-prefix=ssh protocol=tcp
Adjust the IP address, port and interfaces as appropriate for your network.
Edit the /etc/ssh/sshd_config file so that only key-based (public key) authentication is allowed. If you have no other way onto the server, do this only after the public key is already in the authorized_keys file, because these settings disable password logins entirely:
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
UsePAM no
Restart sshd for the change to take effect.
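As an added check (example code, not part of the original post), the script below audits a copy of sshd_config for the five directives above. It honours sshd's rule that the first occurrence of a keyword wins and stops at the first Match block, since anything after it is conditional rather than global; the sample config embedded in it is constructed for illustration.

```python
"""Audit an sshd_config copy for key-only authentication settings."""
import re

# Directives the jump host should carry, with the values required (all lower-case).
REQUIRED = {
    "permitrootlogin": "no",
    "passwordauthentication": "no",
    "permitemptypasswords": "no",
    "challengeresponseauthentication": "no",
    "usepam": "no",
}


def effective_settings(config_text):
    """Return the effective global value of each keyword in the config.

    sshd uses the first occurrence of a keyword and ignores later duplicates,
    and everything after a Match line only applies conditionally, so the scan
    stops there.
    """
    seen = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        key = parts[0].lower()
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        if key == "match":
            break                                     # end of the global section
        seen.setdefault(key, value)                   # first occurrence wins
    return seen


def audit(config_text):
    """Return {keyword: problem} for every REQUIRED directive not satisfied."""
    effective = effective_settings(config_text)
    problems = {}
    for key, wanted in REQUIRED.items():
        actual = effective.get(key)
        if actual is None:
            problems[key] = "not set (compile-time default applies)"
        elif actual != wanted:
            problems[key] = f"is {actual!r}, expected {wanted!r}"
    return problems


# Constructed sample: a duplicated directive and one hidden inside a Match block.
SAMPLE = """\
PermitRootLogin no
PasswordAuthentication yes   # this first occurrence is the one sshd uses
PasswordAuthentication no
PermitEmptyPasswords no
UsePAM no
Match User backup
    ChallengeResponseAuthentication no
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```

On the host itself `sshd -T` prints the configuration sshd actually uses; this script is for reviewing copies of the file offline.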
With the certificate from the YubiKey's PIV slot saved as yubikey.pem, extract the public key and convert it to OpenSSH format:
openssl x509 -pubkey -in yubikey.pem -noout > yubikey.pub
ssh-keygen -i -f yubikey.pub -mPKCS8 > yubikey.openssh.pub
On the Windows client, change to the OpenSC tools directory:
PS> CD C:\Program Files\OpenSC Project\OpenSC\tools
List the PKCS#11 slots to find the one holding the YubiKey (here slot 2):
PS> pkcs11-tool.exe --list-slots
Slot 2 (0x9): Yubico YubiKey OTP+FIDO+CCID 0
List the keys on the token to find the ID of the PIV authentication key (here 01):
PS> .\pkcs15-tool.exe --reader 2 -k
Private EC Key [PIV AUTH key]
Object Flags : [0x01], private
Usage : [0x04], sign
Access Flags : [0x1D], sensitive, alwaysSensitive, neverExtract, local
Algo_refs : 0
FieldLength : 384
Key ref : 154 (0x9A)
Native : yes
Auth ID : 01
ID : 01
MD:guid : 0x'43......023220000000000000000'
Read that key out in OpenSSH authorized_keys format:
PS> .\pkcs15-tool.exe --reader 2 --read-ssh-key 01
ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYdItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBIsN6+cMvpGvqDHbfcG1hjN5xL75yf+++76D7AlE9GYMs3VrIQXL9serER9qCrjZNxhldK/J6sFB/QWivmCcgqqKaHoIhew0dtKM037QWM/BdSvZ0ZupPNZCLcsu7IC7og== PIV AUTH pubkey
Add the resulting public key line to the ~/.ssh/authorized_keys file on the jump server.
Then point the SSH client (PuTTY is used here) at the OpenSC PKCS#11 module: browse to C:\Program Files\OpenSC Project\OpenSC\pkcs11 and select opensc-pkcs11.dll.
Configure and save the PuTTY session (named Homelab here):
Connection > Data > Auto-login username: your remote username
Connection > SSH > Tunnels: Source port 45543 (or any convenient free local port), Destination blank, type Dynamic
Window > Colours: change ANSI Blue to something not ridiculously dark like the default. 166 166 255 works quite nicely.
Once connected to the SSH session it will be possible to use the connection as a SOCKS5 proxy. In Firefox this is made easy using the FoxyProxy extension.
Add a proxy in FoxyProxy:
Name: HomeLabSSH
Proxy Type: SOCKS5
IP: 127.0.0.1
Port: 45543 (or whatever was put into the PuTTY config earlier)
Username: blank
Password: blank
Then add URL patterns so that only home traffic is sent through the proxy:
Name: Home Domain, Pattern: *.home.cylindric.net
Name: Home Domain (all ports), Pattern: *.home.cylindric.net:*
Name: Home IP, Pattern: 172.29.14.*
Name: Home IP (all ports), Pattern: 172.29.14.*:*