Support jump-server configuration #9

@spbnick

Tlog cannot be used to record superuser sessions securely. For those sessions
another approach should be used, such as a jump server. In a jump-server setup
the user first logs in to a machine which records all the terminal I/O, and
then from that machine he/she logs in to the target machine.

This allows recording terminal I/O securely. Still, audit logs need to be
collected on the target machine, and will remain authentic only until the
point when the superuser decides to circumvent them. Even though it seems like
a partial solution, it is still useful.

The jump-server setup can be done by putting a sort of "captive portal" on the
jump server, only allowing the user to interact with a program selecting which
server to log in to. This approach is used by e.g.
https://github.com/aker-gateway/Aker.

Another approach can be similar to "virtual hosting" and NAT, where a single
jump server can have a number of IP addresses on the external interface,
mapped one-to-one to addresses of the protected servers, perhaps aided by
split DNS views. When users log in to one of those external addresses,
the jump server would know which server the user wanted to reach and can start
recording and initiate a further SSH connection to the protected server
automatically.

The challenge here is how to then link such session recordings to the session
on the target server, for both the terminal I/O and audit logs.

For specific user requirements and typical jump-server setups we can contact
@anazmy, the author of Aker, linked above.
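
A sketch of the address-mapped approach described in the issue, added here as an illustration and not taken from tlog or Aker: a script that sshd on the jump server could run for every login, choosing the protected server from the local address in `SSH_CONNECTION` and refusing unmapped addresses. The addresses, host names, function names and the `tlog-rec --writer=syslog` recorder invocation are assumptions.

```shell
#!/bin/sh
# Constructed map: external jump-server address -> protected server.
# All addresses and host names are made up for illustration.
TARGET_MAP='
192.0.2.11 db1.internal.example
192.0.2.12 web1.internal.example
'

# sshd sets SSH_CONNECTION="client_ip client_port server_ip server_port";
# the third field is the jump-server address the user connected to.
local_addr() {
    printf '%s\n' "$1" | awk 'NF == 4 { print $3; ok = 1 } END { exit !ok }'
}

# Exact-match lookup: prints the target and returns 0, or returns 1.
resolve_target() {
    printf '%s\n' "$TARGET_MAP" |
        awk -v a="$1" 'NF == 2 && $1 == a { print $2; found = 1; exit }
                       END { exit !found }'
}

# Print the recorded onward command for a connection and login name.
# The target comes only from the server-side map, never from client input,
# and an unknown or malformed address fails closed (non-zero status).
# "tlog-rec --writer=syslog" is an assumed recorder setup; adapt it locally.
session_command() {
    addr=$(local_addr "$1") || return 1
    target=$(resolve_target "$addr") || return 1
    printf 'tlog-rec --writer=syslog ssh -l %s %s\n' "$2" "$target"
}

# In a forced-command script the result would be executed, e.g.:
#   cmd=$(session_command "$SSH_CONNECTION" "$USER") && exec $cmd

# Demo on constructed SSH_CONNECTION values (no connection is made).
session_command '198.51.100.7 51234 192.0.2.12 22' alice
session_command '198.51.100.7 51234 192.0.2.99 22' alice ||
    echo 'refused: no target mapped for this address'
```

This covers only target selection and starting the recorder; linking the recording to the session on the target server, which the issue names as the open challenge, is not addressed.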
