TG is the greatest SSH bridge ever! An SSH bridge, also known as an SSH bastion or SSH gateway, acts as a proxy to handle your SSH connections.
First of all, you must have an SSH key on your current machine.
If you don't, create one from your current machine (make sure you provide a passphrase when it asks for one):
ssh-keygen -t rsa -b 4096
Connect to your future bastion server as root (important) :
Install dependencies:
Debian:
apt-get install openssh-server git libjson-perl libemail-mime-perl libdatetime-perl libemail-sender-perl libemail-mime-creator-perl libjson-xs-perl libwww-perl screen libconvert-base32-perl libauthen-oath-perl
Clone the repo into a directory (e.g. /opt/tg):
git clone [email protected]:root-gg/tg.git /opt/tg
Create a new user without password and with the tg cache program as shell :
adduser --system --shell /opt/tg/cache --group --disabled-password --home /home/YOURUSER YOURUSER
Replace YOURUSER by the username of your choice.
Now, you must create an SSH key for YOURUSER (this one will be without a passphrase):
sudo -u YOURUSER ssh-keygen -t rsa -b 4096 -N ''
Add your SSH public key to /home/YOURUSER/.ssh/authorized_keys. If this file does not exist, create it:
touch /home/YOURUSER/.ssh/authorized_keys
And change its owner to YOURUSER:
chown YOURUSER: /home/YOURUSER/.ssh/authorized_keys
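A pre-flight check for the account created in the steps above, as an added example that is not part of the TG project: it verifies the ownership and permissions that sshd's StrictModes enforces on the home directory, .ssh and authorized_keys, and that the passphrase-less bastion key is not accessible to other users. The function names and the BASTION_USER variable are assumptions of this example, and it relies on GNU stat as shipped with Debian.

```shell
#!/bin/sh
# Added example: audit the bastion account's SSH files before the first login.
# Helper names and BASTION_USER are constructed for this example. Needs GNU stat.

# check_path PATH UID: PATH must be owned by UID (or root) and must not be
# writable by group or others, as sshd's StrictModes requires.
check_path() {
    [ -e "$1" ] || { echo "MISSING $1"; return 1; }
    owner=$(stat -c '%u' "$1")
    mode=$(stat -c '%a' "$1")
    if [ "$owner" != "$2" ] && [ "$owner" != "0" ]; then
        echo "OWNER   $1 belongs to uid $owner, expected $2"; return 1
    fi
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "MODE    $1 is $mode: writable by group or others"; return 1
    fi
    echo "OK      $1 (mode $mode, uid $owner)"
}

# audit_bastion_home HOME UID: run every check; non-zero if any one failed.
audit_bastion_home() {
    rc=0
    for p in "$1" "$1/.ssh" "$1/.ssh/authorized_keys"; do
        check_path "$p" "$2" || rc=1
    done
    # The key made with -N '' has no passphrase, so file permissions are its
    # only protection: no access at all for group or others.
    key="$1/.ssh/id_rsa"
    if [ -e "$key" ]; then
        kmode=$(stat -c '%a' "$key")
        if [ $(( 0$kmode & 077 )) -ne 0 ]; then
            echo "MODE    $key is $kmode: accessible by group or others"; rc=1
        fi
    fi
    return $rc
}

# Runs only when BASTION_USER is set, e.g.: BASTION_USER=YOURUSER sh audit.sh
if [ -n "${BASTION_USER:-}" ]; then
    audit_bastion_home "/home/$BASTION_USER" "$(id -u "$BASTION_USER")"
fi
```

Run it as root on the bastion; any line that does not start with OK should be fixed before you try to log in.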
Try to connect to your bastion host with your key :
This part requires your bastion server to be installed and it must be done on each client you are using.
Choose one of these two methods for each client, whichever fits your needs.
First of all, try to connect to your bastion host with your key :
Clone tg in a folder (ex: ~/bin/tg) :
mkdir -p ~/bin
git clone [email protected]:root-gg/tg.git ~/bin/tg
Change your PATH to add ~/bin/tg :
echo 'export PATH="$HOME/bin/tg:$PATH"' >> ~/.bashrc
Restart your shell !
Initialize TG client :
tg --init
Answer each question according to your bastion server.
Replace YOURUSER by your bastion username and YOURBASTIONHOST by your bastion hostname.
Add tg alias to your bashrc :
echo 'alias tg="ssh -t -t YOURUSER@YOURBASTIONHOST --"' >> ~/.bashrc
Restart your shell !
Check that the bastion is working:
tg -ls
If it displays beautiful lines with colors and such, you're good to go !
Optional : Change the default bastion user to root (to connect as root to your servers, by default) :
tg -su root
Main help (quite ugly and incomplete at this time):
tg -h
tg -ls
Replace myserver.mydomain.com by the hostname of the server you want to add
Add host :
tg -a myserver.mydomain.com
Automagically push bastion SSH key to your host (you must provide host password for this) :
tg -ak myserver.mydomain.com
Now you can connect to your host :
tg myserver.mydomain.com
Replace myserver.mydomain.com by your hostname and myhostalias by the alias you want
tg myserver.mydomain.com is a bit long to type, let's make an alias for this one
Add your host alias :
tg -aa myhostalias myserver.mydomain.com
Now you can connect to your host this way :
tg myhostalias
When you often run a specific command on a host, typing tg myhostalias and then mycommand -foo bar is a bit long, so let's make an alias for this one
Add your command alias :
tg -aca mycommandalias myhostalias -- mycommand -foo bar
Now you can run your command on the host this way :
tg mycommandalias
This is used if you want to SSH to your hosts through TOR (if you are a privacy extremist or something...).
On your bastion server, install this dependency :
apt-get install netcat-openbsd
Debian: on your bastion server, install the Tor client by following this procedure : https://www.torproject.org/docs/debian.html.en Or use this quick command:
apt-get install tor
Replace myserver.mydomain.com by your hostname
Now you can connect to your hosts through tor this way :
tg -tor myserver.mydomain.com
Replace [email protected] by your mail address
Enable two factor authentication by mail :
tg -se [email protected]
Now, when you use tg for the first time from a new IP address, you will need a two-factor authentication code. This code will be sent to you by mail to verify your identity. If two-factor authentication with Google Authenticator is also enabled, you can enter either of the two codes.
Follow the instructions to enable two factor authentication with Google Authenticator :
tg -sa
Now, when you use tg for the first time from a new IP address, you will need a two-factor authentication code. This code will be sent to you by mail to verify your identity. If two-factor authentication by mail is also enabled, you can enter either of the two codes.