[kwlug-disc] Using SSH to authenticate

unsolicited unsolicited at swiz.ca
Sat Mar 13 17:00:11 EST 2010


Following Richard's notes:

The assumptions are you are ssh'ing in to work (say), so RelayHost and 
TargetHost are on the same network, RelayHost can get to / has 
permission to get to RelayHost, and HomeHost is on some other network.

Once you ssh to RelayHost as Richard shows, you then ssh localhost, 
which will be TargetHost by then.

You are doing all this because TargetHost is not directly accessible 
from the world. Thus all traffic must pass through RelayHost - it's 
the only thing publicly accessible.

The only other way you might do this is to have TargetHost reverse ssh 
(?) you back. Which, actually, is what I think Raul does - he has his 
Dad ssh him, then Raul ssh's back through that tunnel in to do his stuff.

	How you accomplish this may be problematic. i.e. You either cron or 
have to get to TargetHost to tell it to initiate the connection to you 
at HomeHost.

	Having accomplished that reverse connection, you may be able to kill 
your original connection to RelayHost, but I expect you'd have to be 
careful to background or fork properly, or the dropping of the 
connection from you to RelayHost may in turn drop the connection from 
TargetHost to HomeHost. In Raul's case above, his Dad dropping the 
connection would drop him - since he's travelling back through that 
initial tunnel.

I do wonder, if RelayHost is flaky and intermittent ... why use it?

The other, easier way to do this would be to open a port on the 
firewall redirecting some port, e.g. 8022, to port 22 on TargetHost, 
bypassing RelayHost entirely.

	That's not kosher 'officially', i.e. you directly expose another 
machine to the big, bad world, but it is common practice. (Rather than 
a DMZ, etc.)

	You can minimize the exposure by using certificates and denying all 
other forms of authentication.

Richard Weait wrote, On 03/13/2010 4:14 PM:
> On Sat, Mar 13, 2010 at 2:49 PM, Paul Nijjar <paul_nijjar at yahoo.ca> wrote:
>> I don't have the vocabulary to explain this question clearly, so
>> please bear with me (and tell me what vocabulary I should be using).
>>
>> Say I have three hosts:
>>  - HomeHost, which is my main machine. I have root on this machine if
>>    I need it.
>>  - RelayHost, which has a slow, laggy connection. I have a regular
>>    user account on this.
>>  - TargetHost, which is the machine where I want to work. I have a
>>    regular user account on this machine.
>>
>> My end goal is to make a connection from HomeHost -> TargetHost.
>> However, I only have permission (via SSH whitelisting or whatever) to
>> make a connection from RelayHost -> TargetHost.
>>
>> One possibility is to make an SSH connection from HomeHost ->
>> RelayHost, and then SSH from RelayHost -> TargetHost . But since
>> RelayHost is slow and laggy, my experience will be frustrating.
>>
>> Is there some SSH (or other) magic that I can use to make a direct
>> connection from HomeHost -> TargetHost without the packets needing to
>> go through RelayHost?
>>
>> I have a feeling this topic was covered during one of those bits of
>> Raul's presentation I did not understand very well, but I am not sure.
> 
> The quick and dirty is to
> 
> ssh pauln at RelayHost, then from there,
> ssh pauln at TargetHost
> 
> The "right answer" sounds like a job for "-L" to me.  IIRC,
> 
> From HomeHost
> ssh -L 22:TargetHost:22 pauln at RelayHost
> 
> -L 22:TargetHost:22 is resolved after the connection to RelayHost, and
> refers to incoming local port number: and :destination port number.
> You will need root on RelayHost to use privileged local port?
> 
> This needs better examples than the following.
> 
> http://www.ssh.com/support/documentation/online/ssh/winhelp/32/Local_And_Remote_Forwarding.html
> 
> And please note the IIRC.
> 
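The -L forward from Richard's reply, plus the reverse-tunnel and "certificates only" points from the reply above, worked through as an added shell example (not code from the thread). Host and user names are the thread's; local port 2222 and the two sshd_config samples are constructed assumptions.

```sh
#!/bin/sh
# Added example, not from the list thread. Host and user names follow the
# thread; LOCAL_PORT and the two sshd_config samples are constructed.
RELAY=RelayHost; TARGET=TargetHost; USER_NAME=pauln
LOCAL_PORT=2222   # unprivileged, so no root is needed on HomeHost

# Local forward, run on HomeHost: afterwards "ssh -p 2222 localhost" there
# reaches TargetHost's sshd (packets still pass through RelayHost).
# -f backgrounds the tunnel, -N runs no remote shell, so closing the
# interactive RelayHost session does not drop it. $1="echo" only prints.
open_forward() {
    ${1:-} ssh -f -N -L "$LOCAL_PORT:$TARGET:22" "$USER_NAME@$RELAY"
}
# Reverse forward, run on TargetHost (e.g. from cron): HomeHost then
# reaches TargetHost with "ssh -p 2222 localhost" on HomeHost.
open_reverse() {
    ${1:-} ssh -f -N -R "$LOCAL_PORT:localhost:22" "$USER_NAME@HomeHost"
}

# First effective value of a keyword in an sshd_config: sshd uses the
# first occurrence, keywords are case-insensitive, '#' lines are ignored.
# Match blocks are not handled (simplification).
sshd_setting() {   # $1 = config file, $2 = keyword
    awk -v key="$2" '
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { print tolower($2); exit }' "$1"
}
# Keys only: passwords and keyboard-interactive off, public keys on.
keys_only() {   # $1 = config file; exit status 0 when hardened
    [ "$(sshd_setting "$1" PasswordAuthentication)" = "no" ] &&
    [ "$(sshd_setting "$1" ChallengeResponseAuthentication)" = "no" ] &&
    [ "$(sshd_setting "$1" PubkeyAuthentication)" != "no" ]
}

HARDENED=$(mktemp); WEAK=$(mktemp)
cat >"$HARDENED" <<'EOF'
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
EOF
cat >"$WEAK" <<'EOF'
#PasswordAuthentication no
PasswordAuthentication yes
PasswordAuthentication no
EOF
keys_only "$HARDENED" && echo "hardened sample: keys only"
keys_only "$WEAK" || echo "weak sample: first PasswordAuthentication wins"
```

Because the forward presents TargetHost's host key on localhost:2222, ssh stores it in known_hosts as `[localhost]:2222`; adding `-o HostKeyAlias=TargetHost` to the `ssh -p 2222 localhost` command keeps the entry under the real name.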
