[kwlug-disc] Using SSH to authenticate
unsolicited
unsolicited at swiz.ca
Sat Mar 13 17:00:11 EST 2010
Following Richard's notes:
The assumptions are you are ssh'ing in to work (say), so RelayHost and
TargetHost are on the same network, RelayHost can get to / has
permission to get to RelayHost, and HomeHost is on some other network.
Once you ssh to RelayHost as Richard shows, you then ssh localhost,
which will be TargetHost by then.
You are doing all this because TargetHost is not directly accessible
from the world. Thus all traffic must pass through RelayHost - it's
the only thing publicly accessible.
The only other way you might do this is to have TargetHost reverse ssh
(?) you back. Which, actually, is what I think Raul does - he has his
Dad ssh him, then Raul ssh's back through that tunnel in to do his stuff.
How you accomplish this may be problematic. i.e. You either cron or
have to get to TargetHost to tell it to initiate the connection to you
at HomeHost.
Having accomplished that reverse connection, you may be able to kill
your original connection to RelayHost, but I expect you'd have to be
careful to background or fork properly, or the dropping of the
connection from you to RelayHost may in turn drop the connection from
TargetHost to HomeHost. In Raul's case above, his Dad dropping the
connection would drop him - since he's travelling back through that
initial tunnel.
I do wonder, if RelayHost is flaky and intermittent ... why use it?
The other, easier way to do this would be to open a port on the
firewall redirecting some port, e.g. 8022, to port 22 on TargetHost,
bypassing RelayHost entirely.
That's not kosher 'officially', i.e. you directly expose another
machine to the big, bad world, but it is common practice. (Rather than
a DMZ, etc.)
You can minimize the exposure by using certificates and denying all
other forms of authentication.
Richard Weait wrote, On 03/13/2010 4:14 PM:
> On Sat, Mar 13, 2010 at 2:49 PM, Paul Nijjar <paul_nijjar at yahoo.ca> wrote:
>> I don't have the vocabulary to explain this question clearly, so
>> please bear with me (and tell me what vocabulary I should be using).
>>
>> Say I have three hosts:
>> - HomeHost, which is my main machine. I have root on this machine if
>> I need it.
>> - RelayHost, which has a slow, laggy connection. I have a regular
>> user account on this.
>> - TargetHost, which is the machine where I want to work. I have a
>> regular user account on this machine.
>>
>> My end goal is to make a connection from HomeHost -> TargetHost.
>> However, I only have permission (via SSH whitelisting or whatever) to
>> make a connection from RelayHost -> TargetHost.
>>
>> One possibility is to make an SSH connection from HomeHost ->
>> RelayHost, and then SSH from RelayHost -> TargetHost . But since
>> RelayHost is slow and laggy, my experience will be frustrating.
>>
>> Is there some SSH (or other) magic that I can use to make a direct
>> connection from HomeHost -> TargetHost without the packets needing to
>> go through RelayHost?
>>
>> I have a feeling this topic was covered during one of those bits of
>> Raul's presentation I did not understand very well, but I am not sure.
>
> The quick and dirty is to
>
> ssh pauln at RelayHost, then from there,
> ssh pauln at TargetHost
>
> The "right answer" sounds like a job for "-L" to me. IIRC,
>
> From HomeHost
> ssh -L 22:TargetHost:22 pauln at RelayHost
>
> -L 22:TargetHost:22 is resolved after the connection to RelayHost, and
> refers to incoming local port number: and :destination port number.
> You will need root on RelayHost to use privileged local port?
>
> This needs better examples than the following.
>
> http://www.ssh.com/support/documentation/online/ssh/winhelp/32/Local_And_Remote_Forwarding.html
>
> And please note the IIRC.
>
> _______________________________________________
> kwlug-disc_kwlug.org mailing list
> kwlug-disc_kwlug.org at kwlug.org
> http://astoria.ccjclearline.com/mailman/listinfo/kwlug-disc_kwlug.org
>
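Two pieces that follow from the thread above, as an added example that is not part of any of the posts: a HomeHost-side client config that reaches TargetHost through RelayHost without needing a privileged local port (ProxyJump, which did not exist in 2010 and is the modern form of the -L trick), and a small check for the "deny all other forms of authentication" advice, applied to a constructed sshd_config. Hostnames and the user name come from the thread; file paths, the function names and the sample config contents are constructed for the example.

```bash
#!/usr/bin/env bash
# Added example, not from the mailing-list thread.
set -eu

# 1. Client-side config for HomeHost. Written to a path the caller chooses,
#    not to ~/.ssh/config. Requires OpenSSH >= 7.3 for ProxyJump.
write_client_config() {  # $1 = output path
  cat >"$1" <<'EOF'
Host relay
    HostName RelayHost
    User pauln

# "ssh target": one SSH session to TargetHost, tunnelled through relay.
Host target
    HostName TargetHost
    User pauln
    ProxyJump relay
EOF
}
# The thread's -L form, on an unprivileged port so no root is needed on HomeHost:
#   ssh -L 2222:TargetHost:22 pauln@RelayHost   (leave running)
#   ssh -p 2222 pauln@localhost                 (second terminal on HomeHost)

# 2. sshd_config check for a host exposed via a firewall port-forward.
#    sshd uses the FIRST value it sees for a keyword, and keywords are
#    case-insensitive, so take the first match for each.
first_value() {  # $1 = file, $2 = keyword; prints the value, or "" if absent
  awk -v k="$2" 'tolower($1)==tolower(k) {print tolower($2); exit}' "$1"
}
sshd_key_only_ok() {  # $1 = sshd_config path; exit 0 if only pubkey auth is allowed
  local f=$1 pw kbd cr pk
  pw=$(first_value "$f" PasswordAuthentication)
  kbd=$(first_value "$f" KbdInteractiveAuthentication)
  cr=$(first_value "$f" ChallengeResponseAuthentication)
  pk=$(first_value "$f" PubkeyAuthentication)
  [ "$pw" = no ] || return 1                      # default is yes, so it must be explicit
  [ "$kbd" = no ] || [ "$cr" = no ] || return 1   # old and new name for the same knob
  [ "$pk" != no ]                                 # default is yes; must not be disabled
}
```

The check is a config-level sanity test only; it does not prove what the running daemon does.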