[kwlug-disc] Using SSH to authenticate

Raul Suarez rarsa at yahoo.com
Sat Mar 13 22:11:20 EST 2010


Doing the reverse connection may be a good option to bypass any white listing. You need SSH in Home.

It's a bit cumbersome but you may be able to automate it later

Here is the step by step

All this in the same console
1. Connect to relay
ssh pauln at RelayHost

2. Connect from relay connect to target
ssh pauln at TargetHost

3. Connect from target to Home opening a reverse ssh tunnel
ssh -L50022:localhost:22 pauln at HomeHost

Open a different console in HomeHost
4. connect from HomeHost to target using the tunneled port
ssh -p 50022 pauln at localhost

As I said I am sure that steps 1 to 3 can be done with a single command.

Raul Suarez

Technology consultant
Software, Hardware and Practices
_________________
http://rarsa.blogspot.com/ 
An eclectic collection of random thoughts


--- On Sat, 3/13/10, unsolicited <unsolicited at swiz.ca> wrote:

> From: unsolicited <unsolicited at swiz.ca>
> Subject: Re: [kwlug-disc] Using SSH to authenticate
> To: "KWLUG discussion" <kwlug-disc at kwlug.org>
> Received: Saturday, March 13, 2010, 5:00 PM
> Following Richard's notes:
> 
> The assumptions are you are ssh'ing in to work (say), so
> RelayHost and TargetHost are on the same network, RelayHost
> can get to / has permission to get to RelayHost, and
> HomeHost is on some other network.
> 
> Once you ssh to RelayHost as Richard shows, you then ssh
> localhost, which will be TargetHost by then.
> 
> You are doing all this because TargetHost is not directly
> accessible from the world. Thus all traffic must pass
> through RelayHost - it's the only thing publicly
> accessible.
> 
> The only other way you might do this is to have TargetHost
> reverse ssh (?) you back. Which, actually, is what I think
> Raul does - he has his Dad ssh him, then Raul ssh's back
> through that tunnel in to do his stuff.
> 
>     How you accomplish this may be
> problematic. i.e. You either cron or have to get to
> TargetHost to tell it to initiate the connection to you at
> HomeHost.
> 
>     Having accomplished that reverse
> connection, you may be able to kill your original connection
> to RelayHost, but I expect you'd have to be careful to
> background or fork properly, or the dropping of the
> connection from you to RelayHost may in turn drop the
> connection from TargetHost to HomeHost. In Raul's case
> above, his Dad dropping the connection would drop him -
> since he's travelling back through that initial tunnel.
> 
> I do wonder, if RelayHost is flaky and intermittent ... why
> use it?
> 
> The other, easier way to do this would be to open a port on
> the firewall redirecting some port, e.g. 8022, to port 22 on
> TargetHost, bypassing RelayHost entirely.
> 
>     That's not kosher 'officially', i.e. you
> directly expose another machine to the big, bad world, but
> it is common practice. (Rather than a DMZ, etc.)
> 
>     You can minimize the exposure by using
> certificates and denying all other forms of authentication.
> 
> Richard Weait wrote, On 03/13/2010 4:14 PM:
> > On Sat, Mar 13, 2010 at 2:49 PM, Paul Nijjar <paul_nijjar at yahoo.ca>
> wrote:
> >> I don't have the vocabulary to explain this
> question clearly, so
> >> please bear with me (and tell me what vocabulary I
> should be using).
> >> 
> >> Say I have three hosts:
> >>  - HomeHost, which is my main machine. I have
> root on this machine if
> >>    I need it.
> >>  - RelayHost, which has a slow, laggy
> connection. I have a regular
> >>    user account on this.
> >>  - TargetHost, which is the machine where I
> want to work. I have a
> >>    regular user account on this
> machine.
> >> 
> >> My end goal is to make a connection from HomeHost
> -> TargetHost.
> >> However, I only have permission (via SSH
> whitelisting or whatever) to
> >> make a connection from RelayHost ->
> TargetHost.
> >> 
> >> One possibility is to make an SSH connection from
> HomeHost ->
> >> RelayHost, and then SSH from RelayHost ->
> TargetHost . But since
> >> RelayHost is slow and laggy, my experience will be
> frustrating.
> >> 
> >> Is there some SSH (or other) magic that I can use
> to make a direct
> >> connection from HomeHost -> TargetHost without
> the packets needing to
> >> go through RelayHost?
> >> 
> >> I have a feeling this topic was covered during one
> of those bits of
> >> Raul's presentation I did not understand very
> well, but I am not sure.
> > 
> > The quick and dirty is to
> > 
> > ssh pauln at RelayHost, then from there,
> > ssh pauln at TargetHost
> > 
> > The "right answer" sounds like a job for "-L" to
> me.  IIRC,
> > 
> >> From HomeHost
> > ssh -L 22:TargetHost:22 pauln at RelayHost
> > 
> > -L 22:TargetHost:22 is resolved after the connection
> to RelayHost, and
> > refers to incoming local port number: and :destination
> port number.
> > You will need root on RelayHost to use privileged
> local port?
> > 
> > This needs better examples than the following.
> > 
> > http://www.ssh.com/support/documentation/online/ssh/winhelp/32/Local_And_Remote_Forwarding.html
> > 
> > And please note the IIRC.
> > 
> > _______________________________________________
> > kwlug-disc_kwlug.org mailing list
> > kwlug-disc_kwlug.org at kwlug.org
> > http://astoria.ccjclearline.com/mailman/listinfo/kwlug-disc_kwlug.org
> > 
> 
> _______________________________________________
> kwlug-disc_kwlug.org mailing list
> kwlug-disc_kwlug.org at kwlug.org
> http://astoria.ccjclearline.com/mailman/listinfo/kwlug-disc_kwlug.org
> 


      __________________________________________________________________
Make your browsing faster, safer, and easier with the new Internet Explorer® 8. Optimized for Yahoo! Get it Now for Free! at http://downloads.yahoo.com/ca/internetexplorer/



More information about the kwlug-disc_kwlug.org mailing list