[kwlug-disc] Using SSH to authenticate
John Van Ostrand
john at netdirect.ca
Sun Mar 14 08:42:36 EDT 2010
Your step three needs a -R instead of a -L.
----- Original Message -----
From: kwlug-disc-bounces at kwlug.org <kwlug-disc-bounces at kwlug.org>
To: KWLUG discussion <kwlug-disc at kwlug.org>
Sent: Sat Mar 13 22:11:20 2010
Subject: Re: [kwlug-disc] Using SSH to authenticate
Doing the reverse connection may be a good option to bypass any white
listing. You need SSH in Home.
It's a bit cumbersome but you may be able to automate it later
Here is the step by step
All this in the same console
1. Connect to relay
ssh pauln at RelayHost
2. Connect from relay connect to target
ssh pauln at TargetHost
3. Connect from target to Home opening a reverse ssh tunnel
ssh -L50022:localhost:22 pauln at HomeHost
Open a different console in HomeHost
4. connect from HomeHost to target using the tunneled port
ssh -p 50022 pauln at localhost
As I said I am sure that steps 1 to 3 can be done with a single command.
Raul Suarez
Technology consultant
Software, Hardware and Practices
_________________
http://rarsa.blogspot.com/
An eclectic collection of random thoughts
--- On Sat, 3/13/10, unsolicited <unsolicited at swiz.ca> wrote:
> From: unsolicited <unsolicited at swiz.ca>
> Subject: Re: [kwlug-disc] Using SSH to authenticate
> To: "KWLUG discussion" <kwlug-disc at kwlug.org>
> Received: Saturday, March 13, 2010, 5:00 PM
> Following Richard's notes:
>
> The assumptions are you are ssh'ing in to work (say), so
> RelayHost and TargetHost are on the same network, RelayHost
> can get to / has permission to get to RelayHost, and
> HomeHost is on some other network.
>
> Once you ssh to RelayHost as Richard shows, you then ssh
> localhost, which will be TargetHost by then.
>
> You are doing all this because TargetHost is not directly
> accessible from the world. Thus all traffic must pass
> through RelayHost - it's the only thing publicly
> accessible.
>
> The only other way you might do this is to have TargetHost
> reverse ssh (?) you back. Which, actually, is what I think
> Raul does - he has his Dad ssh him, then Raul ssh's back
> through that tunnel in to do his stuff.
>
> How you accomplish this may be
> problematic. i.e. You either cron or have to get to
> TargetHost to tell it to initiate the connection to you at
> HomeHost.
>
> Having accomplished that reverse
> connection, you may be able to kill your original connection
> to RelayHost, but I expect you'd have to be careful to
> background or fork properly, or the dropping of the
> connection from you to RelayHost may in turn drop the
> connection from TargetHost to HomeHost. In Raul's case
> above, his Dad dropping the connection would drop him -
> since he's travelling back through that initial tunnel.
>
> I do wonder, if RelayHost is flaky and intermittent ... why
> use it?
>
> The other, easier way to do this would be to open a port on
> the firewall redirecting some port, e.g. 8022, to port 22 on
> TargetHost, bypassing RelayHost entirely.
>
> That's not kosher 'officially', i.e. you
> directly expose another machine to the big, bad world, but
> it is common practice. (Rather than a DMZ, etc.)
>
> You can minimize the exposure by using
> certificates and denying all other forms of authentication.
>
> Richard Weait wrote, On 03/13/2010 4:14 PM:
> > On Sat, Mar 13, 2010 at 2:49 PM, Paul Nijjar <paul_nijjar at yahoo.ca>
> wrote:
> >> I don't have the vocabulary to explain this
> question clearly, so
> >> please bear with me (and tell me what vocabulary I
> should be using).
> >>
> >> Say I have three hosts:
> >> - HomeHost, which is my main machine. I have
> root on this machine if
> >> I need it.
> >> - RelayHost, which has a slow, laggy
> connection. I have a regular
> >> user account on this.
> >> - TargetHost, which is the machine where I
> want to work. I have a
> >> regular user account on this
> machine.
> >>
> >> My end goal is to make a connection from HomeHost
> -> TargetHost.
> >> However, I only have permission (via SSH
> whitelisting or whatever) to
> >> make a connection from RelayHost ->
> TargetHost.
> >>
> >> One possibility is to make an SSH connection from
> HomeHost ->
> >> RelayHost, and then SSH from RelayHost ->
> TargetHost . But since
> >> RelayHost is slow and laggy, my experience will be
> frustrating.
> >>
> >> Is there some SSH (or other) magic that I can use
> to make a direct
> >> connection from HomeHost -> TargetHost without
> the packets needing to
> >> go through RelayHost?
> >>
> >> I have a feeling this topic was covered during one
> of those bits of
> >> Raul's presentation I did not understand very
> well, but I am not sure.
> >
> > The quick and dirty is to
> >
> > ssh pauln at RelayHost, then from there,
> > ssh pauln at TargetHost
> >
> > The "right answer" sounds like a job for "-L" to
> me. IIRC,
> >
> >> From HomeHost
> > ssh -L 22:TargetHost:22 pauln at RelayHost
> >
> > -L 22:TargetHost:22 is resolved after the connection
> to RelayHost, and
> > refers to incoming local port number: and :destination
> port number.
> > You will need root on RelayHost to use privileged
> local port?
> >
> > This needs better examples than the following.
> >
> > http://www.ssh.com/support/documentation/online/ssh/winhelp/32/Local_And_Remote_Forwarding.html
> >
> > And please note the IIRC.
> >
> > _______________________________________________
> > kwlug-disc_kwlug.org mailing list
> > kwlug-disc_kwlug.org at kwlug.org
> > http://astoria.ccjclearline.com/mailman/listinfo/kwlug-disc_kwlug.org
> >
>
> _______________________________________________
> kwlug-disc_kwlug.org mailing list
> kwlug-disc_kwlug.org at kwlug.org
> http://astoria.ccjclearline.com/mailman/listinfo/kwlug-disc_kwlug.org
>
__________________________________________________________________
Make your browsing faster, safer, and easier with the new Internet Explorer®
8. Optimized for Yahoo! Get it Now for Free! at
http://downloads.yahoo.com/ca/internetexplorer/
_______________________________________________
kwlug-disc_kwlug.org mailing list
kwlug-disc_kwlug.org at kwlug.org
http://astoria.ccjclearline.com/mailman/listinfo/kwlug-disc_kwlug.org
More information about the kwlug-disc
mailing list