[kwlug-disc] Using SSH to authenticate

Raul Suarez rarsa at yahoo.com
Sun Mar 14 09:11:31 EDT 2010


That's right!

Thanks for the correction.

Raul Suarez

Technology consultant
Software, Hardware and Practices
_________________
http://rarsa.blogspot.com/ 
An eclectic collection of random thoughts


--- On Sun, 3/14/10, John Van Ostrand <john at netdirect.ca> wrote:

> From: John Van Ostrand <john at netdirect.ca>
> Subject: Re: [kwlug-disc] Using SSH to authenticate
> To: kwlug-disc at kwlug.org
> Received: Sunday, March 14, 2010, 8:42 AM
> Your step three needs a -R instead of a -L.
> 
> 
> 
> ----- Original Message -----
> From: kwlug-disc-bounces at kwlug.org
> <kwlug-disc-bounces at kwlug.org>
> To: KWLUG discussion <kwlug-disc at kwlug.org>
> Sent: Sat Mar 13 22:11:20 2010
> Subject: Re: [kwlug-disc] Using SSH to authenticate
> 
> Doing the reverse connection may be a good option to bypass
> any whitelisting. You need SSH in Home.
> 
> It's a bit cumbersome but you may be able to automate it later.
> 
> Here is the step by step
> 
> All this in the same console
> 1. Connect to relay
> ssh pauln at RelayHost
> 
> 2. Connect from relay connect to target
> ssh pauln at TargetHost
> 
> 3. Connect from target to Home opening a reverse ssh tunnel
> ssh -L50022:localhost:22 pauln at HomeHost
> 
> Open a different console in HomeHost
> 4. connect from HomeHost to target using the tunneled port
> ssh -p 50022 pauln at localhost
> 
> As I said I am sure that steps 1 to 3 can be done with a
> single command.
> 
> Raul Suarez
> 
> Technology consultant
> Software, Hardware and Practices
> _________________
> http://rarsa.blogspot.com/
> An eclectic collection of random thoughts
> 
> 
> --- On Sat, 3/13/10, unsolicited <unsolicited at swiz.ca> wrote:
> 
> > From: unsolicited <unsolicited at swiz.ca>
> > Subject: Re: [kwlug-disc] Using SSH to authenticate
> > To: "KWLUG discussion" <kwlug-disc at kwlug.org>
> > Received: Saturday, March 13, 2010, 5:00 PM
> > Following Richard's notes:
> >
> > The assumptions are you are ssh'ing in to work (say), so
> > RelayHost and TargetHost are on the same network, RelayHost
> > can get to / has permission to get to RelayHost, and
> > HomeHost is on some other network.
> >
> > Once you ssh to RelayHost as Richard shows, you then ssh
> > localhost, which will be TargetHost by then.
> >
> > You are doing all this because TargetHost is not directly
> > accessible from the world. Thus all traffic must pass
> > through RelayHost - it's the only thing publicly
> > accessible.
> >
> > The only other way you might do this is to have TargetHost
> > reverse ssh (?) you back. Which, actually, is what I think
> > Raul does - he has his Dad ssh him, then Raul ssh's back
> > through that tunnel in to do his stuff.
> >
> >     How you accomplish this may be
> > problematic. i.e. You either cron or have to get to
> > TargetHost to tell it to initiate the connection to you at
> > HomeHost.
> >
> >     Having accomplished that reverse
> > connection, you may be able to kill your original connection
> > to RelayHost, but I expect you'd have to be careful to
> > background or fork properly, or the dropping of the
> > connection from you to RelayHost may in turn drop the
> > connection from TargetHost to HomeHost. In Raul's case
> > above, his Dad dropping the connection would drop him -
> > since he's travelling back through that initial tunnel.
> >
> > I do wonder, if RelayHost is flaky and intermittent ... why
> > use it?
> >
> > The other, easier way to do this would be to open a port on
> > the firewall redirecting some port, e.g. 8022, to port 22 on
> > TargetHost, bypassing RelayHost entirely.
> >
> >     That's not kosher 'officially', i.e. you
> > directly expose another machine to the big, bad world, but
> > it is common practice. (Rather than a DMZ, etc.)
> >
> >     You can minimize the exposure by using
> > certificates and denying all other forms of authentication.
> >
> > Richard Weait wrote, On 03/13/2010 4:14 PM:
> > > On Sat, Mar 13, 2010 at 2:49 PM, Paul Nijjar <paul_nijjar at yahoo.ca> wrote:
> > >> I don't have the vocabulary to explain this question clearly, so
> > >> please bear with me (and tell me what vocabulary I should be using).
> > >>
> > >> Say I have three hosts:
> > >>  - HomeHost, which is my main machine. I have root on this machine if
> > >>    I need it.
> > >>  - RelayHost, which has a slow, laggy connection. I have a regular
> > >>    user account on this.
> > >>  - TargetHost, which is the machine where I want to work. I have a
> > >>    regular user account on this machine.
> > >>
> > >> My end goal is to make a connection from HomeHost -> TargetHost.
> > >> However, I only have permission (via SSH whitelisting or whatever) to
> > >> make a connection from RelayHost -> TargetHost.
> > >>
> > >> One possibility is to make an SSH connection from HomeHost ->
> > >> RelayHost, and then SSH from RelayHost -> TargetHost. But since
> > >> RelayHost is slow and laggy, my experience will be frustrating.
> > >>
> > >> Is there some SSH (or other) magic that I can use to make a direct
> > >> connection from HomeHost -> TargetHost without the packets needing to
> > >> go through RelayHost?
> > >>
> > >> I have a feeling this topic was covered during one of those bits of
> > >> Raul's presentation I did not understand very well, but I am not sure.
> > >
> > > The quick and dirty is to
> > >
> > > ssh pauln at RelayHost, then from there,
> > > ssh pauln at TargetHost
> > >
> > > The "right answer" sounds like a job for "-L" to me.  IIRC,
> > >
> > > From HomeHost
> > > ssh -L 22:TargetHost:22 pauln at RelayHost
> > >
> > > -L 22:TargetHost:22 is resolved after the connection to RelayHost, and
> > > refers to incoming local port number: and :destination port number.
> > > You will need root on RelayHost to use privileged local port?
> > >
> > > This needs better examples than the following.
> > >
> > > http://www.ssh.com/support/documentation/online/ssh/winhelp/32/Local_And_Remote_Forwarding.html
> > >
> > > And please note the IIRC.
> > >
> > > _______________________________________________
> > > kwlug-disc_kwlug.org mailing list
> > > kwlug-disc_kwlug.org at kwlug.org
> > > http://astoria.ccjclearline.com/mailman/listinfo/kwlug-disc_kwlug.org
> > >
> >
> >
> 
> 
> 
> 
> 
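The -L/-R distinction behind John's correction, as an added example that is not code from the thread: given which machine types the ssh command, it works out which host ends up listening and where a connection into the tunnel lands, using the thread's host names and port 50022.

```python
# Added example (not code from the thread): model OpenSSH -L / -R forward
# semantics to show why step 3 needs -R. Host names and ports are the thread's.
from dataclasses import dataclass


@dataclass(frozen=True)
class Forward:
    listen_host: str   # machine that opens the listening socket
    listen_port: int
    resolver: str      # machine that resolves and connects to the destination
    dest_host: str     # destination exactly as written in the spec
    dest_port: int

    def endpoint(self) -> str:
        """Where a connection into the tunnel actually lands."""
        # "localhost" in a forward spec means the resolver, not the typist.
        host = self.resolver if self.dest_host in ("localhost", "127.0.0.1") else self.dest_host
        return f"{host}:{self.dest_port}"


def describe_forward(flag: str, spec: str, client: str, server: str) -> Forward:
    """Resolve `ssh <flag> <spec> user@server` typed on `client`.

    spec is [bind_address:]port:host:hostport; an optional bind_address is
    accepted and dropped, since the thread relies on the loopback default.
    """
    parts = spec.split(":")
    if len(parts) == 4:
        parts = parts[1:]
    if len(parts) != 3:
        raise ValueError(f"bad forward spec: {spec!r}")
    port, host, hostport = int(parts[0]), parts[1], int(parts[2])
    if flag == "-L":   # local forward: client listens, server connects onward
        return Forward(client, port, server, host, hostport)
    if flag == "-R":   # remote forward: server listens, client connects onward
        return Forward(server, port, client, host, hostport)
    raise ValueError(f"unknown forward flag: {flag!r}")


def usable_from(fwd: Forward, host: str) -> bool:
    """Can `ssh -p <listen_port> localhost` typed on `host` enter this tunnel?"""
    return fwd.listen_host == host


if __name__ == "__main__":
    # Step 3 as posted (-L) versus as corrected (-R), both typed on TargetHost.
    for flag in ("-L", "-R"):
        fwd = describe_forward(flag, "50022:localhost:22", "TargetHost", "HomeHost")
        print(f"{flag}: {fwd.listen_host}:{fwd.listen_port} -> {fwd.endpoint()}; "
              f"step 4 works on HomeHost: {usable_from(fwd, 'HomeHost')}")
```

Run it and the -L form of step 3 comes out listening on TargetHost and landing on HomeHost:22, so step 4 on HomeHost has nothing to connect to, while the -R form listens on HomeHost:50022 and lands on TargetHost:22. The same model shows that the listening port of a -L forward, privileged or not, is opened on the client side.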





