LinuxQuestions.org
Old 11-25-2004, 12:58 PM   #1
AzZuM
LQ Newbie
 
Registered: Nov 2004
Distribution: RedHat, Solaris
Posts: 3

Rep: Reputation: 0
SSH tunneling X


I want to add automation so that my users can tunnel into the company server:


localmachine ---> INTERNET ---> firewallmachine ---> internalmachine

The localmachine is any O/S that has X (like any Linux, Cygwin, etc.).
The firewallmachine is a Sun Solaris 9 machine with sshd running (no X).
The internalmachine is a Redhat machine that I want to run my xsession from; it does not have sshd, and that won't be enabled.

I've got it to work with three commands, but it's a little bit of a hassle for some of my users to understand. Any ideas how to shorten it or make it easier? Making the port number increment would probably be ideal.

The commands are:

startx > /dev/null &
ssh -R 6000:localmachine_ip:6000 user@firewallmachine

Then, when the user is logged in:

rsh internalmachine "set DISPLAY firewallmachine_ip:0.0; xterm&"

This gives me an xterm on localmachine from the internalmachine, and it is encrypted through ssh (port forwarding).
 
Old 11-25-2004, 06:34 PM   #2
peacebwitchu
Member
 
Registered: Apr 2004
Distribution: Debian
Posts: 185

Rep: Reputation: 30
This seems pretty crazy, but you actually allow users to log in to your firewall??? Then you use a plaintext method to access the Linux box from your firewall because you don't want to run an encrypted protocol??? Alright. You really need to either allow ssh to the Linux box but only allow certain IPs in by blocking with your firewall, or use a VPN solution.
You really need encryption from end to end. Take a look at OpenVPN. Sorry if I was harsh. By using rsh, if one box gets compromised then it is just a matter of sitting back and collecting passwords. So instead of having 1 compromised box you have many. This is not good; ask Debian.org.
 
Old 11-26-2004, 09:03 PM   #3
Demonbane
Guru
 
Registered: Aug 2003
Location: Sydney, Australia
Distribution: Gentoo
Posts: 1,796

Rep: Reputation: 47
Maybe using aliases/functions?
Though that's client side configuration.
 
Old 11-27-2004, 01:59 AM   #4
sigsegv
Senior Member
 
Registered: Nov 2004
Location: Third rock from the Sun
Distribution: NetBSD-2, FreeBSD-5.4, OpenBSD-3.[67], RHEL[34], OSX 10.4.1
Posts: 1,197

Rep: Reputation: 46
There are more elegant ways to do this, but this is decent and doesn't require much typing.

Port forward some port on the firewall machine to the internalmachine's sshd (2022 in this example). Then do this on the remote machine:

ssh -X -p 2022 user@firewalls.fqdn.

That should do it. The earlier poster was right too. You really shouldn't have people logging into the firewall, even if it is just to jump to another box.

And yes, I read the part about not wanting to enable SSH on the Redhat box. I'm ignoring it though until you present a good reason to use rsh over ssh ... rsh was great back when the 5.25 floppy had lots of storage and wheels were square, but there's little reason to use it now ...
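
A client-side shell function along the lines suggested in posts #3 and #4, added here as an illustration and not posted by anyone in the thread. It assumes the firewall forwards port 2022 to an sshd on the internal machine that has X11Forwarding enabled; `xtunnel`, `FW_HOST`, `FW_PORT`, `XTUNNEL_DRY_RUN` and `firewall.example.com` are made-up names.

```shell
#!/bin/sh
# Added example: wrapper for the forwarded-port setup described in post #4.
# FW_HOST is a placeholder; 2022 is the example port used in the thread.
FW_HOST="${FW_HOST:-firewall.example.com}"
FW_PORT="${FW_PORT:-2022}"

# xtunnel USER [COMMAND...]
# Runs COMMAND (default: xterm) on the internal machine with X11 forwarded
# back over ssh. With XTUNNEL_DRY_RUN=1 the command is printed, not run.
xtunnel() {
    user=${1:-}
    [ $# -gt 0 ] && shift
    # Reject empty names and anything ssh could read as an option or host part.
    case $user in
        ''|-*|*[!A-Za-z0-9._-]*)
            echo "xtunnel: invalid user name" >&2
            return 2 ;;
    esac
    # ssh -X needs a running local X server to forward to.
    if [ -z "${DISPLAY:-}" ]; then
        echo "xtunnel: DISPLAY is not set; start X first" >&2
        return 3
    fi
    [ $# -eq 0 ] && set -- xterm
    # -X                   X11 forwarding; the remote sshd allocates the display
    #                      number and sets DISPLAY for each session, so there
    #                      is no port to increment by hand
    # ForwardX11Trusted=no keep the remote clients restricted by the X SECURITY
    #                      extension (some distributions default this to yes)
    # ForwardAgent=no      do not expose the local ssh agent to the remote host
    set -- ssh -X -p "$FW_PORT" \
        -o ForwardX11Trusted=no -o ForwardAgent=no \
        "$user@$FW_HOST" "$@"
    if [ "${XTUNNEL_DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}
```

Users would source this from their shell startup file and run `xtunnel username`; nobody logs in to the firewall itself and no rsh hop is involved.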
 
  

