LinuxQuestions.org (/questions/)
-   Linux - Server (http://www.linuxquestions.org/questions/linux-server-73/)
-   -   I need a reverse proxy solution for SSH (http://www.linuxquestions.org/questions/linux-server-73/i-need-a-reverse-proxy-solution-for-ssh-858688/)

jamesbon 01-25-2011 11:39 PM

I need a reverse proxy solution for SSH
 
Hi, here is the situation. I have a server in a corporate data center for a project. I have SSH access to this machine at port 22. There are some virtual machines running on this server and then, behind everything, many other operating systems are working. Now, since I am behind the data center's firewall, my supervisor asked me if I can do something by which I can give many people on the Internet access to these virtual machines directly. I know if I were allowed to get traffic on a port other than 22 then I could do port forwarding. But since I am not allowed this, what can be a solution in this case? The people who would like to connect might be complete idiots, who may be happy just by opening PuTTY on their machines or maybe even FileZilla. I have configured an Apache reverse proxy for redirecting the Internet traffic to the virtual machines on these hosts. But I am not clear as to what I can do for SSH. So is there something equivalent to an Apache reverse proxy which can do similar work for SSH in this situation?

I do not have the firewall in my hands or any port other than 22 open, and in fact even if I request it they won't allow one to be opened. 2 times SSH is not something that my supervisor wants.

acid_kewpie 01-26-2011 04:03 AM

Well, in terms of terminology, it's not a reverse proxy you want here; you just want to do some SSH tunnelling, which you can configure as a PuTTY profile to distribute if you wish. Have a look online for some tunnelling walkthroughs for PuTTY, but the ssh command line equivalent would be:

ssh user@linuxserver.example.com -L 2201:192.168.100.1:22 -L 2202:192.168.100.2:22

so once logged in, if the user opens a second ssh session to port 2201 on their loopback address, they will go via the current ssh tunnel and hit port 22 on 192.168.100.1. Obviously these ports are totally arbitrary and you can do RDP, HTTP or any other TCP protocol through it.

EricTRA 01-26-2011 05:15 AM

Hi,

I have something similar set up at the company where I work. I needed a way to connect at any time from home to the servers on their network but the VPN is only for their own employees. So with the 'go-ahead' of my supervisor I installed autossh on one of the servers I administer and run it as a service to connect constantly to my public IP at home as reverse SSH. This is my config in /etc/init.d/autosshd_eric
Code:

#!/bin/sh
# chkconfig: 2345 90 10
# description: autosshd
# -f: go to the background; -M 20000: autossh monitoring port; -N: run no remote command
# -R 6262:localhost:22: expose this host's sshd on port 6262 of the home machine
/usr/local/bin/autossh -f -M 20000 -N \
-R 6262:localhost:22 \
eric@mypublicIP -p 22

At home when I need to connect to work using that tunnel I just type:
Code:

ssh usernameatwork@localhost -p 6262
and voila.

I have it set up with key authentication over password, so it's more secure.

The advantage of autossh over regular ssh is that SSH tunnels close after some time and you'll need someone on the inside to restart it. Autossh does that automatically for you. I can go days without using the tunnel and when I need it, it's still there.

Some things to take into account:
If your IP at home is dynamic it might change. You can use something like DynDNS to overcome that.
If your computer at home gets an IP from the router through DHCP that might change too so you'll have to change your router's config to point to the correct IP or set up fixed on your home computer.

Another advantage is that you can 'create' a startup script for every user with their IP and never have to look at it again if set up correctly.

Kind regards,

Eric

camh 01-27-2011 01:57 AM

Quote:

Originally Posted by EricTRA (Post 4238036)
I have it set up with key authentication over password, so it's more secure.

Just felt I should point out that using a key instead of a password isn't any more secure. If you wanted to be more secure, you'd use a key and a password.

EricTRA 01-27-2011 11:21 AM

Quote:

Originally Posted by camh (Post 4239161)
Just felt I should point out that using a key instead of a password isn't any more secure. If you wanted to be more secure, you'd use a key and a password.

Hello,

Of course, the more 'options' you use to authenticate, the more secure it will be. You could also include a certificate on a USB key in combination with some udev rules. But in my opinion that'll only complicate everyday usage. In my opinion a key of 2048 bits is a lot more security than a password. Of course it all depends on the level of security you want/need.

Kind regards,

Eric

jamesbon 01-28-2011 01:33 PM

Quote:

Originally Posted by EricTRA (Post 4238036)
Hi,

I have something similar set up at the company where I work. I needed a way to connect at any time from home to the servers on their network but the VPN is only for their own employees. So with the 'go-ahead' of my supervisor I installed autossh on one of the servers I administer and run it as a service to connect constantly to my public IP at home as reverse SSH. This is my config in /etc/init.d/autosshd_eric
Code:

# chkconfig: 2345 90 10
# description: autosshd
/usr/local/bin/autossh -f -M 20000 -N \
-R 6262:localhost:22 \
eric@mypublicIP -p 22


Eric, thanks for this tip. It is a good one, and in my case it will not work: I can handle this, but the users whom I might have to give access to will not be willing to do so. But anyhow, your tip goes to my bookmarks.

Hi acid_kewpie, thanks for this solution, but I could not understand it fully.

Quote:

Originally Posted by acid_kewpie (Post 4238001)
ssh user@linuxserver.example.com -L 2201:192.168.100.1:22 -L 2202:192.168.100.2:22

You used two IP addresses with -L. I am not clear on why 2 and how it will work.
If I do the above, then which IP will I be logged in to first? Is it 192.168.100.1 or 192.168.100.2, and what will happen?

Quote:

Originally Posted by acid_kewpie (Post 4238001)
so once logged in, if the user opens a second ssh session to port 2201 on their loopback address, they will go via the current ssh tunnel and hit port 22 on 192.168.100.1. Obviously these ports are totally arbitrary and you can do RDP, HTTP or any other TCP protocol through it.

What is the purpose of -L 2202:192.168.100.2:22 above?

I have read the man page of ssh also:

Quote:

-L [bind_address:]port:host:hostport
Specifies that the given port on the local (client) host is to be forwarded to the given host and port on the remote side. This works by allocating a socket to listen to port on the local side, optionally bound to the specified bind_address. Whenever a connection is made to this port, the connection is forwarded over the secure channel, and a connection is made to host port hostport from the remote machine. Port forwardings can also be specified in the configuration file. IPv6 addresses can be specified with an alternative syntax: [bind_address/]port/host/hostport or by enclosing the address in square brackets. Only the superuser can forward privileged ports. By default, the local port is bound in accordance with the GatewayPorts setting.However, an explicit bind_address may be used to bind the connection to a specific address. The bind_address of “localhost” indicates that the listening port be bound for local use only, while an empty address or ‘*’ indicates that the port should be available from all
interfaces.
What I do not understand is
Quote:

[bind_address:]port:host:hostport
What format is this?
What is bind_address here?
Also, do I need to make SSH listen on some other port? As you logged in above on 2201, should SSH on the server listen on 2201?

Also, I want to share one more link which I came across:
http://serverfault.com/questions/226.../227268#227268
so that some LQ member may help me understand what the person at the above link is saying about using squid with Apache and an SSH tunnel.

acid_kewpie 01-28-2011 02:17 PM

The bind_address is used to specify a specific IP on the local machine to bind to. Personally I never tend to use it.

Which 2 IP addresses? You can use as many -L's as you like, and it's just a simple case that the leading port number on the local machine connects you to the IP and port after it. Really easy concept.
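As an added example (not code from the thread), here is a small Python parser for the `[bind_address:]port:host:hostport` spec from the man page quoted above, covering acid_kewpie's two `-L` arguments and Eric's `-R 6262:localhost:22` in one place. It also flags forwards whose bind_address is empty or `*`, which the man page says makes the listening port reachable from all interfaces rather than loopback only; the names `parse_forward`, `describe` and `exposed` are mine, not ssh's.

```python
# Added example (not the thread's code): parser for ssh(1)'s "[bind_address:]port:host:hostport".
from dataclasses import dataclass

@dataclass
class Forward:
    direction: str              # "L": listen on the client; "R": listen on the server
    bind_address: "str | None"  # None: omitted, so the GatewayPorts setting decides
    port: int                   # port the listening side opens
    host: str                   # where the other side connects when something arrives
    hostport: int

    def listens_on_all_interfaces(self) -> bool:
        # ssh(1): "" or "*" binds every interface; "localhost" is loopback only
        return self.bind_address in ("", "*")

def _split(spec: str, sep: str) -> list:
    """Split on sep, but never inside [...] (bracketed IPv6 literals)."""
    parts, buf, depth = [], "", 0
    for ch in spec:
        depth += (ch == "[") - (ch == "]")
        if ch == sep and depth == 0:
            parts.append(buf); buf = ""
        else:
            buf += ch
    return parts + [buf]

def _addr(t: str) -> str: return t[1:-1] if t[:1] == "[" and t[-1:] == "]" else t

def parse_forward(spec: str, direction: str = "L") -> Forward:
    """Accepts the ':' form and the '/'-separated alternative from the man page."""
    parts = _split(spec, "/" if "/" in spec else ":")
    if len(parts) == 3:
        parts = [None] + parts            # bind_address left out
    if len(parts) != 4:
        raise ValueError(f"bad forwarding spec: {spec!r}")
    bind, port, host, hostport = parts
    f = Forward(direction, None if bind is None else _addr(bind), int(port), _addr(host), int(hostport))
    if not all(1 <= p <= 65535 for p in (f.port, f.hostport)):
        raise ValueError(f"port out of range in {spec!r}")
    return f

def describe(f: Forward) -> str:
    listener, dialer = ("client", "server") if f.direction == "L" else ("server", "client")
    where = "<GatewayPorts default>" if f.bind_address is None else (f.bind_address or "*")
    return (f"-{f.direction}: the {listener} listens on {where}:{f.port}; each connection "
            f"rides inside the SSH session and is opened by the {dialer} to {f.host}:{f.hostport}")

def exposed(specs: list, direction: str = "L") -> list:
    # listening ports that other machines could reach, not just loopback
    return [f.port for f in (parse_forward(s, direction) for s in specs)
            if f.listens_on_all_interfaces()]
```

Feeding it `2201:192.168.100.1:22` and `2202:192.168.100.2:22` shows the two lines are independent listeners on the client, each bound for one VM; nothing on the server needs to listen on 2201 or 2202.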

jamesbon 01-29-2011 01:34 AM

Hi acid_kewpie, I am still not able to understand it. It might be easy for you but I am not getting it.

acid_kewpie 01-29-2011 03:41 AM

Well, there are plenty of docs out there describing the concept. It's a weird idea, sure, but very simple in reality. http://wiki.metawerx.net/wiki/SSHTunnel
