[Gllug] [OT] SSH or VPN?

Chris Jones cmsj at tenshu.net
Wed Sep 26 21:38:29 UTC 2007


Hi

Tom Weissmann wrote:
> Sure, but what they'll want is an easy way to a) automate it, and b) 

Shell scripts are the best way to automate, but I'm not sure you'll
really need to automate anything; see below.

> make absolutely sure all we can do is forward that port.

OpenSSH to the rescue (providing you trust it to listen on the Internet).
You disable passwords in the ssh server (let's call it "sshjumpbox")
config, require keys instead, password-protect the keys, and finally,
use authorized_keys options to precisely limit what that key is allowed
to be used for.

I think an example is called for :)

On the ssh server, create $HOME/.ssh/authorized_keys for the appropriate
user you will be sshing in as. Put in something like this:

command="/bin/false",no-pty,no-agent-forwarding,no-x11-forwarding,from="YOUR_IP",permitopen="remotehost1:3389",permitopen="remotehost2:3389" ssh-rsa AAAAB3NzaC1y....[snip rsa key]....LSqS6eVpw== cmsj at waishou

The ssh-rsa......cmsj at waishou bit is the public part of your ssh key.
YOUR_IP is the IP address you will be connecting from.
It should also all be on one line, but email probably broke that.

To connect to this, you would run:

ssh -N -L3389:remotehost1:3389 sshjumpbox

(-N means don't execute a command, since any command executed will
actually run /bin/false and cut the connection)

You now have the RDP service on remotehost1 forwarded via sshjumpbox to
your local machine. Point your RDP viewer at localhost and bam, you're in.

Only your IP can do anything with the key, and only people who know the
password can use the key. The key cannot allocate a pty or execute any
commands other than /bin/false which returns immediately and severs the
connection. It cannot use any other forwarding than TCP ports and can
only use them to talk to two designated machines/ports. I don't think
there's really anything left in the connection to disable at that point ;)

FWIW, I would also go through the sshd and sshd_config man pages with a
fine tooth comb and see what else I could get away with locking down.
Things like PermitUserEnvironment and AllowGroups.
Obviously firewalling the ssh server to YOURIP is a good idea too, to
prevent lots of pointless attack attempts from the Internet.

Cheers,
-- 
Chris Jones
  cmsj at tenshu.net
   www.tenshu.net
-- 
Gllug mailing list  -  Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug
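The authorized_keys line and the sshd_config lockdown described in the message above, as an added shell example that is not part of the original post and is not OpenSSH project code. It builds the one-line key entry from a source IP, a public key and a list of host:port targets (in the 2007 option style of the post, and in the `restrict` style available since OpenSSH 7.2), and audits an sshd_config for the settings the post names (passwords off, PermitUserEnvironment, AllowGroups). The IP 203.0.113.7, the hostnames remotehost1/remotehost2, the group rdpjump, the placeholder key and both sample configs are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post or any OpenSSH code).
#   build_key_line / build_key_line_restrict  emit the one-line authorized_keys entry
#   cfg_value / audit_sshd_config             check an sshd_config for the lockdowns
# All hosts, IPs, group names and config contents below are constructed sample data.

# permitopen_opts TARGET...  ->  ,permitopen="host:port" for each target
permitopen_opts() {
    po_out=""
    for po_t in "$@"; do
        po_out="$po_out,permitopen=\"$po_t\""
    done
    printf '%s' "$po_out"
}

# build_key_line SRC_IP "PUBKEY" TARGET...
# Same option set as the post: forced /bin/false, no pty/agent/X11,
# source-IP pinned, TCP forwarding allowed only to the listed host:port pairs.
build_key_line() {
    bk_ip=$1; bk_key=$2; shift 2
    printf 'command="/bin/false",no-pty,no-agent-forwarding,no-x11-forwarding,from="%s"%s %s\n' \
        "$bk_ip" "$(permitopen_opts "$@")" "$bk_key"
}

# Same intent with the 'restrict' keyword (OpenSSH 7.2 and later). 'restrict'
# turns on every restriction, including ones added in future releases, so
# port-forwarding has to be re-enabled explicitly. The forced command stays:
# 'restrict' blocks pty allocation but not a plain (non-pty) session running a shell.
build_key_line_restrict() {
    bk_ip=$1; bk_key=$2; shift 2
    printf 'restrict,port-forwarding,command="/bin/false",from="%s"%s %s\n' \
        "$bk_ip" "$(permitopen_opts "$@")" "$bk_key"
}

# cfg_value FILE KEYWORD -> effective value of KEYWORD in the global section.
# Follows sshd's own rules: keywords are case-insensitive, '#' starts a comment,
# "Keyword=value" is accepted, the FIRST occurrence wins, and everything after
# the first Match line is conditional (review those blocks by hand; not done here).
cfg_value() {
    awk -v key="$2" '
        { sub(/#.*/, "") }
        $1 ~ /=/ { sub(/=/, " ") }
        tolower($1) == "match" { exit }
        NF >= 2 && tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# audit_sshd_config FILE -> 0 when every expected lockdown is present, 1 otherwise
audit_sshd_config() {
    ac_file=$1; ac_bad=0
    if [ "$(cfg_value "$ac_file" PasswordAuthentication)" != "no" ]; then
        echo "PasswordAuthentication must be 'no' (the default is yes)"; ac_bad=1
    fi
    # Passwords can also arrive via keyboard-interactive (e.g. through PAM); the
    # keyword was renamed KbdInteractiveAuthentication in OpenSSH 8.7, accept either.
    if [ "$(cfg_value "$ac_file" ChallengeResponseAuthentication)" != "no" ] &&
       [ "$(cfg_value "$ac_file" KbdInteractiveAuthentication)" != "no" ]; then
        echo "ChallengeResponseAuthentication/KbdInteractiveAuthentication must be 'no'"; ac_bad=1
    fi
    ac_env=$(cfg_value "$ac_file" PermitUserEnvironment)
    if [ -n "$ac_env" ] && [ "$ac_env" != "no" ]; then   # unset means the safe default
        echo "PermitUserEnvironment must be 'no' (it is '$ac_env')"; ac_bad=1
    fi
    if [ -z "$(cfg_value "$ac_file" AllowGroups)" ]; then
        echo "AllowGroups is unset: every local account may try to log in"; ac_bad=1
    fi
    return $ac_bad
}

# Constructed sample configs (not copied from any real host).
sample_weak_config() {
    cat <<'EOF'
# stock-looking sshd_config: nothing restricted
Port 22
#PasswordAuthentication yes
ChallengeResponseAuthentication yes
X11Forwarding yes
EOF
}

sample_hardened_config() {
    cat <<'EOF'
# sshjumpbox: keys only, one admin group, no user environment
Port 22
PasswordAuthentication no
ChallengeResponseAuthentication=no
PermitUserEnvironment no
AllowGroups rdpjump
X11Forwarding no
Match Group rdpjump
    PermitOpen remotehost1:3389 remotehost2:3389
EOF
}

# Stand-alone demo: print both key-line styles, then audit the two sample configs.
DEMO_KEY='ssh-rsa AAAAB3NzaC1yc2EEXAMPLEKEY cmsj@waishou'   # placeholder, not a real key
build_key_line 203.0.113.7 "$DEMO_KEY" remotehost1:3389 remotehost2:3389
build_key_line_restrict 203.0.113.7 "$DEMO_KEY" remotehost1:3389 remotehost2:3389
demo_dir=$(mktemp -d)
sample_weak_config     > "$demo_dir/weak"
sample_hardened_config > "$demo_dir/hardened"
for demo_cfg in weak hardened; do
    if audit_sshd_config "$demo_dir/$demo_cfg"; then
        echo "$demo_cfg: passes the audit"
    else
        echo "$demo_cfg: needs work"
    fi
done
rm -rf "$demo_dir"
```

Run it with `sh jumpbox.sh` and paste the printed line into the jump user's authorized_keys. The server-side `PermitOpen` inside the `Match Group` block is a second, independent fence: even if someone later edits the per-key options, sshd itself still refuses forwarding to anything but the two RDP hosts for that group.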