[Novalug] how to ssh into a computer

Alex Smith (K4RNT) shadowhunter@gmail.com
Fri Nov 1 12:47:39 EDT 2013


You could always make a host a "bastion", kinda like a reverse proxy:


Forward port 22 to a Linux, or other host that runs OpenSSH. After that,
you could SSH into that host, then SSH further in to your network.

Does that make sense?

Hope this helps...


On Fri, Nov 1, 2013 at 11:15 AM, shawn wilson <ag4ve.us@gmail.com> wrote:

> Nope, what I'm suggesting is setting an ssh port forward from the
> router to one computer. That computer can access your other computers,
> right? (Don't care about that statement until you start putting
> from=<ip> in your authorized_keys file to limit access and start
> banging your head as to why you see an ssh service but can't get in)
> Ok, so what you do is, on your end node (the box you're physically
> typing on), you have an ssh config like this:
>
> Host me*
>   HostName 1.2.3.4
>
> Host me-fwd
>   # CompA
>   LocalForward 19205 192.168.0.5:22
>   # CompB
>   LocalForward 19242 192.168.0.42:22
>   # etc
>
> Host comp-a
>   Port 19205
>
> Host comp-b
>   Port 19242
>
> Host *
>   HostName 127.0.0.1
>
> A few notes - 1.2.3.4 is some abstract public ip. The LocalForward
> ports are totally abstract, but I'd suggest you make some schema for
> these that is based on the IP address space as when you have a bunch
> of these, it gets complicated. Also, comment your forwards. I used 22
> as the host's port just because that's IANA standard and not because
> that's what I actually do. How this would work is, you initiate the
> forward with:
> ssh -N -f me-fwd
> And then you'd ssh into comp-b with
> ssh comp-b
>
> This is limited to TCP traffic - so you can't send regular dns
> requests by doing this (UDP) but it's a pretty robust way of doing
> things. You can also specify different usernames and the likes per
> host. Every option except IdentityFile is first come first serve - as
> ssh goes down the file, if an option is stated twice, the first one
> will be used so (for instance) I could've put: HostName 5.6.7.8 under
> me-fwd and it wouldn't have mattered. I suggest defining sane (read:
> secure) options under a Host * stanza, but that wasn't what the
> question was about.
>
>
> On Thu, Oct 31, 2013 at 4:44 PM, Mark Smith <mark@winksmith.com> wrote:
> > i think you're suggesting having an ssh connection from his home network
> > out to where he is (office or whatever) with a LocalForward.  this is
> > the definition of a "call-home" script.  keep in mind, that it may be
> > violating a security policy somewhere.
> >
> > that aside, if the link goes down, the connection goes down (obviously),
> > but with no one to restart it, it stays down.  alternatively, a 3 line
> > script can invoke ssh with forwarding, sleep 60s when the ssh exits,
> > and then restart.  so, if the link goes down, it comes up automagically.
> >
> >
> > On Thu, Oct 31, 2013 at 01:12:28PM -0400, Shawn Wilson wrote:
> >> So I agree with all of the recommendations to use ssh_config. However
> >> instead of setting up multiple port redirects on your router, I'd recommend
> >> using LocalForward in your ssh_config and then just:
> >> ssh_config -f -N <main host>
> >> And then you have your other hosts setup, but you tell it:
> >> Address 127.0.0.1
> >> Port <whatever you defined>
> >>
> >> I also like not using port 22 for external ssh - it stops tons of
> >> people trying to connect. On that note, you're not using passwords and you
> >> have disabled passwords, right?
> >
> > --
> > Hei konā mai
> > Mark Smith
> > mark@winksmith.com



-- 
" ' With the first link, the chain is forged. The first speech censured,
the first thought forbidden, the first freedom denied, chains us all
irrevocably.' Those words were uttered by Judge Aaron Satie as wisdom and
warning... The first time any man's freedom is trodden on we’re all
damaged." - Jean-Luc Picard, quoting Judge Aaron Satie, Star Trek: TNG
episode "The Drumhead"
- Alex Smith (K4RNT)
- Dulles Technology Corridor (Chantilly/Ashburn/Dulles), Virginia USA
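As an added example (not code from anyone in the thread), the POSIX shell script below generates the ssh_config layout Shawn describes: LocalForward ports derived from each host's last IP octet (19200 + octet, which reproduces his 19205 and 19242), one stanza per internal host, and the shared defaults last under `Host *`, since ssh keeps the first value it sees for every option except IdentityFile. The gateway address and the host inventory are constructed values.

```shell
#!/bin/sh
# Added example: emit an ssh_config for reaching internal hosts through one
# bastion ("me") using LocalForward, in the layout from the thread.

# Constructed inventory: "alias ip" per line (not real hosts).
HOSTS='comp-a 192.168.0.5
comp-b 192.168.0.42'

# Port schema tied to the address space: 19200 + last octet of the IP,
# so 192.168.0.5 -> 19205 and 192.168.0.42 -> 19242.
port_for_ip() {
    echo $((19200 + ${1##*.}))
}

# gen_ssh_config GATEWAY_IP "alias ip lines" -> config text on stdout
gen_ssh_config() {
    gw=$1
    hosts=$2
    # The bastion itself; "me*" also matches me-fwd below.
    printf 'Host me*\n  HostName %s\n\n' "$gw"
    # All forwards live on one stanza, each commented with its alias.
    printf 'Host me-fwd\n'
    printf '%s\n' "$hosts" | while read -r alias ip; do
        [ -n "$alias" ] || continue
        printf '  # %s\n  LocalForward %s %s:22\n' \
            "$alias" "$(port_for_ip "$ip")" "$ip"
    done
    printf '\n'
    # One stanza per internal host: only the local port differs.
    printf '%s\n' "$hosts" | while read -r alias ip; do
        [ -n "$alias" ] || continue
        printf 'Host %s\n  Port %s\n\n' "$alias" "$(port_for_ip "$ip")"
    done
    # Host * must come last: a HostName here would otherwise win over the
    # bastion's real address. Hardening defaults go here (key-only auth).
    printf 'Host *\n  HostName 127.0.0.1\n'
    printf '  PasswordAuthentication no\n  IdentitiesOnly yes\n'
}

gen_ssh_config 1.2.3.4 "$HOSTS"
```

Save the output to a file and run `ssh -F that-file -G comp-b` to see the effective values ssh would use, which is the quickest way to confirm that `Host *` did not override a more specific stanza.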

