MLUG,
Thought someone may be interested in some cool SSH stuff I use. I have a
firewall on another network (Network A) that I don't control and want access
to that machine from here (Network B), and vice-versa. I obviously
control my firewall here.
At each end there is a Windows box and a Linux box. On Network A this is a
VMWare situation (Linux host) and on Network B they are 2 separate boxes.
Here's what I want to accomplish.
VNC from Network A's Windows box to Network B's Windows box
VNC from Network B's Windows box to Network A's Windows box
SSH from Network A to Network B (nothing special here)
SSH from Network B to Network A (any box)
To get all of this to work at all I needed to set up keys all around so I
wouldn't need to enter passwords. My Windows clients are SSH.COM formatted,
while all the Linux boxes are OpenSSH format. To convert SSH.COM keys to
OpenSSH format I use a Java SSH Client called AppGate MindTerm to Export the
private key to an OpenSSH pair. The public key for Network A's Linux box,
Network B's firewall, Network B's Windows box, and Network A's Windows box
all got copied to /root/.ssh/authorized_keys on both Network A's Linux box
and Network B's firewall. OpenSSH's host key can be found in
/etc/ssh/ssh_host_dsa_key. Note that the Windows clients had to have key
pairs generated - they don't exist by default. Ah - you have to make sure
the boxes present the correct key for authentication. This is a problem for
Network A's Linux box because this box already uses a different key. To the
rescue is ssh-agent, which will broker your authentication for you and
choose the right one. Problem is I haven't worked to get ssh-agent to work
if you are already ssh'd into the box. Not a big deal but messed up my
testing a bit. Doesn't matter because everything is generated from local
scripts anyway. I just use the -i command line option to present the host key
in /etc/ssh instead of my default /root/.ssh key. Whew - with all of this
working we're ready to mess with tunnels.
1.
I first wanted to be able to SSH to Network A's Linux box from Network B's
firewall. To do this I execute this command from Network A's Linux box:
ssh -p 22 -g -N -f -i /etc/ssh/ssh_host_dsa_key -R 24:localhost:22 Network-B-firewall.dyndns.org
Oh - I use dyn dns to change my dns entry to whatever my current IP is and
re-execute my firewall script. This is beyond the scope of this doc :)
This command hits port 22 on Network B's firewall with the host key. -f
makes it fork into the background after it authenticates so it doesn't eat
up a terminal. -N means it won't ask for a shell - just set up the
tunnel. -g means for local tunnels that hosts other than localhost can
connect. It actually isn't needed here, as remote tunnels are *only*
accessible from localhost. This command means that port 24 is now listening
on Network B's firewall and will send anything it gets there to localhost on
port 22 - localhost being on Network A's Linux box. This means that from
Network B's firewall I can ssh to port 24 on localhost and it goes through
the tunnel to 22 on Network A's Linux box. There is a slight problem - only
Network B's firewall can SSH to Network A's Linux box - I want Network B's
Windows box to be able to SSH to Network A's Linux box.
ssh -p 22 -g -N -f -L 26:127.0.0.1:24 127.0.0.1
This establishes a local tunnel that will accept external connections to
port 26 and redirect them through a tunnel to localhost port 24 - which in
turn goes through the remote tunnel to Network A's Linux box.
2.
I have external hosting for my email that provides a pretty nice webmail
interface over https. But I get a lot of mail and my filters are on my
Outlook client at home (Network B) - hence webmail gets ugly after a day or
so. When I'm on the road for a week it gets cumbersome. So I set up RealVNC
Server on my Windows box at home (Network B).
I execute this command from Network A's Linux box:
ssh -p 22 -g -N -f -i /etc/ssh/ssh_host_dsa_key -L 5900:192.168.5.100:5900 Network-B-firewall.dyndns.org
Same idea - my Network A's Linux box will listen on port 5900 and forward
anything to it through the tunnel to 192.168.5.100 on port 5900 (my windows
box on Network B). Works like a champ.
3.
Well now I started getting curious about what I could make this do and
decided I wanted to VNC from Network B's Windows box to Network A's Windows
box.
I execute this command from Network A's Linux box.
ssh -p 22 -g -N -f -i /etc/ssh/ssh_host_dsa_key -R 5901:172.16.152.128:5900 Network-B-firewall.dyndns.org
Same deal - set up Network B's firewall to forward anything destined for
port 5901 (on Network B's firewall) across the tunnel to 172.16.152.128 on
port 5900. That 172.16 address is the host-only VMWare interface with
Network A's Windows box.
To deal with the other end on Network B's firewall I needed another loopback
tunnel:
ssh -p 22 -g -N -f -L 5900:127.0.0.1:5901 127.0.0.1
Hence I can use VNC viewer to hit Network B's firewall on port 5900 that
gets tunneled to port 5901 on the firewall, which in turn gets tunnelled
across my VMWare host-only interface to Network A's Windows box.
Issues:
I had to tell Network B's firewall to allow connections to port 26 and 5900
from 192.168.5.100. Additionally, the firewall had to allow itself to hit
port 5900 on 192.168.5.100 (windows box on Network B).
I've researched it and it looks like SSH with cipher of "none" is nearly as
fast/slow as with a cipher. Don't understand that one exactly. I hard-code
all my sshd servers and ssh clients to use hmac-sha1, blowfish, and
compression. VNC sucks - Terminal Services works much better - but that's
the breaks on 2000 Pro (not server). Since IPSec isn't involved at any point
my packets stay at 1500 bytes and fragmentation doesn't cost me performance.
I put all of the above commands with some checking into cron.hourly
scripts - so it keeps all of this up for me all the time.
-- Brent
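Editor's added example (not part of Brent's post): a small model of the forwarding chains above that follows a connection hop by hop and lists which listeners are reachable from other hosts, i.e. the ports the firewall rules in the "Issues" section have to restrict. "netA-linux" and "fw-B" are placeholder host names; the forward specs and addresses are the ones from the post.

```python
import shlex
from dataclasses import dataclass

LOOPBACK = {"localhost", "127.0.0.1"}
@dataclass(frozen=True)
class Forward:
    kind: str       # "L" local forward or "R" remote forward
    client: str     # host the ssh command was run on
    server: str     # host it connected to
    port: int       # listening port the forward opens
    dest: str       # destination host as written in the -L/-R spec
    dest_port: int
    gateway: bool   # -g was given

    @property
    def listen_host(self):  # -L listens on the client side, -R on the server side
        return self.client if self.kind == "L" else self.server
    @property
    def bind(self):  # only -L with -g binds all interfaces; -R is loopback-only unless sshd sets GatewayPorts
        return "0.0.0.0" if self.kind == "L" and self.gateway else "127.0.0.1"
    @property
    def target(self):  # "localhost" in the spec is resolved on the far side of the ssh connection
        far = self.server if self.kind == "L" else self.client
        return (far if self.dest in LOOPBACK else self.dest, self.dest_port)

def parse(cmd, client):  # one ssh command line, as run on `client`; models -L/-R/-g only
    argv = shlex.split(cmd)
    kind = "L" if "-L" in argv else "R"
    port, dest, dest_port = argv[argv.index("-" + kind) + 1].split(":")
    server = client if argv[-1] in LOOPBACK else argv[-1]  # "ssh ... 127.0.0.1" loops back onto the client
    return Forward(kind, client, server, int(port), dest, int(dest_port), "-g" in argv)

def resolve(forwards, host, port):  # follow host:port through chained forwards, returning every hop
    listeners = {(f.listen_host, f.port): f.target for f in forwards}
    hops = [(host, port)]
    while hops[-1] in listeners:
        hops.append(listeners[hops[-1]])
    return hops

def exposed(forwards):  # listeners other hosts can reach: the ports the firewall rules must restrict
    return sorted((f.listen_host, f.port) for f in forwards if f.bind == "0.0.0.0")

# Constructed input: the post's commands; "netA-linux" and "fw-B" are placeholder host names.
FORWARDS = [
    parse("ssh -p 22 -g -N -f -i /etc/ssh/ssh_host_dsa_key -R 24:localhost:22 fw-B", "netA-linux"),
    parse("ssh -p 22 -g -N -f -L 26:127.0.0.1:24 127.0.0.1", "fw-B"),
    parse("ssh -p 22 -g -N -f -i /etc/ssh/ssh_host_dsa_key -L 5900:192.168.5.100:5900 fw-B", "netA-linux"),
    parse("ssh -p 22 -g -N -f -i /etc/ssh/ssh_host_dsa_key -R 5901:172.16.152.128:5900 fw-B", "netA-linux"),
    parse("ssh -p 22 -g -N -f -L 5900:127.0.0.1:5901 127.0.0.1", "fw-B"),
]
```

resolve(FORWARDS, "fw-B", 26) walks 26 -> 24 on the firewall and then across the remote tunnel to port 22 on the Network A Linux box; exposed(FORWARDS) comes out as ports 26 and 5900 on the firewall plus 5900 on the Network A Linux box, matching the rules the post had to add.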
_______________________________________________
members mailing list
http://mlug.missouri.edu/mailman/listinfo/members