Wednesday 7 February 2018

tunnel - SCP through SSH gateway connection


My network layout is something like this:



Now Alice has access to the SSH gateway (just "gateway" from now on) with:


ssh alice@external.ip

and the authorized keys file on the gateway looks like this


#/home/Alice/.ssh/authorized_keys
command="ssh -t alice@web" ssh-rsa ABCD...E== alice@somehost

so when Alice tries to connect to the Gateway with her private key, she actually gets connected to the Web server (the gateway pc can make a connection to the web server with a passwordless private key, so that stays transparent).


The question

  1. How can I set this up so that Alice will be able to scp things to web server too?

  2. I know this makes a separate connection, but is there any way for this to work as a normal ssh so that even something like -R12345:localhost:22 would work?

Answer



If you want to access an SSH server behind another SSH server, simply use "ProxyCommand". Example: add to .ssh/config:


Host Alice
# User is optional
User myLoginAtAlice
ProxyCommand ssh -o Compression=no gateway netcat -w 90 %h %p
ServerAliveInterval 30
Compression yes

Host gateway
HostName gateway.public.ip
# User is optional
User myLoginAtTheGateway
Compression yes

Then, you can simply "ssh Alice" or "rsync" or "scp" directly using "Alice" as hostname. The magic is hidden to the client.


This allows you to quickly reconfigure your ssh in case your network topology/configuration changes, and just change the .ssh/config, instead of changing every script.


Explanation: ssh uses the command given as "proxy command" as transport instead of a direct TCP connection. Netcat is a network tool that (among millions of other features) simply redirects its stdin/stdout to the specified remote host. So, "ssh gateway nc sshserver 22" connects you to the ssh server of that machine. %h is the hostname and %p is the port. Such a setup allows you to specify "Port N" to change the port without changing the ProxyCommand line.


I activate compression to the final computer and disable outer compression since compressing encrypted or compressed data does not reduce the data volume any further. Any fiddling with the compression settings is also of course optional.
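
One way to keep a forced command on the gateway while still serving the ProxyCommand shown in the answer, as an added example that is not part of the original question or answer: a wrapper that reads SSH_ORIGINAL_COMMAND and relays only to allowed targets. The script path, the `--relay` argument and the `web:22` allowlist are assumptions.

```shell
#!/bin/sh
# Added example: forced-command wrapper for the gateway (hypothetical path
# /usr/local/bin/relay-only). Assumed authorized_keys entry on the gateway:
#   command="/usr/local/bin/relay-only --relay",no-pty,no-port-forwarding ssh-rsa <alice-public-key>
# sshd puts the command the client asked for in SSH_ORIGINAL_COMMAND.

# Assumption: space-separated host:port pairs the gateway may relay to.
ALLOWED_TARGETS="web:22"

# Print "host port" and return 0 if the request is "netcat|nc [-w N] host port"
# for an allowed target; return 1 for anything else.
parse_relay_request() {
    req=$1
    set -f              # split into words without glob expansion
    set -- $req
    set +f
    case ${1:-} in
        netcat|nc) shift ;;
        *) return 1 ;;
    esac
    if [ "${1:-}" = "-w" ]; then
        case ${2:-} in
            ''|*[!0-9]*) return 1 ;;
        esac
        shift 2
    fi
    [ $# -eq 2 ] || return 1    # extra words such as "; id" are refused
    for t in $ALLOWED_TARGETS; do
        if [ "$t" = "$1:$2" ]; then
            printf '%s %s\n' "$1" "$2"
            return 0
        fi
    done
    return 1
}

relay_main() {
    if target=$(parse_relay_request "${SSH_ORIGINAL_COMMAND:-}"); then
        set -- $target
        exec nc -w 90 "$1" "$2"     # the strings are never passed to eval
    fi
    echo "gateway: only relaying to the web server is permitted" >&2
    return 1
}

if [ "${1:-}" = "--relay" ]; then
    relay_main
fi
```

With this in place the client-side ProxyCommand line stays as in the answer, and any other command sent to the gateway key is refused instead of being run.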

