Vincent's Blog

Some ssh tips

Posted on 2022-09-30 09:11:00 from Vincent in OpenBSD

Beyond the usual connection to a remote host, SSH can be used in several other ways. In this post I will present three of them: proxy, tunnel and jump server.


SSH as a proxy server

Use case

I want to browse the internet as if I were at home.

For example, I'm somewhere in the world and I would like to connect to my bank's website. As a protection rule, my bank checks the IP address of the browser; if it is an IP from abroad, the login process is a bit more annoying.

Setup on server side

I have an OpenBSD server running at home. This machine is reachable from the internet over the SSH protocol.
To do so, I've configured the firewall of my internet provider to forward the SSH protocol to this server.
Instead of listing its IP address in the rest of this post, let's agree that this machine is known as "myhome".

For this case, let's imagine that the public IP address of my internet connection is static.

Setup on my PC

On my PC (also running OpenBSD, but this is not mandatory), I have mapped the public IP of my internet router to the name "myhome" (in /etc/hosts, for example).
I must tell SSH to start a tunnel between my PC and "myhome", and to expose it locally as a SOCKS proxy on port 1234.

ssh -D 1234 -p 22 user@myhome

Now I can start my preferred browser and tell it to use that SOCKS proxy.

chrome --proxy-server="socks://localhost:1234"

From now on, every connection made by my browser goes first through this SOCKS proxy; in other words, through an SSH tunnel to "myhome" before going out to the internet.

Because port 22 is often blocked, I suggest using another port number. In that case, make sure that your home internet firewall is configured accordingly.

Conclusions

It works fine, with some caveats:

  • The SSH protocol (on port 22) must be allowed by the local internet provider where my PC runs (hotel, work, ...)
  • "myhome" becomes a bottleneck because it must handle the traffic back and forth. This is not the solution for watching videos.

Setup a simple tunnel

Use case

I have a web server inside a DMZ. This web server is not visible from outside the DMZ. This is often the case with management servers.

Setup on server side

I need a valid SSH login (user/password, ...) on a machine located on the same network as the targeted web server.

The SSH server is called mysshserver and the targeted web server is called mywebserver. It's important to note that HTTP/HTTPS connections from mysshserver to mywebserver are allowed.

Setup on PC side

With the following command, I'm asking SSH to start a tunnel between my PC and "mysshserver". From that machine, a connection to mywebserver on port 443 is requested.
Locally this tunnel is bound to port 1234.

ssh -L 1234:mywebserver:443 -N user@mysshserver

Then just type "localhost:1234" in your browser and you will see the pages of mywebserver.

If the web server runs on mysshserver itself, the command becomes:

ssh -L 1234:localhost:443 -N user@mysshserver

Conclusion

This is a trusted way to connect to admin machines located in a secured zone (DMZ, ...).

It works perfectly, with the small caveat that such a tunnel adds some delay: the web interface will be slower. But this delay has several sources: the SSH tunnel, the local internet provider, ...
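A small script serving both the SOCKS proxy of the previous section and this tunnel, added here as an example (it is not code from the original post): it wraps ssh -D and ssh -L with the options that make a background forward fail loudly instead of silently, and checks that the local port really listens before declaring success. It assumes nc(1) is available for the readiness check; the function names are the example's own, the host names are the post's.

```shell
#!/bin/sh
# Added example (not from the post): bring up "ssh -D" (the SOCKS proxy above) or
# "ssh -L" (this tunnel) in the background, exit if the forward cannot be bound,
# and only report success once the local port really listens. Host names are the
# post's; the function names and the nc-based readiness loop are this example's.

# wait_for_port PORT [TRIES]: poll 127.0.0.1:PORT once per second with nc -z
wait_for_port() {
    tries=${2:-10}
    while [ "$tries" -gt 0 ]; do
        nc -z 127.0.0.1 "$1" 2>/dev/null && return 0
        tries=$((tries - 1))
        sleep 1
    done
    echo "nothing listening on 127.0.0.1:$1" >&2
    return 1
}

# ssh_forward socks LOCALPORT USER@HOST [SSHPORT]
# ssh_forward local LOCALPORT TARGET:TARGETPORT USER@HOST [SSHPORT]
ssh_forward() {
    if [ "$#" -lt 3 ]; then echo "usage: ssh_forward socks|local ..." >&2; return 2; fi
    mode=$1; lport=$2; shift 2
    case $mode in
        socks) remote=$1; sshport=${2:-22}; set -- -D "127.0.0.1:$lport" ;;
        local) remote=$2; sshport=${3:-22}; set -- -L "127.0.0.1:$lport:$1" ;;
        *) echo "unknown mode: $mode" >&2; return 2 ;;
    esac
    [ -n "$remote" ] || { echo "missing USER@HOST" >&2; return 2; }
    # -N: no remote command; -f: background once authenticated;
    # ExitOnForwardFailure: exit instead of silently running without the forward;
    # ServerAliveInterval: notice a dead link instead of hanging forever;
    # explicit 127.0.0.1 bind: the forward is never offered to the local LAN.
    ssh -N -f -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 \
        -p "$sshport" "$@" "$remote" || return 1
    wait_for_port "$lport"
}

# Following the post (run by hand):
#   ssh_forward socks 1234 user@myhome 2222
#     then chrome --proxy-server="socks5://127.0.0.1:1234"; to confirm the egress
#     address: curl --socks5-hostname 127.0.0.1:1234 https://<ip-echo site of your choice>
#   ssh_forward local 1234 mywebserver:443 user@mysshserver
#     then https://localhost:1234 (the certificate is for mywebserver, so expect a
#     name-mismatch warning from the browser)
[ "$#" -eq 0 ] || ssh_forward "$@"
```

The curl check uses --socks5-hostname so that name resolution also happens at the far end of the tunnel, which is what the bank use case needs.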

Jump servers

Use case

Let's imagine that you have several machines in a local network. They all have an SSH server available, BUT only one of them accepts SSH connections coming from the outside.
So, to reach every machine on this network, you must first establish an SSH connection to this SSH server, then from there establish a second SSH connection to the target SSH server.

Let's make this easier with jump servers.

Setup on server side

Nothing special is required for this setup. Just have an SSH server up and running on all machines.

Let's imagine that our SSH server reachable from outside is called mysshserver. The other machines are called targetserver1, targetserver2, ...

To avoid password prompts, I still advise publishing the client PC's public SSH key to the different SSH servers.

Setup on the PC side

First make sure that you can connect via SSH from the PC to mysshserver.

ssh user@mysshserver

To avoid password prompts, I suggest copying the PC's public key to the server.

add PC's ~/.ssh/id_rsa.pub to server's ~/.ssh/authorized_keys

Do that on mysshserver, but also on the target servers.

On the PC, put this in the SSH config file (~/.ssh/config):

Host targetserver1
    Hostname targetserver1
    ProxyJump user@mysshserver
    User user
Host targetserver2
    Hostname targetserver2
    ProxyJump user@mysshserver
    User user
Host mysshserver
    Hostname mysshserver

If required, you can put IP addresses in the "Hostname" field instead of host names.

If DMZs are nested, so that for example targetserverX only accepts SSH connections from targetserver9, you can put:

Host targetserverX
    Hostname targetserverX
    ProxyJump user@mysshserver,user@targetserver9
    User user

This tells SSH that it has 2 jump servers in sequence. This is often the case when you have one SSH server to reach a company's network and then another SSH server to reach the DMZ inside that company.
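Added example (not the post's own code): a dry-run helper that reads an ssh_config-style file and prints the hops ssh will traverse for a given host, so a chain like the one above can be checked before connecting. It follows OpenSSH's chaining behaviour (the first hop of a ProxyJump list is reached by a plain ssh that reads the same config, so that hop's own ProxyJump applies, while later hops receive an explicit -J), handles exact Host names only (no wildcards, Match blocks or ports), and the sample config is constructed; on a real system, ssh -G targetserverX prints the resolved settings for one host.

```shell
#!/bin/sh
# Added example (not from the post): print the hops ssh takes to reach a host,
# following ProxyJump as OpenSSH chains it: the first hop of a list is reached
# by a plain ssh that reads this same config (so its own ProxyJump applies);
# later hops receive an explicit -J. Exact Host names only (no wildcards/ports).
# cfg_get FILE HOST KEY: KEY's value inside the "Host HOST" block, if any
cfg_get() {
    awk -v want="$2" -v key="$3" '
        tolower($1) == "host" { inblk = 0; for (i = 2; i <= NF; i++) if ($i == want) inblk = 1; next }
        inblk && tolower($1) == tolower(key) { print $2; exit }' "$1"
}
# hop_name FILE [USER@]HOST: user@address of one hop (user from the spec, else config)
hop_name() {
    h=${2#*@}
    case $2 in *@*) u=${2%%@*} ;; *) u=$(cfg_get "$1" "$h" User) ;; esac
    a=$(cfg_get "$1" "$h" Hostname)
    printf '%s\n' "${u:+$u@}${a:-$h}"
}
# jump_chain FILE [USER@]HOST [DEPTH]: comma-separated hops, first to last
jump_chain() {
    cfg=$1; spec=$2; depth=${3:-0}
    [ "$depth" -lt 8 ] || { echo "ProxyJump loop at $spec" >&2; return 1; }
    jumps=$(cfg_get "$cfg" "${spec#*@}" ProxyJump)
    chain=""
    if [ -n "$jumps" ] && [ "$jumps" != none ]; then
        first=${jumps%%,*}
        chain=$(jump_chain "$cfg" "$first" $((depth + 1))) || return 1
        for hop in $(printf '%s' "${jumps#"$first"}" | tr , ' '); do
            chain="$chain,$(hop_name "$cfg" "$hop")"
        done
    fi
    printf '%s\n' "${chain:+$chain,}$(hop_name "$cfg" "$spec")"
}
# Constructed sample config: targetserverX uses the post's two-hop list;
# targetserverY reaches the same path by chaining through targetserver9's entry.
SAMPLE_CONFIG='Host targetserverX
    ProxyJump user@mysshserver,user@targetserver9
    User user
Host targetserverY
    ProxyJump targetserver9
Host targetserver9
    ProxyJump user@mysshserver
    User user
Host mysshserver
    Hostname 203.0.113.10
'
cfgfile=$(mktemp) && printf '%s' "$SAMPLE_CONFIG" > "$cfgfile"
for h in targetserverX targetserverY; do printf '%s: %s\n' "$h" "$(jump_chain "$cfgfile" "$h")"; done
rm -f "$cfgfile"
```

Run as a script it prints both chains, which are identical up to the last hop: the comma list and the chained entries describe the same path.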

Conclusion

SSH is really a Swiss Army knife for encrypted connections. The tool has lots of different use cases that we sometimes forget.

It's not always necessary to set up a complex VPN, ... when SSH can simply meet the needs.

Remember that OpenSSH is funded by the OpenBSD Foundation !!

Thanks to those people for developing such a great tool. And MANY MANY thanks for providing it under a BSD license.
Donations to those guys are always a good idea ;)

I'm convinced that, thanks to this license model, OpenSSH is now everywhere. And the more it's used, the stronger and better it will become ;-)

Long life to OpenSSH
