Some ssh tips
Posted on 2022-09-30 09:11:00 from Vincent in OpenBSD
Beyond the usual interactive login on a remote host, SSH can be used in several other ways. In this post I will present three of them: a SOCKS proxy, a port-forwarding tunnel and jump servers.
SSH as a proxy server
Use case
I want to browse the internet as if I were at home.
For example, I am somewhere in the world and I would like to connect to my bank's website. As a protection rule, my bank checks the IP address of the browser. If it is an IP from abroad, the login process is a bit more annoying.
Setup on server side
I have an OpenBSD server running at home. This machine is reachable from the internet over SSH.
To do so, I have configured the router/firewall of my internet provider to forward the SSH port to this server.
Instead of writing its IP address in the rest of this post, let's agree that this machine is known as "myhome".
For this case, let's assume that the public IP address of my internet connection is static.
Setup on my PC
On my PC (also running OpenBSD, but this is not mandatory), I have mapped the name "myhome" to the public IP of my home router (in /etc/hosts, for example).
I then tell SSH to open a tunnel between my PC and "myhome" and to expose it locally as a SOCKS proxy on port 1234 (the -D option; add -N if you do not need a shell on myhome):
ssh -D 1234 -p 22 user@myhome
Now I can just start my preferred browser and point it at that SOCKS proxy:
chrome --proxy-server="socks://localhost:1234"
From now on, every connection made by the browser goes first to this SOCKS proxy, in other words through the SSH tunnel to "myhome", and only then out to the internet. Prefer socks5:// over socks:// here: with SOCKS5 the browser hands the hostname to the proxy, so DNS lookups are also done from home, whereas with SOCKS4 the browser resolves names locally and leaks the sites you visit to the local network. You can check from a terminal with curl --socks5-hostname localhost:1234 against any "what is my IP" service: it should print your home address.
Because port 22 is often blocked, I suggest using another port number. In that case, make sure your home internet firewall is configured accordingly.
Conclusions
It works fine, with some caveats:
- the SSH port (22, or the one you chose) must be allowed by the network where my PC is (hotel, work, ...);
- "myhome" becomes a bottleneck because it must carry the traffic back and forth. This is not the solution for watching videos.
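What the browser actually says to the listener that ssh -D opens is a SOCKS5 CONNECT handshake (RFC 1928). The added example below (my illustration, not code from the post) implements that client side and, because it has to run offline, talks to a constructed in-process stub that only records the request and answers "succeeded". The point it demonstrates is the DNS remark above: the client sends the destination as a domain name (ATYP 0x03), so the name is resolved at the proxy end ("myhome"), never on the laptop. Against a real ssh -D 1234 you would pass ("127.0.0.1", 1234) as proxy_addr; the host "www.example.com" and the stub proxy are assumptions for the demo.

```python
import socket
import struct
import threading

SOCKS_VERSION = 5
NO_AUTH = 0x00        # the only method an ssh -D listener needs
CMD_CONNECT = 0x01
ATYP_IPV4 = 0x01
ATYP_DOMAIN = 0x03
ATYP_IPV6 = 0x04
REP_SUCCEEDED = 0x00


def _recv_exact(sock, n):
    """Read exactly n bytes or raise (a proxy must never truncate a handshake)."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise OSError("peer closed the connection mid-handshake")
        buf += chunk
    return buf


def connect_via_socks5(proxy_addr, dest_host, dest_port, timeout=5.0):
    """Open dest_host:dest_port through a SOCKS5 proxy; return the relayed socket.

    The destination is sent as a domain name, so the proxy (the ssh -D end)
    performs the DNS lookup. Raises OSError with the reply code on refusal.
    """
    sock = socket.create_connection(proxy_addr, timeout=timeout)
    # 1. method negotiation: we offer only "no authentication"
    sock.sendall(struct.pack("!BBB", SOCKS_VERSION, 1, NO_AUTH))
    ver, method = struct.unpack("!BB", _recv_exact(sock, 2))
    if ver != SOCKS_VERSION or method != NO_AUTH:
        sock.close()
        raise OSError("proxy rejected the no-auth method (got 0x%02x)" % method)
    # 2. CONNECT request: VER CMD RSV ATYP DST.ADDR DST.PORT, ATYP = domain name
    host_bytes = dest_host.encode("idna")
    head = struct.pack("!BBBBB", SOCKS_VERSION, CMD_CONNECT, 0x00, ATYP_DOMAIN, len(host_bytes))
    sock.sendall(head + host_bytes + struct.pack("!H", dest_port))
    # 3. reply: VER REP RSV ATYP BND.ADDR BND.PORT (address length depends on ATYP)
    ver, rep, _rsv, atyp = struct.unpack("!BBBB", _recv_exact(sock, 4))
    if atyp == ATYP_IPV4:
        _recv_exact(sock, 4 + 2)
    elif atyp == ATYP_DOMAIN:
        _recv_exact(sock, _recv_exact(sock, 1)[0] + 2)
    elif atyp == ATYP_IPV6:
        _recv_exact(sock, 16 + 2)
    else:
        sock.close()
        raise OSError("malformed SOCKS5 reply (atyp=0x%02x)" % atyp)
    if ver != SOCKS_VERSION or rep != REP_SUCCEEDED:
        sock.close()
        raise OSError("SOCKS5 CONNECT refused, reply code %d" % rep)
    return sock


class StubSocks5Proxy:
    """Constructed stand-in for the ssh -D listener (test double, not ssh):
    parses one CONNECT, records what it was asked to reach, answers success."""

    def __init__(self):
        self.requests = []                      # (host, port) the "proxy" was asked for
        self._srv = socket.socket()
        self._srv.bind(("127.0.0.1", 0))        # ephemeral port on loopback only
        self._srv.listen(1)
        self.addr = self._srv.getsockname()
        self.thread = threading.Thread(target=self._serve_one, daemon=True)
        self.thread.start()

    def _serve_one(self):
        conn, _ = self._srv.accept()
        with conn:
            _ver, nmethods = struct.unpack("!BB", _recv_exact(conn, 2))
            methods = _recv_exact(conn, nmethods)
            conn.sendall(struct.pack("!BB", SOCKS_VERSION, NO_AUTH if NO_AUTH in methods else 0xFF))
            _ver, _cmd, _rsv, atyp = struct.unpack("!BBBB", _recv_exact(conn, 4))
            if atyp == ATYP_DOMAIN:             # name arrives unresolved: no local DNS leak
                host = _recv_exact(conn, _recv_exact(conn, 1)[0]).decode("idna")
            elif atyp == ATYP_IPV4:             # a SOCKS4-style client would resolve first
                host = socket.inet_ntoa(_recv_exact(conn, 4))
            else:
                host = socket.inet_ntop(socket.AF_INET6, _recv_exact(conn, 16))
            port = struct.unpack("!H", _recv_exact(conn, 2))[0]
            self.requests.append((host, port))
            # success reply bound to 0.0.0.0:0; a real proxy would now relay bytes
            conn.sendall(struct.pack("!BBBBIH", SOCKS_VERSION, REP_SUCCEEDED, 0, ATYP_IPV4, 0, 0))
        self._srv.close()


def demo():
    """Run the handshake against the stub and return (host, port) the proxy saw."""
    proxy = StubSocks5Proxy()
    connect_via_socks5(proxy.addr, "www.example.com", 443).close()
    proxy.thread.join(timeout=5)
    return proxy.requests[0]


if __name__ == "__main__":
    print("proxy was asked to reach:", demo())
```

The stub answers "succeeded" without relaying anything, so only the handshake is exercised; what matters for the privacy point is that the recorded request carries the literal hostname, which is exactly what an SSH SOCKS5 listener forwards to myhome for resolution.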
Setup a simple tunnel
Use case
I have a webserver inside a DMZ. This webserver is not visible from outside the DMZ. This is often the case with management interfaces.
Setup on server side
I need a valid SSH login (user/password, key, ...) on a machine located on the same network as the targeted webserver.
The SSH server is called mysshserver and the targeted webserver is called mywebserver. It is important to note that HTTP/HTTPS connections from mysshserver to mywebserver must be allowed.
Setup on PC side
With the following command, I ask SSH to open a tunnel between my PC and "mysshserver"; from that machine, connections are made to mywebserver on port 443.
Locally the tunnel is bound to port 1234 (-N means: no remote shell, only the forwarding; adding -o ExitOnForwardFailure=yes makes ssh exit instead of silently giving you nothing when port 1234 is already taken):
ssh -L 1234:mywebserver:443 -N user@mysshserver
Then just type https://localhost:1234 in your browser and you will see the pages of mywebserver. Expect a certificate name warning: the certificate is issued for mywebserver, not for localhost.
If the webserver runs on mysshserver itself, the command becomes:
ssh -L 1234:localhost:443 -N user@mysshserver
Note that "localhost" here is evaluated on mysshserver, not on the PC.
Conclusion
This is a trusted way to reach admin machines located in a secured zone (DMZ, ...).
It works perfectly, with the small caveat that such a tunnel adds some latency: the web interface will be slower, but this has several sources (the SSH tunnel, the local internet provider, ...).
Jump servers
Use case
Let's imagine you have several machines on a local network. They all run an SSH server, BUT only one accepts SSH connections from outside.
So, to reach every machine on this network, you must first establish an SSH connection to that SSH server, then from there establish a second SSH connection to the target.
Let's make this easier with jump servers.
Setup on server side
Nothing special is required on the server side. Just have an SSH server up and running on all machines.
Let's imagine our SSH server reachable from outside is called mysshserver and the other machines are called targetserver1, targetserver2, ...
To avoid password prompts, I still advise installing the PC's public SSH key on the different SSH servers.
Setup on the PC side
First make sure you can connect via SSH from the PC to mysshserver:
ssh user@mysshserver
To avoid password prompts, I suggest copying the PC's public key to the server:
add the PC's ~/.ssh/id_rsa.pub to the server's ~/.ssh/authorized_keys (ssh-copy-id user@mysshserver does exactly this)
Do that on mysshserver, but also on the target servers.
In the PC's SSH config file (~/.ssh/config) put this:
Host targetserver1
Hostname targetserver1
ProxyJump user@mysshserver
User user
Host targetserver2
Hostname targetserver2
ProxyJump user@mysshserver
User user
Host mysshserver
Hostname mysshserver
If required, instead of hostnames in "Hostname", you can put IP addresses.
If DMZs are nested, so that for instance targetserverX only accepts SSH connections from targetserver9, you can put:
Host targetserverX
Hostname targetserverX
ProxyJump user@mysshserver,user@targetserver9
User user
This tells ssh that there are two jump servers in sequence. This is often the case when you have one SSH server to reach a company's network and then another one to reach the DMZ inside that company. Unlike the manual "ssh, then ssh again" approach, with ProxyJump the client authenticates end-to-end to targetserverX and the jump hosts only relay the encrypted stream, so no private key or agent forwarding needs to exist on them.
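Working out the ProxyJump value by hand is easy for two hops but error-prone once several DMZs are nested. The added example below (my illustration, not code from the post) takes a reachability map of the post's scenario (which host can open SSH to which) and derives the hop list for any target by breadth-first search, then renders the ~/.ssh/config stanza in the same shape as above. The REACHABLE map, the "pc" origin name and the user name are constructed assumptions; only mysshserver, targetserver1/2/9 and targetserverX come from the post.

```python
from collections import deque

# Constructed topology for the post's scenario: host -> hosts it can SSH into.
# Only mysshserver accepts SSH from the outside ("pc"); targetserverX sits in a
# nested DMZ that accepts SSH from targetserver9 only.
REACHABLE = {
    "pc":            {"mysshserver"},
    "mysshserver":   {"targetserver1", "targetserver2", "targetserver9"},
    "targetserver9": {"targetserverX"},
    "targetserver1": set(),
    "targetserver2": set(),
    "targetserverX": set(),
}


def jump_chain(reachable, origin, target):
    """Shortest list of intermediate hosts from origin to target (BFS).

    Returns [] when origin reaches target directly and raises ValueError when
    no SSH path exists, rather than guessing a hop.
    """
    parents = {origin: None}
    queue = deque([origin])
    while queue:
        host = queue.popleft()
        if host == target:
            break
        for nxt in sorted(reachable.get(host, ())):   # sorted: deterministic chains
            if nxt not in parents:
                parents[nxt] = host
                queue.append(nxt)
    if target not in parents:
        raise ValueError("no SSH path from %s to %s" % (origin, target))
    path = []
    host = target
    while host is not None:
        path.append(host)
        host = parents[host]
    path.reverse()
    return path[1:-1]          # drop origin and target, keep the hops in order


def ssh_config_stanza(target, user, reachable, origin="pc"):
    """Render a Host block like the post's, with ProxyJump only when needed."""
    hops = jump_chain(reachable, origin, target)
    lines = ["Host %s" % target, "    Hostname %s" % target, "    User %s" % user]
    if hops:
        # ProxyJump takes the hops in the order they are traversed, comma separated
        lines.insert(2, "    ProxyJump " + ",".join("%s@%s" % (user, h) for h in hops))
    return "\n".join(lines)


if __name__ == "__main__":
    for host in ("mysshserver", "targetserver1", "targetserverX"):
        print(ssh_config_stanza(host, "user", REACHABLE))
        print()
```

For targetserverX this yields "ProxyJump user@mysshserver,user@targetserver9", the two-hop stanza shown above, while mysshserver gets no ProxyJump line at all; a host missing from the map raises instead of producing a stanza that would fail at connection time.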
Conclusion
SSH is really a Swiss Army knife for encrypted connections. The tool has a lot of different use cases that we sometimes forget.
It is not always necessary to set up a complex VPN when SSH can simply match the needs.
I remind you that OpenSSH is funded by the OpenBSD Foundation!
Thanks to those people for developing such a great tool, and MANY MANY thanks for providing it under a BSD license.
Donating to them is always a good idea ;)
I am convinced that, thanks to this license model, OpenSSH is now everywhere. And the more it is used, the stronger and better it will become ;-)
Long live OpenSSH!