Re: rdr and authpf

2009-01-17 Thread Juan Miscaro
2009/1/17 Lars Noodén :
> I'd like to be able to authorize certain groups of users to be able to
> log in via ssh from A to B below, but upon/after successful
> authentication be redirected to ssh on C,D,or E so as to log in and work
> there.
>
>     +--E
>     |
> AB--+--C
>     |
>     +--D
>
>
> What part of authpf can do that?  Or is that better with SSH than PF?

This is standard SSH duty.

Configure A to pass through B to get to E, C, D.  Research the
'ProxyCommand' setting.

--
jm



SSH and ProxyCommand (was Re: rdr and authpf)

2009-01-18 Thread Lars Noodén
Juan Miscaro wrote:
> 2009/1/17 Lars Noodén :
[snip]
>>     +--E
>>     |
>> AB--+--C
>>     |
>>     +--D
[snip]
> 
> This is standard SSH duty.
> 
> Configure A to pass through B to get to E, C, D.  Research the
> 'ProxyCommand' setting.

Thanks.  There are not words for how tremendously OpenSSH rocks.
I've been a casual user since autumn 99 or so, but lately finding that
was just the tip of the iceberg.  There's a wealth of tricks in
ssh_config(5).

Using ~/.ssh/config on the client to connect to .118.10 and then from
there use netcat to connect to .124.25:

Host sound
  Protocol 2
  HostName 192.168.118.10
  ProxyCommand ssh %h /usr/bin/nc 192.168.124.25 22

using -v (or -vv or -vvv) this is what happens:

debug1: Executing proxy command: exec ssh 192.168.118.10 \
/usr/bin/nc 192.168.124.25 22

The obstacle I find now is that since the host keys for 192.168.118.10
and 192.168.124.25 are not the same, the illusion of two keys for a
single host causes the client to choke on the connection to the second
host.

Is there a way to configure ssh_config to allow two host keys for the
"same" host, or ignore the first host's key?  Putting the same key on
both doesn't seem quite right as I don't want the same groups that are
working behind the gateway to be accessing gateway itself.

Regards,
-Lars



Re: SSH and ProxyCommand (was Re: rdr and authpf)

2009-01-18 Thread Lars Noodén
Lars Noodén wrote:
>     +--E
>     |
> AB--+--C
>     |
>     +--D

Ok.  To record my own answer, one solution was to use HostKeyAlias,
to specify which host key to record.

Host sound
  Protocol 2
  HostKeyAlias 192.168.124.25
  HostName 192.168.118.10
  ProxyCommand ssh %h /usr/bin/nc 192.168.124.25 22

I can see some drawbacks with that, but it works for now.

-Lars



Re: SSH and ProxyCommand (was Re: rdr and authpf)

2009-01-18 Thread Juan Miscaro
2009/1/18 Lars Noodén :
> Lars Noodén wrote:
>>     +--E
>>     |
>> AB--+--C
>>     |
>>     +--D
>
> Ok.  To record my own answer, one solution was to use HostKeyAlias,
> to specify which host key to record.
>
>Host sound
>  Protocol 2
>  HostKeyAlias 192.168.124.25
>  HostName 192.168.118.10
>  ProxyCommand ssh %h /usr/bin/nc 192.168.124.25 22
>
> I can see some drawbacks with that, but it works for now.
>
> -Lars
>
>

Host B
  HostName host-B
  User user-B
  IdentityFile key-B

Host C
  HostName host-C
  User user-C
  IdentityFile key-C
  ProxyCommand ssh B nc %h %p



Note: Investigate ssh-agent if you do not already use it.

--
jm
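An added check, not from the thread or from OpenSSH, that lints an ssh_config for the host-key problem Lars hit: a stanza whose ProxyCommand runs "ssh %h ..." makes the gateway and the final host share one HostName, so without HostKeyAlias the client records two different keys under one name and refuses the second. The "ssh B nc %h %p" form from the previous post is recognised as safe. The function names and the sample config are assumptions constructed for this example.

```shell
#!/bin/sh
# lint_ssh_config: read an ssh_config (file args or stdin) and print one line
# per Host stanza: "<host> ok", "<host> direct" (no ProxyCommand) or
# "<host> COLLISION" (ProxyCommand targets %h itself but no HostKeyAlias,
# so the gateway key and the inner host key would collide in known_hosts).
# Exit status is 1 if any stanza is flagged.
lint_ssh_config() {
  awk '
    function report() {
      if (host == "") return
      if (proxy == "") { print host " direct"; return }
      # "ssh %h ..." means HostName is the gateway, not the inner host
      if (proxy ~ /ssh[ \t]+%h/ && alias == "") { print host " COLLISION"; bad = 1 }
      else print host " ok"
    }
    tolower($1) == "host"         { report(); host = $2; proxy = ""; alias = ""; next }
    tolower($1) == "proxycommand" { $1 = ""; proxy = $0; next }
    tolower($1) == "hostkeyalias" { alias = $2; next }
    END { report(); exit bad }
  ' "$@"
}

# Constructed sample config (hypothetical): the original stanza from the
# thread without an alias, the HostKeyAlias fix, and the "ssh B nc %h %p" form.
sample_config() {
  cat <<'EOF'
Host sound-noalias
  HostName 192.168.118.10
  ProxyCommand ssh %h /usr/bin/nc 192.168.124.25 22

Host sound
  HostKeyAlias 192.168.124.25
  HostName 192.168.118.10
  ProxyCommand ssh %h /usr/bin/nc 192.168.124.25 22

Host C
  HostName host-C
  ProxyCommand ssh B nc %h %p

Host B
  HostName host-B
EOF
}

if sample_config | lint_ssh_config; then
  echo "no host-key collisions"
else
  echo "at least one stanza needs HostKeyAlias"
fi
```

Run it against a real file with `lint_ssh_config ~/.ssh/config`; only the "ssh %h" pattern is checked, other ProxyCommand shapes are reported as ok.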



Re: SSH and ProxyCommand (was Re: rdr and authpf)

2009-01-23 Thread Lars Noodén
Lars Nooden wrote:
> >>     +--E
> >>     |
> >> AB--+--C
> >>     |
> >>     +--D


Juan Miscaro wrote:
> Host B
>   HostName host-B
>   User user-B
>   IdentityFile key-B
> 
> Host C
>   HostName host-C
>   User user-C
>   IdentityFile key-C
>   ProxyCommand ssh B nc %h %p

Yes, thanks very much.

Also, instead of using ssh_config, the same can be done via shell:

ssh -o "ProxyCommand ssh B nc %h %p" C

> Note: Investigate ssh-agent if you do not already use it.

I use it but freely admit that it is under-utilized.

-Lars