| author | Guilhem Moulin <guilhem.moulin@fripost.org> | 2013-01-10 20:43:43 +0100 | 
|---|---|---|
| committer | Guilhem Moulin <guilhem.moulin@fripost.org> | 2013-01-10 20:43:51 +0100 | 
| commit | 039a05948785e24e323d1b9fe2d672f9cfebcd5b (patch) | |
| tree | 72a6909ae7f38c2bb474a6b423c5cecab0dfb511 | |
| parent | aa267aac7674500808de42538884e2ee8e672672 (diff) | |
| -rw-r--r-- | fripost-docs.org | 35 | 
1 files changed, 22 insertions, 13 deletions
diff --git a/fripost-docs.org b/fripost-docs.org index 64785d8..5aa355f 100644 --- a/fripost-docs.org +++ b/fripost-docs.org @@ -290,20 +290,20 @@ incoming SMTP = the Mail Submission Agent (MSA), that will receive emails from o  # originating host = the host that will be connecting  # destination host = the host that runs some service -# Begin by setting a few environment variables: +# Begin by setting a few environment variables on both sides: -TUNNEL_KEY_FILE="my_tunnel_key" -TUNNEL_USER="tunneluser" -TUNNEL_HOME="/home/$TUNNEL_USER"  DEST_PORT="25"  ORIGIN_PORT="1917" +TUNNEL_USER="tunnel_service"    # e.g., tunnel_ldap or tunnel_smtp  (grep -P "\b${DEST_PORT}\b" /etc/services) +TUNNEL_KEY_FILE="/root/.ssh/${TUNNEL_USER}_key" +TUNNEL_HOME="/var/lib/inetd/${TUNNEL_USER}"  **** Prepare origin  1. Create a key on the originating host: -   sudo ssh-keygen -N "" -b 4096 -f /root/.ssh/$TUNNEL_KEY_FILE -   sudo cat /root/.ssh/$TUNNEL_KEY_FILE.pub +   sudo test -f $TUNNEL_KEY_FILE || sudo ssh-keygen -N "" -b 4096 -f $TUNNEL_KEY_FILE +   echo THE_PUBLIC_KEY="'$(sudo cat $TUNNEL_KEY_FILE.pub)'"  **** Prepare destination @@ -313,9 +313,10 @@ ORIGIN_PORT="1917"  2b. Create a new user on the destination host: -   sudo adduser --system --home=$TUNNEL_HOME --shell=`type rbash|cut -d' ' -f3` \ -                $TUNNEL_USER -   echo "exit" | sudo -u $TUNNEL_USER tee $TUNNEL_HOME/.bash_profile +   sudo adduser --system --home="$TUNNEL_HOME" --shell=`type rbash|cut -d' ' -f3` \ +                "$TUNNEL_USER" +   sudo chmod og-rwx "$TUNNEL_HOME" +   echo "exit" | sudo -u $TUNNEL_USER tee "$TUNNEL_HOME/.bash_profile"     # Note: We need bash, so we can not change the shell to something else. 
@@ -329,14 +330,16 @@ ORIGIN_PORT="1917"     THE_PUBLIC_KEY="ssh-rsa xxxxxxxxxxx" # from above -      sudo -u $TUNNEL_USER mkdir -p $TUNNEL_HOME/.ssh -      echo "command=\"nc localhost $DEST_PORT\",no-X11-forwarding,no-agent-forwarding,no-port-forwarding $THE_PUBLIC_KEY" | sudo -u $TUNNEL_USER tee -a $TUNNEL_HOME/.ssh/authorized_keys2 +      sudo -u $TUNNEL_USER mkdir -m 700 -p $TUNNEL_HOME/.ssh +      ALLOWED_KEY="command=\"nc 127.0.0.1 $DEST_PORT\",no-X11-forwarding,no-agent-forwarding,no-port-forwarding $THE_PUBLIC_KEY" +      sudo grep -Fxq "$ALLOWED_KEY" $TUNNEL_HOME/.ssh/authorized_keys2 || \ +                echo "$ALLOWED_KEY" | sudo -u $TUNNEL_USER tee -a $TUNNEL_HOME/.ssh/authorized_keys2  **** Set up the tunnel  3. Test the key on the originating host: -   sudo ssh -v -l $TUNNEL_USER -i /root/.ssh/$TUNNEL_KEY_FILE destination.example.com +   sudo ssh -v -l $TUNNEL_USER -i $TUNNEL_KEY_FILE destination.example.com      # Comment: You should be greeted by e.g.:      # 220 mistral.fripost.org ESMTP Postfix (Debian/GNU) @@ -350,10 +353,16 @@ ORIGIN_PORT="1917"     :: /etc/inetd.conf -       127.0.0.1:$ORIGIN_PORT  stream  tcp     nowait  root    /usr/bin/ssh    -q -T -i /root/.ssh/$TUNNEL_KEY_FILE $TUNNEL_USER@example.com +       127.0.0.1:$ORIGIN_PORT  stream  tcp     nowait  root    /usr/bin/ssh    -q -T -i $TUNNEL_KEY_FILE $TUNNEL_USER@destination.example.com      sudo service openbsd-inetd restart +5. Whitelist the listening port on the origin host: + +   :: /etc/rkhunter.conf + +      INETD_ALLOWED_SVC=127.0.0.1:$ORIGIN_PORT +  You should now be able to connect through the tunnel from the originating  host using something like:  | 
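Review bot: In the first hunk (@@ -290), `sudo ssh-keygen -N "" -b 4096 -f $TUNNEL_KEY_FILE` does not pin the key type, so `-b 4096` only means what it is meant to if the default type happens to be RSA; add `-t rsa` explicitly. The empty passphrase is unavoidable for a key that inetd will use non-interactively, so the notes should say that the real restriction lives on the destination side (the dedicated user and the `command=` option). The `test -f ... ||` guard is a good idempotency fix. Minor: ssh-keygen's default comment is `root@<origin hostname>`, which the `echo THE_PUBLIC_KEY=...` line then pastes into the destination's authorized_keys; pass `-C` with a neutral comment if the origin hostname should not be recorded there.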
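Review bot: In the @@ -313 hunk, `--shell=\`type rbash|cut -d' ' -f3\`` parses the English output of `type` ("rbash is /bin/rbash"); `--shell="$(command -v rbash)"` yields the path directly and does not break under a different locale or builtin wording. The `.bash_profile` containing `exit` is written via `sudo -u $TUNNEL_USER tee`, so it is owned by the tunnel user and is defence in depth only; the effective lockout is the forced `command=` added later. The new `chmod og-rwx "$TUNNEL_HOME"` is also what keeps sshd's StrictModes happy with a home directory under /var/lib/inetd, so it is worth a comment saying so.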
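Review bot: In the @@ -329 hunk, the option list `no-X11-forwarding,no-agent-forwarding,no-port-forwarding` omits `no-pty`, and there is no `from=` clause; add `no-pty` and consider `from="<origin address>"` so the passphrase-less key is only usable from the originating host. `authorized_keys2` is a legacy filename that OpenSSH still reads only through its default `AuthorizedKeysFile`; plain `authorized_keys` is the safer target. The `sudo grep -Fxq "$ALLOWED_KEY" ...` guard works but prints an error and returns 2 when the file does not exist yet; a preceding `sudo -u $TUNNEL_USER touch $TUNNEL_HOME/.ssh/authorized_keys2` keeps the step quiet. Switching `nc localhost` to `nc 127.0.0.1` is a good change, since it removes the dependency on how `localhost` resolves.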
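Review bot: In the @@ -350 hunk, the ssh started by inetd as root runs with only `-q -T`, so it can still stop on a host-key prompt with a socket as stdin and silently depends on the known_hosts entry created by the interactive test in step 3; add `-o BatchMode=yes -o StrictHostKeyChecking=yes` (optionally a pinned `-o UserKnownHostsFile=`) so an unknown or changed destination key fails loudly instead of hanging. The `/etc/inetd.conf` and `/etc/rkhunter.conf` fragments also contain `$ORIGIN_PORT`, `$TUNNEL_KEY_FILE` and `$TUNNEL_USER`, which neither inetd nor rkhunter expands; the text should state that the literal values must be substituted. Fixing `example.com` to `destination.example.com` in the inetd line is a welcome consistency fix with step 3.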
