author: Guilhem Moulin <guilhem.moulin@fripost.org> 2013-01-10 20:43:43 +0100
committer: Guilhem Moulin <guilhem.moulin@fripost.org> 2013-01-10 20:43:51 +0100
commit: 039a05948785e24e323d1b9fe2d672f9cfebcd5b (patch)
tree: 72a6909ae7f38c2bb474a6b423c5cecab0dfb511
parent: aa267aac7674500808de42538884e2ee8e672672 (diff)
More systematic procedure to create SSH tunnels.
-rw-r--r-- fripost-docs.org 35
1 files changed, 22 insertions, 13 deletions
diff --git a/fripost-docs.org b/fripost-docs.org
index 64785d8..5aa355f 100644
--- a/fripost-docs.org
+++ b/fripost-docs.org
@@ -290,20 +290,20 @@ incoming SMTP = the Mail Submission Agent (MSA), that will receive emails from o
# originating host = the host that will be connecting
# destination host = the host that runs some service
-# Begin by setting a few environment variables:
+# Begin by setting a few environment variables on both sides:
-TUNNEL_KEY_FILE="my_tunnel_key"
-TUNNEL_USER="tunneluser"
-TUNNEL_HOME="/home/$TUNNEL_USER"
DEST_PORT="25"
ORIGIN_PORT="1917"
+TUNNEL_USER="tunnel_service" # e.g., tunnel_ldap or tunnel_smtp (grep -P "\b${DEST_PORT}\b" /etc/services)
+TUNNEL_KEY_FILE="/root/.ssh/${TUNNEL_USER}_key"
+TUNNEL_HOME="/var/lib/inetd/${TUNNEL_USER}"
**** Prepare origin
1. Create a key on the originating host:
- sudo ssh-keygen -N "" -b 4096 -f /root/.ssh/$TUNNEL_KEY_FILE
- sudo cat /root/.ssh/$TUNNEL_KEY_FILE.pub
+ sudo test -f $TUNNEL_KEY_FILE || sudo ssh-keygen -N "" -b 4096 -f $TUNNEL_KEY_FILE
+ echo THE_PUBLIC_KEY="'$(sudo cat $TUNNEL_KEY_FILE.pub)'"
**** Prepare destination
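Review bot: `sudo test -f $TUNNEL_KEY_FILE || sudo ssh-keygen -N "" -b 4096 -f $TUNNEL_KEY_FILE` leaves `$TUNNEL_KEY_FILE` unquoted while the next hunk quotes `"$TUNNEL_HOME"` and `"$TUNNEL_USER"`; quote it here too, and say explicitly that the key is deliberately created without a passphrase (`-N ""`) because inetd will invoke ssh non-interactively, so its protection rests entirely on the permissions of /root/.ssh. The new comment "on both sides" is also slightly misleading: `TUNNEL_KEY_FILE` is only used on the origin and `TUNNEL_HOME` only on the destination, and a destination home directory under `/var/lib/inetd/` is confusing since inetd runs on the origin host; a path that does not name inetd, e.g. `/var/lib/${TUNNEL_USER}`, would read better.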
@@ -313,9 +313,10 @@ ORIGIN_PORT="1917"
2b. Create a new user on the destination host:
- sudo adduser --system --home=$TUNNEL_HOME --shell=`type rbash|cut -d' ' -f3` \
- $TUNNEL_USER
- echo "exit" | sudo -u $TUNNEL_USER tee $TUNNEL_HOME/.bash_profile
+ sudo adduser --system --home="$TUNNEL_HOME" --shell=`type rbash|cut -d' ' -f3` \
+ "$TUNNEL_USER"
+ sudo chmod og-rwx "$TUNNEL_HOME"
+ echo "exit" | sudo -u $TUNNEL_USER tee "$TUNNEL_HOME/.bash_profile"
# Note: We need bash, so we can not change the shell to something else.
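Review bot: `--shell=\`type rbash|cut -d' ' -f3\`` depends on the exact wording of bash's `type` output ("rbash is /bin/rbash") and is left unquoted; `--shell="$(command -v rbash)"` is more robust. `$TUNNEL_USER` is quoted on the `adduser` line but still unquoted on the `sudo -u $TUNNEL_USER tee` line; keep it consistent. The added `sudo chmod og-rwx "$TUNNEL_HOME"` is a good change, and worth a comment: besides hiding the directory from other users, sshd's default `StrictModes yes` refuses logins whose home directory is group- or world-writable, so this also prevents a hard-to-diagnose login failure.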
@@ -329,14 +330,16 @@ ORIGIN_PORT="1917"
THE_PUBLIC_KEY="ssh-rsa xxxxxxxxxxx" # from above
- sudo -u $TUNNEL_USER mkdir -p $TUNNEL_HOME/.ssh
- echo "command=\"nc localhost $DEST_PORT\",no-X11-forwarding,no-agent-forwarding,no-port-forwarding $THE_PUBLIC_KEY" | sudo -u $TUNNEL_USER tee -a $TUNNEL_HOME/.ssh/authorized_keys2
+ sudo -u $TUNNEL_USER mkdir -m 700 -p $TUNNEL_HOME/.ssh
+ ALLOWED_KEY="command=\"nc 127.0.0.1 $DEST_PORT\",no-X11-forwarding,no-agent-forwarding,no-port-forwarding $THE_PUBLIC_KEY"
+ sudo grep -Fxq "$ALLOWED_KEY" $TUNNEL_HOME/.ssh/authorized_keys2 || \
+ echo "$ALLOWED_KEY" | sudo -u $TUNNEL_USER tee -a $TUNNEL_HOME/.ssh/authorized_keys2
**** Set up the tunnel
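Review bot: the forced-command options omit `no-pty`; since the command is pinned to `nc 127.0.0.1 $DEST_PORT` a pty is never needed, so the line should read `command="nc 127.0.0.1 $DEST_PORT",no-pty,no-X11-forwarding,no-agent-forwarding,no-port-forwarding $THE_PUBLIC_KEY`. `authorized_keys2` is the legacy filename and only works while sshd's `AuthorizedKeysFile` default still lists it; `authorized_keys` is the safer choice. The `sudo grep -Fxq "$ALLOWED_KEY" ... ||` guard makes the step idempotent, but on the first run the file does not exist yet and grep prints a "No such file or directory" error before the `tee -a` runs; `2>/dev/null` on the grep would silence that without changing the logic. Switching `localhost` to `127.0.0.1` is a good fix, since `localhost` may resolve to `::1` where the service is not listening.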
3. Test the key on the originating host:
- sudo ssh -v -l $TUNNEL_USER -i /root/.ssh/$TUNNEL_KEY_FILE destination.example.com
+ sudo ssh -v -l $TUNNEL_USER -i $TUNNEL_KEY_FILE destination.example.com
# Comment: You should be greeted by e.g.:
# 220 mistral.fripost.org ESMTP Postfix (Debian/GNU)
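Review bot: this interactive test is also where root's known_hosts entry for destination.example.com gets created, and the inetd command in the last hunk runs `ssh -q -T` with no way to answer a host-key prompt; the step should tell the reader to verify the destination's host-key fingerprint out of band before answering `yes`, because accepting it here is a trust-on-first-use decision that every later tunnel connection inherits.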
@@ -350,10 +353,16 @@ ORIGIN_PORT="1917"
:: /etc/inetd.conf
- 127.0.0.1:$ORIGIN_PORT stream tcp nowait root /usr/bin/ssh -q -T -i /root/.ssh/$TUNNEL_KEY_FILE $TUNNEL_USER@example.com
+ 127.0.0.1:$ORIGIN_PORT stream tcp nowait root /usr/bin/ssh -q -T -i $TUNNEL_KEY_FILE $TUNNEL_USER@destination.example.com
sudo service openbsd-inetd restart
+5. Whitelist the listening port on the origin host:
+
+ :: /etc/rkhunter.conf
+
+ INETD_ALLOWED_SVC=127.0.0.1:$ORIGIN_PORT
+
You should now be able to connect through the tunnel from the originating
host using something like:
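Review bot: `/etc/inetd.conf` and `/etc/rkhunter.conf` are not read by a shell, so `$ORIGIN_PORT`, `$TUNNEL_KEY_FILE` and `$TUNNEL_USER` must be written there as literal values; the text should say so, or show the expanded line using the example values from the first hunk, e.g. `127.0.0.1:1917 stream tcp nowait root /usr/bin/ssh -q -T -i /root/.ssh/tunnel_smtp_key tunnel_smtp@destination.example.com` and `INETD_ALLOWED_SVC=127.0.0.1:1917`. With `-q`, ssh failures are silent, so adding `-o BatchMode=yes` would make a missing known_hosts entry or a rejected key fail immediately instead of hanging on a prompt under inetd. The new step 5 is a sensible addition: whitelisting the listener keeps rkhunter from flagging the inetd entry after each run.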