author    Stefan Kangas <skangas@skangas.se>  2011-10-04 16:47:34 +0200
committer Stefan Kangas <skangas@skangas.se>  2011-10-04 16:47:34 +0200
commit    8a2f42750f1168bea4099631abe17a19e80ed5c9 (patch)
tree      0a3271d2ef34a2f60f1a82c0b632aa03bd980fa0
parent    89babf22a6302f2ac26b7672db4f1ff2464e9b84 (diff)
Improve ssh tunnel documentation
-rw-r--r--  fripost-docs.org | 45
1 file changed, 23 insertions, 22 deletions
diff --git a/fripost-docs.org b/fripost-docs.org
index a490ce5..87b8310 100644
--- a/fripost-docs.org
+++ b/fripost-docs.org
@@ -298,24 +298,23 @@ smarthost = the server receiving email from the internet (configured as MX)
*** Configuring an SSH tunnel between two hosts
- Definitions:
- originating host = the host that will be connecting
- destination host = the host that runs some service
+# Definitions:
+# originating host = the host that will be connecting
+# destination host = the host that runs some service
- Begin by setting a few environment variables:
+# Begin by setting a few environment variables:
- TUNNEL_KEY="my_tunnel_key"
- TUNNEL_USER="tunneluser"
- TUNNEL_HOME="/home/$TUNNEL_USER"
- DEST_PORT="25"
- ORIGIN_PORT="1917"
+TUNNEL_KEY_FILE="my_tunnel_key"
+TUNNEL_USER="tunneluser"
+TUNNEL_HOME="/home/$TUNNEL_USER"
+DEST_PORT="25"
+ORIGIN_PORT="1917"
**** Prepare origin
1. Create a key on the originating host:
sudo ssh-keygen -N "" -b 4096 -f /root/.ssh/$TUNNEL_KEY_FILE
- sudo ssh-keygen -N "" -b 4096 -f /root/.ssh/$TUNNEL_KEY_FILE
sudo cat /root/.ssh/$TUNNEL_KEY_FILE.pub
**** Prepare destination
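Review bot: the key created in step 1 with `ssh-keygen -N ""` has no passphrase, which is unavoidable for a key that inetd-spawned ssh must use unattended, but it means anyone who can read `/root/.ssh/$TUNNEL_KEY_FILE` can open the tunnel; the doc should say the file must stay root-only (ssh-keygen creates it 0600, so nothing more is needed as long as nobody copies it elsewhere) and point forward to the `command=` restriction on the destination as the control that limits what a stolen key can do. Renaming `TUNNEL_KEY` to `TUNNEL_KEY_FILE` correctly fixes the mismatch with the `ssh-keygen -f /root/.ssh/$TUNNEL_KEY_FILE` line, and dropping the duplicated ssh-keygen command is right. Note that turning the definitions into `#` lines makes them org-mode comments, so they no longer appear in an exported document; if that is intended (the section is meant to be pasted into a shell), say so in the text.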
@@ -330,35 +329,37 @@ smarthost = the server receiving email from the internet (configured as MX)
--disabled-password $TUNNEL_USER
echo "exit" | sudo -u $TUNNEL_USER tee $TUNNEL_HOME/.bash_profile
- # Also, make sure to add this user to AllowUsers in /etc/ssh/sshd_config.
-
# Note: We need bash, so we can not change the shell to something else.
-2c. Add the public key from above to this user:
+2c. Add $TUNNEL_USER to AllowUsers in /etc/ssh/sshd_config.
+
+ sudo /etc/init.d/ssh restart
+
+ # make sure the host is still reachable
- THE_PUBLIC_KEY="ssh-rsa xxxxxxxxxxx"
+2d. Add the public key from above to this user:
+
+ THE_PUBLIC_KEY="ssh-rsa xxxxxxxxxxx" # from above
sudo -u $TUNNEL_USER mkdir -p $TUNNEL_HOME/.ssh
- echo "command=\"nc localhost $DEST_PORT\",no-X11-forwarding,no-agent-forwarding,\
-no-port-forwarding $THE_PUBLIC_KEY" | sudo -u $TUNNEL_USER tee -a $TUNNEL_HOME/.ssh/authorized_keys2
+ echo "command=\"nc localhost $DEST_PORT\",no-X11-forwarding,no-agent-forwarding,no-port-forwarding $THE_PUBLIC_KEY" | sudo -u $TUNNEL_USER tee -a $TUNNEL_HOME/.ssh/authorized_keys2
**** Set up the tunnel
-4. Test the key on the originating host:
+3. Test the key on the originating host:
sudo ssh -v -l $TUNNEL_USER -i /root/.ssh/$TUNNEL_KEY_FILE destination.example.com
-5. Configure openbsd-inetd on the originating host:
+4. Configure openbsd-inetd on the originating host:
# Comment: We use inetd instead of ssh -L because, among other things, ssh
# -L tends to hang.
sudo aptitude install openbsd-inetd
-:: /etc/inetd.conf
-
- 127.0.0.1:$ORIGIN_PORT stream tcp nowait root /usr/bin/ssh -q -T -i /root/.ssh/$TUNNEL_KEY_FILE smtptunnel@example.com
-
+ :: /etc/inetd.conf
+
+ 127.0.0.1:$ORIGIN_PORT stream tcp nowait root /usr/bin/ssh -q -T -i /root/.ssh/$TUNNEL_KEY_FILE $TUNNEL_USER@example.com
sudo /etc/init.d/openbsd-inetd restart
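Review bot: the authorized_keys entry in step 2d should also carry `no-pty` alongside `no-X11-forwarding,no-agent-forwarding,no-port-forwarding`, so the forced `nc localhost $DEST_PORT` is the only thing the key can obtain and no interactive terminal is ever allocated; consider writing to `authorized_keys` rather than `authorized_keys2`, since the latter is a legacy name that not every sshd's `AuthorizedKeysFile` setting still includes. In step 2c, `sudo /etc/init.d/ssh restart` after editing `AllowUsers` is the point where a typo locks you out, so the "make sure the host is still reachable" comment should tell the reader to keep the current session open and confirm a fresh login before closing it. In step 4, `/etc/inetd.conf` is not read by a shell, so `$ORIGIN_PORT`, `$TUNNEL_KEY_FILE` and `$TUNNEL_USER` will not be expanded and the literal values must be written into the file, and the host there (`$TUNNEL_USER@example.com`) differs from the one tested in step 3 (`destination.example.com`); make them the same so the host key accepted during the test is the one inetd's root-run ssh later trusts.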