From 039a05948785e24e323d1b9fe2d672f9cfebcd5b Mon Sep 17 00:00:00 2001
From: Guilhem Moulin
Date: Thu, 10 Jan 2013 20:43:43 +0100
Subject: More systematic procedure to create SSH tunnels.
---
 fripost-docs.org | 35 ++++++++++++++++++++++-------------
 1 file changed, 22 insertions(+), 13 deletions(-)
diff --git a/fripost-docs.org b/fripost-docs.org
index 64785d8..5aa355f 100644
--- a/fripost-docs.org
+++ b/fripost-docs.org
@@ -290,20 +290,20 @@ incoming SMTP = the Mail Submission Agent (MSA), that will receive emails from o
 # originating host = the host that will be connecting
 # destination host = the host that runs some service
-# Begin by setting a few environment variables:
+# Begin by setting a few environment variables on both sides:
-TUNNEL_KEY_FILE="my_tunnel_key"
-TUNNEL_USER="tunneluser"
-TUNNEL_HOME="/home/$TUNNEL_USER"
 DEST_PORT="25"
 ORIGIN_PORT="1917"
+TUNNEL_USER="tunnel_service" # e.g., tunnel_ldap or tunnel_smtp (grep -P "\b${DEST_PORT}\b" /etc/services)
+TUNNEL_KEY_FILE="/root/.ssh/${TUNNEL_USER}_key"
+TUNNEL_HOME="/var/lib/inetd/${TUNNEL_USER}"
 **** Prepare origin
 1. Create a key on the originating host:
- sudo ssh-keygen -N "" -b 4096 -f /root/.ssh/$TUNNEL_KEY_FILE
- sudo cat /root/.ssh/$TUNNEL_KEY_FILE.pub
+ sudo test -f $TUNNEL_KEY_FILE || sudo ssh-keygen -N "" -b 4096 -f $TUNNEL_KEY_FILE
+ echo THE_PUBLIC_KEY="'$(sudo cat $TUNNEL_KEY_FILE.pub)'"
 **** Prepare destination
@@ -313,9 +313,10 @@ ORIGIN_PORT="1917"
 2b. Create a new user on the destination host:
- sudo adduser --system --home=$TUNNEL_HOME --shell=`type rbash|cut -d' ' -f3` \
- $TUNNEL_USER
- echo "exit" | sudo -u $TUNNEL_USER tee $TUNNEL_HOME/.bash_profile
+ sudo adduser --system --home="$TUNNEL_HOME" --shell=`type rbash|cut -d' ' -f3` \ "$TUNNEL_USER"
+ sudo chmod og-rwx "$TUNNEL_HOME"
+ echo "exit" | sudo -u $TUNNEL_USER tee "$TUNNEL_HOME/.bash_profile"
 # Note: We need bash, so we can not change the shell to something else.
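Review bot: Nothing in the new key step checks, on the destination side, that the pasted `THE_PUBLIC_KEY` is the key that was just generated on the origin; the fingerprint should be compared before it is added, e.g. `sudo ssh-keygen -lf "$TUNNEL_KEY_FILE.pub"` on the origin and `ssh-keygen -lf <(echo "$THE_PUBLIC_KEY")` on the destination. The new `sudo test -f $TUNNEL_KEY_FILE || sudo ssh-keygen -N "" -b 4096 -f $TUNNEL_KEY_FILE` line leaves the path unquoted while the same commit quotes `"$TUNNEL_HOME"` and `"$TUNNEL_USER"` in the adduser step; `"$TUNNEL_KEY_FILE"` keeps the two consistent. Since `-N ""` deliberately stores an unencrypted private key that the inetd entry later in the document uses non-interactively, a comment such as `# unencrypted on purpose: invoked by inetd without a tty; must stay 0600 under /root/.ssh` would record the trade-off for the next reader.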
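Review bot: `--shell=\`type rbash|cut -d' ' -f3\`` depends on the exact wording of `type`'s output and, if rbash is not installed, expands to an empty `--shell=` and creates the account anyway; `--shell="$(command -v rbash)"` preceded by `command -v rbash >/dev/null || exit 1` fails closed instead. The rewritten adduser line quotes `"$TUNNEL_HOME"` and `"$TUNNEL_USER"`, but the following `sudo -u $TUNNEL_USER tee "$TUNNEL_HOME/.bash_profile"` still expands the user name unquoted — quote it for consistency. Because `.bash_profile` is written as the tunnel account, the account can rewrite it; that is fine only while the forced command on its key is the sole entry point, which is worth stating in a comment such as `# .bash_profile is owned by the account; real containment comes from the forced command on its key, not from this file`.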
@@ -329,14 +330,16 @@ ORIGIN_PORT="1917"
 THE_PUBLIC_KEY="ssh-rsa xxxxxxxxxxx" # from above
- sudo -u $TUNNEL_USER mkdir -p $TUNNEL_HOME/.ssh
- echo "command=\"nc localhost $DEST_PORT\",no-X11-forwarding,no-agent-forwarding,no-port-forwarding $THE_PUBLIC_KEY" | sudo -u $TUNNEL_USER tee -a $TUNNEL_HOME/.ssh/authorized_keys2
+ sudo -u $TUNNEL_USER mkdir -m 700 -p $TUNNEL_HOME/.ssh
+ ALLOWED_KEY="command=\"nc 127.0.0.1 $DEST_PORT\",no-X11-forwarding,no-agent-forwarding,no-port-forwarding $THE_PUBLIC_KEY"
+ sudo grep -Fxq "$ALLOWED_KEY" $TUNNEL_HOME/.ssh/authorized_keys2 || \ echo "$ALLOWED_KEY" | sudo -u $TUNNEL_USER tee -a $TUNNEL_HOME/.ssh/authorized_keys2
 **** Set up the tunnel
 3. Test the key on the originating host:
- sudo ssh -v -l $TUNNEL_USER -i /root/.ssh/$TUNNEL_KEY_FILE destination.example.com
+ sudo ssh -v -l $TUNNEL_USER -i $TUNNEL_KEY_FILE destination.example.com
 # Comment: You should be greeted by e.g.:
 # 220 mistral.fripost.org ESMTP Postfix (Debian/GNU)
@@ -350,10 +353,16 @@ ORIGIN_PORT="1917"
 :: /etc/inetd.conf
- 127.0.0.1:$ORIGIN_PORT stream tcp nowait root /usr/bin/ssh -q -T -i /root/.ssh/$TUNNEL_KEY_FILE $TUNNEL_USER@example.com
+ 127.0.0.1:$ORIGIN_PORT stream tcp nowait root /usr/bin/ssh -q -T -i $TUNNEL_KEY_FILE $TUNNEL_USER@destination.example.com
 sudo service openbsd-inetd restart
+5. Whitelist the listening port on the origin host: + :: /etc/rkhunter.conf + INETD_ALLOWED_SVC=127.0.0.1:$ORIGIN_PORT + You should now be able to connect through the tunnel from the originating host using something like:
-- cgit v1.2.3
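Review bot: The option list in the new `ALLOWED_KEY=` line still omits `no-pty`, so a holder of the origin key can ask for a pseudo-terminal around `nc`; adding it costs nothing: `ALLOWED_KEY="command=\"nc 127.0.0.1 $DEST_PORT\",no-pty,no-X11-forwarding,no-agent-forwarding,no-port-forwarding $THE_PUBLIC_KEY"`. The step-3 test `sudo ssh -v -l $TUNNEL_USER -i $TUNNEL_KEY_FILE destination.example.com` is also the moment root's known_hosts entry for the destination is first accepted, and the inetd invocation in the next hunk relies on that entry, so the text should tell the reader to compare the fingerprint shown here with one obtained out of band before answering yes. `authorized_keys2` is a legacy file name that only works while sshd's `AuthorizedKeysFile` still lists it; appending to `authorized_keys` instead avoids a silent tunnel outage if that default changes.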
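Review bot: In the new inetd line, `ssh -q -T -i $TUNNEL_KEY_FILE $TUNNEL_USER@destination.example.com` runs with the client socket as its stdin/stdout/stderr and `-q` suppresses ssh's own diagnostics, so an unknown or changed destination host key simply drops the connection with nothing from ssh to explain it; add `-o BatchMode=yes -o StrictHostKeyChecking=yes -o IdentitiesOnly=yes` so the failure is a definite refusal rather than an attempted prompt, and where the installed OpenSSH supports it add `-y` so the refusal reaches syslog instead of the socket. `$ORIGIN_PORT` and `$TUNNEL_KEY_FILE` in `/etc/inetd.conf`, and `$ORIGIN_PORT` in the new `INETD_ALLOWED_SVC=` line, are not expanded by inetd or rkhunter, so a note next to `:: /etc/inetd.conf` such as `# substitute the literal values; config files do not expand shell variables` would prevent a non-working copy-paste. The client is also spawned as root on every inbound localhost connection only because the key lives under `/root/.ssh`; a dedicated unprivileged owner for the key, its known_hosts and the inetd entry (`nowait <owner>` instead of `nowait root`) would shrink what a bug in ssh or nc could reach on the origin.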