From 8a2f42750f1168bea4099631abe17a19e80ed5c9 Mon Sep 17 00:00:00 2001
From: Stefan Kangas
Date: Tue, 4 Oct 2011 16:47:34 +0200
Subject: Improve ssh tunnel documentation
---
fripost-docs.org | 45 +++++++++++++++++++++++----------------------
1 file changed, 23 insertions(+), 22 deletions(-)
(limited to 'fripost-docs.org')
diff --git a/fripost-docs.org b/fripost-docs.org
index a490ce5..87b8310 100644
--- a/fripost-docs.org
+++ b/fripost-docs.org
@@ -298,23 +298,22 @@ smarthost = the server receiving email from the internet (configured as MX)
 *** Configuring an SSH tunnel between two hosts
- Definitions:
- originating host = the host that will be connecting
- destination host = the host that runs some service
+# Definitions:
+# originating host = the host that will be connecting
+# destination host = the host that runs some service
- Begin by setting a few environment variables:
+# Begin by setting a few environment variables:
- TUNNEL_KEY="my_tunnel_key"
- TUNNEL_USER="tunneluser"
- TUNNEL_HOME="/home/$TUNNEL_USER"
- DEST_PORT="25"
- ORIGIN_PORT="1917"
+TUNNEL_KEY_FILE="my_tunnel_key"
+TUNNEL_USER="tunneluser"
+TUNNEL_HOME="/home/$TUNNEL_USER"
+DEST_PORT="25"
+ORIGIN_PORT="1917"
 **** Prepare origin
 1. Create a key on the originating host:
- sudo ssh-keygen -N "" -b 4096 -f /root/.ssh/$TUNNEL_KEY_FILE
 sudo ssh-keygen -N "" -b 4096 -f /root/.ssh/$TUNNEL_KEY_FILE
 sudo cat /root/.ssh/$TUNNEL_KEY_FILE.pub
@@ -330,35 +329,37 @@ smarthost = the server receiving email from the internet (configured as MX)
 --disabled-password $TUNNEL_USER
 echo "exit" | sudo -u $TUNNEL_USER tee $TUNNEL_HOME/.bash_profile
- # Also, make sure to add this user to AllowUsers in /etc/ssh/sshd_config.
- # Note: We need bash, so we can not change the shell to something else.
-2c. Add the public key from above to this user:
+2c. Add $TUNNEL_USER to AllowUsers in /etc/ssh/sshd_config.
+
+ sudo /etc/init.d/ssh restart
+
+ # make sure the host is still reachable
- THE_PUBLIC_KEY="ssh-rsa xxxxxxxxxxx"
+2d. Add the public key from above to this user:
+
+ THE_PUBLIC_KEY="ssh-rsa xxxxxxxxxxx" # from above
 sudo -u $TUNNEL_USER mkdir -p $TUNNEL_HOME/.ssh
- echo "command=\"nc localhost $DEST_PORT\",no-X11-forwarding,no-agent-forwarding,\
-no-port-forwarding $THE_PUBLIC_KEY" | sudo -u $TUNNEL_USER tee -a $TUNNEL_HOME/.ssh/authorized_keys2
+ echo "command=\"nc localhost $DEST_PORT\",no-X11-forwarding,no-agent-forwarding,no-port-forwarding $THE_PUBLIC_KEY" | sudo -u $TUNNEL_USER tee -a $TUNNEL_HOME/.ssh/authorized_keys2
 **** Set up the tunnel
-4. Test the key on the originating host:
+3. Test the key on the originating host:
 sudo ssh -v -l $TUNNEL_USER -i /root/.ssh/$TUNNEL_KEY_FILE destination.example.com
-5. Configure openbsd-inetd on the originating host:
+4. Configure openbsd-inetd on the originating host:
 # Comment: We use inetd instead of ssh -L because, among other things, ssh
 # -L tends to hang.
 sudo aptitude install openbsd-inetd
-:: /etc/inetd.conf
-
- 127.0.0.1:$ORIGIN_PORT stream tcp nowait root /usr/bin/ssh -q -T -i /root/.ssh/$TUNNEL_KEY_FILE smtptunnel@example.com
-
+ :: /etc/inetd.conf
+
+ 127.0.0.1:$ORIGIN_PORT stream tcp nowait root /usr/bin/ssh -q -T -i /root/.ssh/$TUNNEL_KEY_FILE $TUNNEL_USER@example.com
 sudo /etc/init.d/openbsd-inetd restart
-- cgit v1.2.3