Re: Setting up tunnel across multiple systems?
From: Hemant Shah (shah_at_typhoon.xnet.com)
Date: 06/14/05
- Next message: Richard E. Silverman: "Re: Setting up tunnel across multiple systems?"
- Previous message: Martin Ouwehand: "Re: log tunneled connections"
- In reply to: Darren Tucker: "Re: Setting up tunnel across multiple systems?"
- Next in thread: Richard E. Silverman: "Re: Setting up tunnel across multiple systems?"
- Reply: Richard E. Silverman: "Re: Setting up tunnel across multiple systems?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 14 Jun 2005 17:22:28 +0000 (UTC)
While stranded on information super highway Darren Tucker wrote:
> On 2005-06-12, Hemant Shah <shah@typhoon.xnet.com> wrote:
>> Here is an added complication I forgot to mention.
>>
>> I want multiple users on system A to be able to log in to system C.
>> Usernames on system A and system C are the same, but system B only has one
>> common account. All users on system A log in as one user on system B and then
>> log in to system C with the same username as on system A.
>
> In that case, you *really* don't want Richard's first suggestion ("ssh
> -tA B ssh C").
>
> Apart from being vulnerable to a MITM attack (all of the traffic will
> pass through the pty layer on "B" unencrypted and could be intercepted
> or modified by an attacker compromising "B"), anyone with access to the
> common account will also have access to your authentication agent via
> the agent forwarding socket and can log into "C" as you.
>
> The other two suggestions don't have that problem. Personally I prefer
> the 2nd option (ssh -oProxyCommand="ssh -qax B nc C 22" C); however, it
> does need you to install a binary on "B", although you don't need
> root perms for it. (Some versions of "nc" will hang around after the
> sshd exits; you can either get a fixed version or use something else like
> "connect".)
Here is how I got it working, based on the SSH Definitive Guide, 2nd edition,
chapter 11.
1) I generated a DSA key on system A.
2) Copied the public key to system B (authorized_keys),
so I could log in from A to B.
3) I also copied my private key to system B and the public key to system C.
4) On system B I added the following to the authorized_keys file:
command="sh -c 'ssh -i private_key_file userA@systemc ${SSH_ORIGINAL_COMMAND:-}'"
This, I believe, is the same as specifying the "-oProxyCommand" option described
in the 2nd option.
This allows me to log in from A to C, but I do not like keeping my private
key on system B. Anyone with root access can see it.
Is there a better way of doing it?
Thanks.
>
> --
> Darren Tucker (dtucker at zip.com.au)
> GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
> Good judgement comes with experience. Unfortunately, the experience
> usually comes from bad judgement.
--
Hemant Shah                            /"\  ASCII ribbon campaign
E-mail: NoJunkMailshah@xnet.com        \ /  ---------------------
                                        X   against HTML mail
TO REPLY, REMOVE NoJunkMail            / \  and postings
FROM MY E-MAIL ADDRESS.
-----------------[DO NOT SEND UNSOLICITED BULK E-MAIL]------------------
I haven't lost my mind,                Above opinions are mine only.
it's backed up on tape somewhere.      Others can have their own.
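An added defender-side check for the shared account on B that the ProxyCommand/nc option in the thread relies on: it audits an authorized_keys entry for the restrictions that close the agent-forwarding and pty exposure Darren describes. This is example code, not from the thread; the function names, the sample authorized_keys lines and the key material are constructed.

```shell
#!/bin/sh
# Audit the forced-command entry on the shared hop account ("B" in the thread).
# The relay on B should only run the forced command (e.g. nc C 22): no pty, no
# agent/port/X11 forwarding, and a from= limit on where the key may be used.
# "restrict" (OpenSSH 7.2+) is accepted as shorthand for the four no-* options.

# Options field of an authorized_keys line: everything before the key type.
# Prints nothing when the line carries no options at all.
ak_options() {
    printf '%s\n' "$1" | sed -E 's/ ?(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp[0-9]+) .*$//'
}

# Prints "ok" when the entry is fully restricted, else "missing:" and the
# option names that are absent.
ak_audit() {
    opts=$(ak_options "$1")
    missing=""
    case ",$opts," in *,command=*) ;; *) missing="$missing command" ;; esac
    case ",$opts," in *,from=*)    ;; *) missing="$missing from" ;; esac
    case ",$opts," in
        *,restrict,*) ;;
        *)
            for r in no-agent-forwarding no-port-forwarding no-pty no-X11-forwarding; do
                case ",$opts," in *,$r,*) ;; *) missing="$missing $r" ;; esac
            done ;;
    esac
    if [ -z "$missing" ]; then echo ok; else echo "missing:$missing"; fi
}

# Constructed sample entries; the key blob is a placeholder, not a real key.
WEAK='command="nc systemc 22" ssh-dss AAAAB3NzaC1kc3MAAACBplaceholder= userA@systema'
HARD='from="systema.example",restrict,command="nc systemc 22" ssh-dss AAAAB3NzaC1kc3MAAACBplaceholder= userA@systema'
BARE='ssh-dss AAAAB3NzaC1kc3MAAACBplaceholder= userA@systema'

for line in "$WEAK" "$HARD" "$BARE"; do
    ak_audit "$line"
done
```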