SSH tips: connection behind firewall


This is a nice working fix. However, I want direct access to my desktop behind the firewall via nx. This is at the top of my TODO list.

Rationale

Sometimes your university takes security seriously and firewalls every computer on its intranet, even the ones you need to reach from outside. The following steps set up a comfortable, nearly transparent SSH tunnel through the firewall. All that is needed is a computer outside the firewall with SSH access that can act as a relay.
The required software should already be installed on any current Unix system: a secure shell client/server and netcat (nc).

Server Configuration

Login to the computer behind the firewall.

  1. Generate a new SSH key pair that will be used only to authenticate the tunnel. It gets no passphrase so that the login can happen automatically.
    ssh-keygen -f ~/.ssh/tunnel-id -t rsa -N ""
  2. Create a new entry in your ~/.ssh/config that will be used to initiate the tunnel. Give the Host entry an uncommon name so that you can still log in to the relay computer normally. The entry forwards port 11111 on the loopback interface of the relay computer to the SSH port on the loopback interface of the server.
    Host relay
    HostName relay.hostname.com
    RemoteForward 11111 localhost:22
    IdentityFile  ~/.ssh/tunnel-id
  3. Copy the public key to the relay server:
    ssh-copy-id -i .ssh/tunnel-id relay.hostname.com
  4. To make it easy to start the tunnel, create a script in ~/bin/setup-tunnel.sh:
    #!/bin/bash
    # Reconnect forever: whenever the ssh session ends (network drop or the
    # relay's forced "sleep" expiring), wait a second and start it again.
    # stdin comes from /dev/null so no terminal is needed; disown detaches
    # the loop from the shell that started it.
    while true; do
        /usr/bin/ssh relay
        sleep 1
    done < /dev/null & disown

Relay Configuration

Login to the relay computer.

  1. ssh-copy-id appended the public key to the ~/.ssh/authorized_keys file. Because we want to limit the havoc that this passphrase-less key could cause, change the entry that was just created from
    ssh-rsa AAAAB3...= user@server.domain.com

    to

    command="sleep 604800" ssh-rsa AAAAB3...= user@server.domain.com

    This gives the tunnel a lifetime of one week, lets it run without a local terminal on the server side (stdin was redirected from /dev/null in the script) and replaces whatever command the client asks for with sleep, so nothing else can be executed with this key.
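    The following shell function builds that restricted authorized_keys line from a public-key line read on stdin. It is an added example, not code from the original post: the function name and the sample key are constructed, and it goes beyond the post by also adding no-pty, no-agent-forwarding, no-X11-forwarding and permitlisten (the last needs OpenSSH 7.8 or newer on the relay) so the key can do nothing except hold open the one reverse forward.

```shell
#!/bin/sh
# Added example (not from the original post). Assumed names: the function
# restrict_tunnel_key and the constructed SAMPLE_PUBKEY below.
# Usage: restrict_tunnel_key LIFETIME_SECONDS FORWARD_PORT < ~/.ssh/tunnel-id.pub

# Constructed sample public key line (the blob is a placeholder, not a real key).
SAMPLE_PUBKEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEexampleEXAMPLEexample user@server.domain.com'

restrict_tunnel_key() {
    lifetime="$1"   # seconds the forced "sleep" keeps the session alive
    port="$2"       # the only RemoteForward port this key may bind on the relay

    # One authorized_keys / .pub line: key type, base64 blob, optional comment.
    read -r ktype kblob kcomment || return 1
    case "$ktype" in
        ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) echo "unsupported key type: $ktype" >&2; return 1 ;;
    esac
    [ -n "$kblob" ] || { echo "missing key material" >&2; return 1; }

    # Options from the sshd(8) AUTHORIZED_KEYS FILE FORMAT section:
    #   command="sleep N"      replaces any command the client requests
    #   no-pty, no-agent-forwarding, no-X11-forwarding
    #                          nothing but the port forward is available
    #   permitlisten="host:port" (OpenSSH >= 7.8) only this reverse forward may be bound
    opts="command=\"sleep $lifetime\",no-pty,no-agent-forwarding,no-X11-forwarding"
    opts="$opts,permitlisten=\"localhost:$port\""
    printf '%s %s %s%s\n' "$opts" "$ktype" "$kblob" "${kcomment:+ $kcomment}"
}
```

    Feed it the server's tunnel-id.pub and paste the output over the line ssh-copy-id added on the relay.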

Client Configuration

Login to the client computer.

  1. To connect transparently to the server through the tunnel, we use netcat on the relay computer and a ProxyCommand in the ~/.ssh/config file on the client. Add a new entry with
    Host server
    HostName server.hostname.com
    ProxyCommand ssh relay.hostname.com bin/nc localhost 11111

Usage

Whenever you want to have the tunnel enabled, start ~/bin/setup-tunnel.sh on the server. Afterwards you will be able to connect from the client with ssh server. You will be asked for a password two times, once for the relay and once for the server.
The following diagram shows the general idea of the created tunnel:

+--------+       (          )      +----------------------+
| Client |------(  Internet  )---->|  relay.hostname.com  |
+--------+       (          )      +----------------------+
    :                                         /|\          
    :                                          |           
    :                                        [ X ]         
    :                                          |           
    : Forwarded ssh connection      +-------------------+  
    :..............................>| server.domain.com |  
      over "server" ssh alias       +-------------------+  
                                                           
--- real connection                                        
... virtual connection                                     
[X] switch

3 responses to “SSH tips: connection behind firewall”

  1. Can you please explain exactly what the last line of this does, and why it is needed?

    while true; do
        /usr/bin/ssh relay
        sleep 1
    done < /dev/null & disown
