Setting up an SSH Bouncer Server for Your SSH Connections
Installation
For what follows, I’ll base this on a standard Kubuntu 7.10 installation. We’ll need the following packages:
- sshfs
- tsocks
- afuse
If you use aptitude, install all three packages in one go (apt-get takes the same package names).
The installation shouldn’t pose any insurmountable problems, so I won’t elaborate further on this subject.
However, you must make sure that your user (in my case deimos) belongs to the fuse group: that group owns /dev/fuse, and without it an unprivileged user cannot create sshfs or afuse mounts. Check the output of id for your user.
If it does not, add the user to the group (Debian-derived systems offer two equivalent commands for this).
Group membership is read at login, so log out and back in if you are in a graphical session, or reopen your shell if you are SSH'ed into the machine. If you would rather not log out, you can start a subshell with the new group applied instead.
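As an added example (my own, not the article's listing), here is a small script that installs the packages and performs the group check the way I would: the membership test parses a group file, so it can be run against any file and not only the live /etc/group. The package list, the `install` argument and the /dev/fuse permission check are my assumptions about the setup.

```shell
#!/bin/sh
# Added example, not from the original article: install the packages and make
# sure the current user may use /dev/fuse (owned by root:fuse, mode 0660 on
# Ubuntu of this era).  Package list and the "install" argument are mine.
PACKAGES="sshfs tsocks afuse"

# Return 0 if USER is listed as a supplementary member of GROUP in GROUPFILE
# (default /etc/group).  The primary group is not consulted: "fuse" is never
# anybody's primary group, and /dev/fuse is what we care about.
user_in_group() {
    user=$1; group=$2; groupfile=${3:-/etc/group}
    members=$(awk -F: -v g="$group" '$1 == g { print $4 }' "$groupfile")
    case ",$members," in
        *",$user,"*) return 0 ;;
        *)           return 1 ;;
    esac
}

install_packages() {
    # aptitude as in the article; apt-get install takes the same arguments.
    sudo aptitude install $PACKAGES
}

ensure_fuse_group() {
    me=${USER:-$(id -un)}
    if user_in_group "$me" fuse; then
        echo "$me is already in group fuse"
        return 0
    fi
    sudo adduser "$me" fuse       # usermod -a -G fuse "$me" is the other way
    echo "membership takes effect at next login; 'newgrp fuse' applies it to this shell"
}

fuse_device_usable() {
    # The real test: can this shell open the device?  Fails until re-login/newgrp.
    [ -r /dev/fuse ] && [ -w /dev/fuse ]
}

main() {
    install_packages
    ensure_fuse_group
    if fuse_device_usable; then
        echo "/dev/fuse is accessible, sshfs and afuse will work from this shell"
    else
        echo "/dev/fuse not accessible yet: log out and back in, or run: newgrp fuse" >&2
        return 1
    fi
}

# Only do the real work when asked, so the helpers can be sourced or tested.
if [ "${1:-}" = "install" ]; then
    main
fi
```

Run it as `sh fuse-setup.sh install`; the group check is deliberately separate from the /dev/fuse check, because the first succeeds immediately after adduser while the second stays false until the session has been re-logged or a newgrp fuse subshell opened.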
Setting Up
The first step is to set up how we talk to the bouncer server, and in particular to switch to key-based authentication: we generate a key pair on the workstation and deposit the public key in the right directory of our account on the bouncer:
Generating the Key
Depositing the Key on the Bouncer Server
Alternatively, on Debian, the same deposit can be done with a single command.
This appends the public key we just generated to the list of keys authorized to log in to my account on the bouncer server. From then on, connecting to the bouncer machine no longer prompts for a password.
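The same procedure as an added example (my code, not the article's listings): generate the key, deposit the public key on the bouncer exactly once, and check that the login is now password-less. The host alias `bouncer`, the key path and the ed25519 key type are my assumptions (the article, from 2008, would have used the RSA default of the time), and the Debian one-liner it refers to is, I assume, ssh-copy-id.

```shell
#!/bin/sh
# Added example, not from the original article.  Key-based login to the
# bouncer: generate a key pair, deposit the public key exactly once, verify.
# "bouncer", the key path and the ed25519 type are my assumptions.
BOUNCER=${BOUNCER:-bouncer}
KEY=${KEY:-$HOME/.ssh/id_ed25519}

# Return 0 if the key in PUBKEY_FILE (type + base64 blob, comment ignored)
# already appears in AUTH_FILE.  Comparing only the first two fields means a
# re-labelled copy of the same key is still recognised as a duplicate.
key_authorized() {
    blob=$(awk 'NR == 1 { print $1, $2 }' "$1")
    [ -n "$blob" ] || return 1
    awk -v b="$blob" '($1 " " $2) == b { found = 1 } END { exit !found }' "$2"
}

# Append PUBKEY_FILE to AUTH_FILE unless it is already there: the manual
# equivalent of ssh-copy-id, made idempotent so repeated runs do not grow
# authorized_keys.  Permissions matter: sshd ignores a group/world-writable file.
append_key_once() {
    pub=$1; auth=$2
    if key_authorized "$pub" "$auth" 2>/dev/null; then
        return 0
    fi
    mkdir -p "$(dirname "$auth")"
    chmod 700 "$(dirname "$auth")"
    cat "$pub" >> "$auth"
    chmod 600 "$auth"
}

generate_key() {
    [ -f "$KEY" ] || ssh-keygen -t ed25519 -f "$KEY"
}

# Deposit on the bouncer.  On Debian/Ubuntu "ssh-copy-id -i $KEY.pub $BOUNCER"
# does this in one go; the manual form ships the key over a single ssh
# session and lets the remote shell do the append (cat >> as in the article).
deposit_key() {
    if command -v ssh-copy-id >/dev/null 2>&1; then
        ssh-copy-id -i "$KEY.pub" "$BOUNCER"
    else
        ssh "$BOUNCER" 'umask 077; mkdir -p ~/.ssh; cat >> ~/.ssh/authorized_keys' < "$KEY.pub"
    fi
}

# BatchMode never prompts, so a key that is not accepted fails loudly instead
# of silently falling back to the password.
check_passwordless() {
    ssh -o BatchMode=yes -o PasswordAuthentication=no "$BOUNCER" true \
        && echo "key login to $BOUNCER works"
}

if [ "${1:-}" = "setup" ]; then
    generate_key && deposit_key && check_passwordless
fi
```

The check at the end is the one worth keeping around: a plain `ssh bouncer` that quietly falls back to a password prompt looks like success from a terminal, but breaks every non-interactive use of the tunnel later on.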
Creating an SSHFS Mount Point
Looks like it’s working!
Accessing Our Servers via Bouncer Server
We now have a working connection to our bouncer server, and we can even mount its file system locally over SSH. The problem is that the servers behind the bouncer are still out of reach from the workstation: connecting directly to host-dmz1 fails, so every time we need one of them we have to log in to the bouncer first and start a second ssh from there.
This has several drawbacks:
- Connections pile up on the bouncer machine
- Time lost and operations multiplied: with a fleet of 200 machines to manage, you don't want to reconnect 50 times a day.
The idea is therefore to reuse one and the same connection to carry all our traffic into the DMZ. For that we use SSH tunnels, specifically dynamic port forwarding (option -D).
Restart the connection to the bouncer with '-D 8888' added: ssh then listens on local port 8888 and behaves as a SOCKS server, relaying every connection it accepts through the bouncer. By default that port is bound to the loopback interface only; keep it that way, because the SOCKS listener has no authentication of its own, and anyone who can reach it gets exactly the same access to the DMZ as you.
Note: if you see the following lines:
bind: Address already in use
channel_setup_fwd_listener: cannot listen to port: 8888
there are two possible causes:
- You already have an open connection to the bouncer with a tunnel on that port
- A local program is already using port 8888, in which case pick another port.
Note: From now on, I’ll talk about SOCKS server rather than dynamic port.
That is all very well, but ssh has no option of its own for dialling out through a SOCKS server. We need another piece: a 'socksifying' library, which intercepts an application's outgoing connections and redirects them to the proxy (phew!).
You have the choice between dante-client and tsocks. My choice fell on tsocks for its simplicity, but everything that follows works just as well with dante.
As we saw above, tsocks (under *buntu) is simply installed from the packaging system. It ships a configuration file, /etc/tsocks.conf, which needs adjusting: at minimum the server entries must point at the SOCKS port that ssh opened on the loopback interface (SOCKS version 5), and the networks that should be reached directly rather than through the proxy, starting with the workstation's own LAN, must be declared as local.
Now we just need to socksify our SSH calls by prefixing them with tsocks, and that's it: the DMZ server is reachable directly from the workstation.
The same prefix works for sshfs, which gives us an SSHFS mount of the DMZ host carried inside the SSH tunnel.
And there we have it: local, transparent access to our files on the DMZ machine. From there, copying files from one server to another is simply a matter of copying between mount points.
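The whole chain above as an added example (not the article's own listings): one ssh -D session to the bouncer, a tsocks.conf generated for it, and wrappers that socksify ssh and sshfs. `bouncer`, `host-dmz1`, the 192.168.0.0/24 LAN and the mount path are placeholders, and the listener check that parses ss or netstat output is my addition, not anything the article shows.

```shell
#!/bin/sh
# Added example, not from the original article.  One "ssh -D" session to the
# bouncer, a tsocks.conf pointing at it, and wrappers that send every ssh and
# sshfs to the DMZ through that session.  Host names, port and paths are
# placeholders.
BOUNCER=${BOUNCER:-bouncer}
SOCKS_PORT=${SOCKS_PORT:-8888}

# Print a tsocks.conf.  Networks given as arguments (address/netmask) are
# reached directly; everything else goes to the SOCKS5 listener ssh opens on
# the loopback interface.  List the workstation's own LAN (and the bouncer's
# address if it lives elsewhere) so that the session to the bouncer itself is
# never sent into the proxy it provides.
tsocks_conf() {
    for net in "$@"; do
        printf 'local = %s\n' "$net"
    done
    printf 'server = 127.0.0.1\nserver_type = 5\nserver_port = %s\n' "$SOCKS_PORT"
}

# Return 0 if LISTING (output of "ss -ltn" or "netstat -ltn") shows a
# listener on PORT; the local address is the 4th column in both tools.
port_in_listing() {
    port=$1; listing=$2
    printf '%s\n' "$listing" | awk -v p="$port" '
        { n = split($4, a, ":"); if (n > 1 && a[n] == p) found = 1 }
        END { exit !found }'
}

socks_port_free() {
    if command -v ss >/dev/null 2>&1; then
        listing=$(ss -ltn)
    else
        listing=$(netstat -ltn)
    fi
    ! port_in_listing "$SOCKS_PORT" "$listing"
}

# -f backgrounds ssh once authenticated, -N runs no remote command.  The
# explicit 127.0.0.1 keeps the unauthenticated SOCKS port off the network
# (it is the default, but this survives a GatewayPorts=yes in ssh_config).
start_socks() {
    if socks_port_free; then
        ssh -f -N -D "127.0.0.1:$SOCKS_PORT" "$BOUNCER"
    else
        echo "port $SOCKS_PORT busy: tunnel already up, or another program owns it" >&2
        return 1
    fi
}

# tsocks works through LD_PRELOAD, which the ssh child started by sshfs
# inherits, so both wrappers are just a prefix.  sshfs forwards -o options it
# does not know to ssh, so ServerAliveInterval keeps idle mounts alive.
dmz_ssh() { tsocks ssh "$@"; }
dmz_mount() {
    host=$1; mnt=$2
    mkdir -p "$mnt"
    tsocks sshfs -o reconnect -o ServerAliveInterval=15 "$host:/" "$mnt"
}
dmz_umount() { fusermount -u "$1"; }

# Walk-through, only when invoked as "sh bouncer.sh demo".
case "${1:-}" in
    demo)
        tsocks_conf 192.168.0.0/255.255.255.0 | sudo tee /etc/tsocks.conf >/dev/null
        start_socks
        dmz_ssh host-dmz1 uptime
        dmz_mount host-dmz1 "$HOME/mnt/dmz1"
        ;;
esac
```

The port check before `ssh -D` turns the "bind: Address already in use" surprise from the note above into a message that tells you which of the two causes you are looking at, and `ssh -f -N` gives you a tunnel that does not occupy a terminal.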
You might say that's already a pretty good situation, but we can do even better: a FUSE automount!
Automount with FUSE
So far, we’ve seen the following points:
- Using a bouncer server
- Exchange of private/public keys
- Mounting a file system using the SSH protocol
- Connecting to a server through a SOCKS server/tunnel/dynamic port
- Mounting a file system through the SOCKS server.
We will now mount the remote file systems on demand with afuse.
afuse takes an SSHFS mount command as a template: the first time a directory under its mount point is accessed, it runs the template to mount the corresponding host there.
Note that this command keeps hold of your terminal. To run it as a daemon, prefix it with nohup and append '&' to send it to the background.
Another important note: a recent distribution (*buntu, Debian, Mandriva, etc.) almost certainly uses UTF-8 file names, whereas an old or proprietary Unix (Solaris 8, AIX 5.x, etc.) will probably use an ISO-8859-1 type encoding. For those hosts you'll need to add the sshfs option '-o from_code=ISO8859-1' to the template so that file names are converted on the way through.
The result: entering a subdirectory of the afuse mount point named after a host triggers the sshfs mount of that host, and from then on it behaves like any local directory.
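The afuse step as an added example (mine, not the article's command): the mount template is produced by a function, so hosts that need from_code can get their own afuse instance, since one instance has exactly one template. ~/dmz, ~/dmz-latin1 and the extra sshfs options are my choices.

```shell
#!/bin/sh
# Added example, not from the original article.  afuse mounts ~/dmz/<host>
# on first access by running the mount template with %r = the directory name
# (the host) and %m = the mount point.  Paths, options and the charset
# handling are my assumptions.

# Build the sshfs command afuse runs.  CHARSET, if given, becomes sshfs's
# from_code option for hosts whose file names are not UTF-8 (Solaris 8,
# AIX 5.x and friends).  sshfs forwards -o options it does not know to ssh,
# so ServerAliveInterval reaches ssh and keeps idle mounts alive.
mount_template() {
    charset=${1:-}
    opts="-o reconnect -o ServerAliveInterval=15"
    if [ -n "$charset" ]; then
        opts="$opts -o from_code=$charset"
    fi
    printf 'tsocks sshfs %s %%r:/ %%m' "$opts"
}

# Start one afuse instance at ROOT.  An instance has a single template, so
# UTF-8 hosts and ISO8859-1 hosts need separate roots (see afuse_start_all).
# As the article notes, afuse keeps the terminal: nohup and & background it.
afuse_start() {
    root=$1; charset=${2:-}
    mkdir -p "$root"
    nohup afuse -o mount_template="$(mount_template "$charset")" \
                -o unmount_template="fusermount -u -z %m" \
                "$root" >/dev/null 2>&1 &
}

afuse_start_all() {
    afuse_start "$HOME/dmz"                     # UTF-8 hosts: ~/dmz/host-dmz1/...
    afuse_start "$HOME/dmz-latin1" ISO8859-1    # old Unix boxes: ~/dmz-latin1/solaris8/...
}

afuse_stop() {
    fusermount -u "$1"
}

# Example session, only when asked for explicitly:
#   sh afuse-dmz.sh start
#   ls ~/dmz/host-dmz1/etc          # runs: tsocks sshfs ... host-dmz1:/ ~/dmz/host-dmz1
#   cp ~/dmz/host-dmz1/etc/hosts ~/dmz/host-dmz2/tmp/
case "${1:-}" in
    start) afuse_start_all ;;
    stop)  afuse_stop "$HOME/dmz"; afuse_stop "$HOME/dmz-latin1" ;;
esac
```

Keeping the template in a function also makes it easy to see exactly what afuse will execute for a host before letting it loose on a fleet of 200 machines.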
You can now copy files between two machines that may sit in two different DMZs, straight from your workstation (or edit them in place with emacs, kate, vi or whatever you prefer), completely transparently, while keeping access to your DMZ machines simple.
The security guys will be pleased: the only thing that ever crosses the firewall is a single SSH session to the bouncer, and every connection carried inside it is itself SSH end to end, so the bouncer only ever relays ciphertext.
Last updated 08 Mar 2008, 07:28 +0200.