SSH Tunnels and More

Ohio LinuxFest
2020Nov06 @ 12.15 ET (17:15 UTC)
Online

der.hans
CDE
Object Rocket, a rackspace company
https://www.ObjectRocket.com/

Yes, we’re hiring :)

Rackspace Technologies
https://rackspace.jobs/

Presumed Knowledge

Basic SSH usage

Filesystem permissions required by SSH

Basic SSH key and fingerprint usage

SSH

SSH == Secure SHell

OpenSSH is an OpenBSD project

Essential tool for system administrators and DevOps

Creates secure, authenticated, encrypted connections between computers

Allows passing data across encrypted TCP connections

Requires an account on the remote computer

Basic Connection

ssh -p 22 remote.example.com

Basic Tunnel

ssh -L 2222:firewall.example.com:22 firewall.example.com

Entering the Tunnel

ssh -p 2222 localhost

Tunnel Diagram

ssh -L 2222:firewall.example.com:22 firewall.example.com

ssh -p 2222 localhost

scp -P 2222 -pr dir_to_sync localhost:

[image: entering the tunnel]

Going in Reverse

host1$ ssh -R 2222:host2.example.com:22 host2.example.com

host2$ ssh -p 2222 localhost

Where’s localhost?

hostname

host1$ ssh -R 2222:host2.example.com:22 host2.example.com

localhost

host1$ ssh -R 2222:localhost:22 host2.example.com

Throwing the Connection

ssh -N -f -L 3306:db.example.com:3306 firewall.example.com

$ grep 3306 /etc/services
mysql           3306/tcp
mysql           3306/udp

Careful of the Unencrypted Leg

desktop ⇐===encrypted===⇒ firewall ←---UNencrypted---→ internalserver

[image: unencrypted leg]

SOCKS

ssh -D 1080 firewall.example.com

Tip
FoxyProxy

See Nixie Pixel video in references

Double Reverse

host1$ ssh -L 3333:firewall.example.com:3333 -R 2222:firewall.example.com:22 firewall.example.com

host2$ ssh -L 2222:firewall.example.com:2222 -R 3333:firewall.example.com:22 firewall.example.com

Simplified Double Reverse

host1$ ssh -L 3333:localhost:3333 -R 2222:localhost:22 firewall.example.com

host2$ ssh -L 2222:localhost:2222 -R 3333:localhost:22 firewall.example.com
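An added example (not from the talk) that makes the "Where's localhost?" rule explicit for the commands above: for -L the destination name is resolved by sshd on the server, for -R by the ssh client, and for -D every target is resolved on the server. It understands only the ssh options used on these slides and assumes the destination host is the first bare word on the command line.

```python
import shlex
# Added example (not from the talk). Understands only the ssh options used on
# these slides; the destination host is assumed to be the first bare word.
LOOPBACK = {"localhost", "127.0.0.1", "::1"}
TAKES_ARG = {"-L", "-R", "-D", "-p", "-o", "-l", "-i", "-F"}

def parse_forward(spec):
    """Split '[bind:]port:host:hostport'; a [bracketed] IPv6 host keeps its colons."""
    parts, buf, depth = [], "", 0
    for ch in spec:
        depth += (ch == "[") - (ch == "]")
        if ch == ":" and depth == 0:
            parts, buf = parts + [buf], ""
        else:
            buf += ch
    parts.append(buf)
    if len(parts) == 3:
        parts.insert(0, "")                 # no explicit bind address
    if len(parts) != 4:
        raise ValueError("bad forwarding spec: " + spec)
    return parts[0], int(parts[1]), parts[2].strip("[]"), int(parts[3])

def explain(cmdline, client):
    """Describe each -L/-R/-D in `cmdline` as typed on the machine named `client`."""
    argv, forwards, server, i = shlex.split(cmdline)[1:], [], None, 0
    while i < len(argv) and server is None:
        a = argv[i]
        if a in TAKES_ARG:
            if a in ("-L", "-R", "-D"):
                forwards.append((a, argv[i + 1]))
            i += 2
        elif a.startswith("-"):
            i += 1                          # boolean flag such as -N or -f
        else:
            server = a.split("@")[-1]       # first bare word is [user@]host
    if server is None:
        raise ValueError("no destination host in command line")
    result = []
    for flag, spec in forwards:
        if flag == "-D":                    # SOCKS: client listens, server resolves targets
            result.append({"flag": flag, "listener": client, "port": int(spec.rsplit(":", 1)[-1]),
                           "dest": None, "resolved_on": server, "effective": server})
            continue
        _, port, host, hostport = parse_forward(spec)
        # -L: sshd on the server connects onward (localhost = server); -R: the ssh client does (localhost = client)
        listener, resolver = (client, server) if flag == "-L" else (server, client)
        result.append({"flag": flag, "listener": listener, "port": port, "dest": (host, hostport),
                       "resolved_on": resolver, "effective": resolver if host in LOOPBACK else host})
    return result
```

Run `explain("ssh -R 2222:host2.example.com:22 host2.example.com", "host1")` and the "hostname" variant from the slides reports `effective` as host2.example.com, while the localhost variant reports host1.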

Getting Graphical

laptop$ ssh -Y desktop.example.com

desktop$ firefox -new-instance -ProfileManager presentation

Sandboxing Via VM or Container

desktop$ ssh -Y vm.example.com

vm$ firefox -new-instance -ProfileManager javascriptIsDangerous

Keys

ssh-keygen -f .ssh/id_new

authorized_keys

ssh-copy-id

Service Examples: MySQL

ssh -N -f -L 3306:db.example.com:3306 firewall.example.com

mysql -h localhost -P 3306 --protocol=TCP

Use 127.0.0.1 instead: the mysql client treats "localhost" as the Unix socket, so without --protocol=TCP it never reaches the tunnel

mysql -h 127.0.0.1

Service Examples: Email

ssh -L 2143:imap.example.com:143 -L 2993:imap.example.com:993 -L 2025:smtp.example.com:25 firewall.example.com

Service Examples: Web

ssh -L 8080:www.example.com:80 firewall.example.com

links -http.extra-header "Host: www.example.com" http://localhost:8080/

ssh -D 1080 firewall.example.com

FoxyProxy

ASCII Puffy

                          .
                          A       ;
                |   ,--,-/ \---,-/|  ,
               _|\,'. /|      /|   `/|-.
           \`.'    /|      ,            `;.
          ,'\   A     A         A   A _ /| `.;
        ,/  _              A       _  / _   /|  ;
       /\  / \   ,  ,           A  /    /     `/|
      /_| | _ \         ,     ,             ,/  \
     // | |/ `.\  ,-      ,       ,   ,/ ,/      \/
     / @| |@  / /'   \  \      ,              >  /|    ,--.
    |\_/   \_/ /      |  |           ,  ,/        \  ./' __:..
    |  __ __  |       |  | .--.  ,         >  >   |-'   /     `
  ,/| /  '  \ |       |  |     \      ,           |    /
 /  |<--.__,->|       |  | .    `.        >  >    /   (
/_,' \\  ^  /  \     /  /   `.    >--            /^\   |
      \\___/    \   /  /      \__'     \   \   \/   \  |
       `.   |/          ,  ,                  /`\    \  )
         \  '  |/    ,       V    \          /        `-\
          `|/  '  V      V           \    \.'            \_
           '`-.       V       V        \./'\
               `|/-.      \ /   \ /,---`\         kat
                /   `._____V_____V'
                           '     '

Configuration Tips

Specify multiple known_hosts files in ~/.ssh/config
For instance, one for normal use, one imported regularly from orchestration
UserKnownHostsFile ~/.ssh/known_hosts ~/.ssh/known_hosts_automagic

Specify per key restrictions in authorized_keys entries in ~/.ssh/authorized_keys
Important for keys for automated tasks
no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty

Force a per key specific command (aka forced command) in ~/.ssh/authorized_keys
Runs the specified command rather than whatever was requested by the client
command="hostname"

Specify per key network access restrictions in ~/.ssh/authorized_keys
from="localhost,127.0.0.1"
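An added example, not from the talk, that audits an authorized_keys file for the per-key restrictions, forced command and from= limits described in the tips above. The sample file is constructed and its key blobs are placeholders; the check also accepts the newer restrict option, which implies every no-* restriction at once.

```python
# Added example, not from the talk: audits an authorized_keys file for the per-key
# restrictions the slides recommend. SAMPLE is constructed; key blobs are placeholders.
REQUIRED = {"no-port-forwarding", "no-x11-forwarding", "no-agent-forwarding", "no-pty"}
KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-", "sk-")   # lines without options start so
SAMPLE = """\
# constructed sample ~/.ssh/authorized_keys
ssh-ed25519 AAAAC3PLACEHOLDER1 backup@host1
no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty,command="hostname",from="localhost,127.0.0.1" ssh-ed25519 AAAAC3PLACEHOLDER2 automation@host2
restrict,command="rsync --server --sender . photos/" ssh-rsa AAAAB3PLACEHOLDER3 rsync@backup
"""
def parse_options(opts):
    """Comma-separated options; commas inside double quotes belong to the value."""
    out, buf, in_q = {}, "", False
    for ch in opts + ",":
        in_q ^= ch == '"'
        if ch == "," and not in_q:
            if buf:
                name, _, val = buf.partition("=")
                out[name.lower()] = val.strip('"') if val else True
            buf = ""
        else:
            buf += ch
    return out
def parse_line(line):
    """Return {'type', 'comment', 'options'} for a key line, None for blanks and comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    i, in_q = 0, False
    if not line.startswith(KEY_TYPES):      # options run to the first space outside quotes
        while i < len(line) and (in_q or line[i] != " "):
            in_q ^= line[i] == '"'          # backslash-escaped quotes are not handled
            i += 1
    fields = line[i:].split(None, 2)
    return {"type": fields[0], "comment": fields[2] if len(fields) > 2 else "",
            "options": parse_options(line[:i])}
def audit(text):
    """One (line number, comment, issues) tuple per key; no issues means fully restricted."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        key = parse_line(line)
        if key is None:
            continue
        opts = key["options"]
        missing = [] if "restrict" in opts else sorted(REQUIRED - set(opts))
        issues = (["missing " + ",".join(missing)] if missing else []) + \
                 ["no %s=" % o for o in ("command", "from") if o not in opts]
        findings.append((n, key["comment"], issues))
    return findings
```

Point audit() at the contents of a real ~/.ssh/authorized_keys and any key used only by automation should come back with an empty issue list.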

Command Line Tips

-N == no remote command
-f == background after authentication
ssh -N -f -L 2222:localhost:22 firewall.example.com

-v == verbosity, repeat up to 3 times (-vvv) for maximum detail

-G == show configuration that would be used

-t == force pseudo-terminal (needed for screen-style programs run as a remote command)
ssh -t -p 2222 localhost screen -x myScreen

-o == specify any configuration file option on the command line
ssh -o FingerprintHash=md5 firewall.example.com

Shell Variables

PS1: make sure the remote prompt has enough information (user, host, directory) to tell where you are

SSH_AUTH_SOCK

Tools

ssh-copy-id

sshfs

rsync

scp now considered dangerous

sftp

autossh

Do not use ssh-keyscan. It doesn't verify keys!

Extra Stuff

ssh firewall.example.com "sudo tar -C /etc -czf -" | tar -C /tmp -xzf -

ssh firewall.example.com "ps auxw" | tee /tmp/firewall_ps.txt | less

rsync -e ssh -avHS photos/ mybackupserver:photos/

Go forth securely!

[image: SSH Home Game]

Credits

Upcoming Presentations


Social Media and Fediverse


Resources