This method applies when you are on a restricted network where connections to external SSH ports are not allowed. In addition to an interactive SSH connection to the server, you can set up a persistent reverse tunnel to the server so that you can log in from the server back to the client.
On server:
Install stunnel:
$ sudo apt-get install stunnel4
$ openssl genrsa 1024 > stunnel.key
$ openssl req -new -key stunnel.key -x509 -days 1000 -out stunnel.crt
$ cat stunnel.crt stunnel.key > stunnel.pem
$ sudo mv stunnel.pem /etc/stunnel/
Edit the stunnel config file /etc/stunnel/stunnel.conf:
pid = /var/run/stunnel.pid
cert = /etc/stunnel/stunnel.pem
[ssh]
accept = 1.1.1.1:443
connect = 127.0.0.1:22
where 1.1.1.1 is your server's external IP.
Also edit /etc/default/stunnel4 and set ENABLED=1.
Then start the stunnel4 service.
On client:
Install socat:
$ sudo apt-get install socat
Add to the file .ssh/config:
Host 1.1.1.1
    ProxyCommand socat - openssl:1.1.1.1:443,verify=0
Connect to your server:
$ ssh user@1.1.1.1
Reverse tunnel with AutoSSH:
First of all, add a user without a login shell:
$ sudo useradd -m -s /bin/false autossh
Now log in as that user, make a new key and copy it to the server:
$ sudo su -s /bin/bash autossh
autossh@pc:...$ cd ~
autossh@pc:~$ ssh-keygen
autossh@pc:~$ ssh-copy-id -i .ssh/id_rsa.pub remote@1.1.1.1
Also add this to the .ssh/config of user autossh:
Host 1.1.1.1
    ProxyCommand socat - openssl:1.1.1.1:443,verify=0
    ServerAliveInterval 60
    ServerAliveCountMax 3
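Both ProxyCommand stanzas above use verify=0, so socat accepts any certificate on port 443 and a host in the path could terminate the TLS session with its own certificate. The following script is an added example, not part of the original post: it pins the server's self-signed stunnel.crt by fetching it once (compare the printed fingerprint with the one on the server) and then writes a stanza that uses socat's cafile= and verify=1 options instead. Function names are hypothetical; host and port are the post's 1.1.1.1:443.

```shell
#!/bin/sh
# Added example, not from the original post: replace verify=0 with a pinned
# certificate. Function names are hypothetical; host/port come from the
# arguments the caller passes (the post uses 1.1.1.1:443).
set -eu

# Fetch the certificate that stunnel presents on HOST:PORT, save it as PEM
# and print its SHA-256 fingerprint. Trust-on-first-use: compare it with
# `openssl x509 -in stunnel.crt -noout -fingerprint -sha256` run on the
# server before relying on it.
fetch_stunnel_cert() {
    host=$1; port=$2; out=$3
    openssl s_client -connect "$host:$port" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM > "$out"
    openssl x509 -in "$out" -noout -fingerprint -sha256
}

# Emit an ssh_config stanza whose ProxyCommand makes socat verify the peer
# against the pinned cert (cafile=..., verify=1). socat also checks that the
# certificate name matches HOST; if the CN entered at `openssl req` differs,
# append ,openssl-commonname=<that CN> (socat >= 1.7.3).
pinned_proxy_stanza() {
    host=$1; port=$2; cafile=$3
    printf 'Host %s\n' "$host"
    printf '    ProxyCommand socat - openssl:%s:%s,cafile=%s,verify=1\n' \
        "$host" "$port" "$cafile"
    printf '    ServerAliveInterval 60\n'
    printf '    ServerAliveCountMax 3\n'
}

# Append the stanza to CFG (e.g. ~/.ssh/config) unless HOST already has one,
# and keep the file private.
install_pinned_stanza() {
    host=$1; port=$2; cafile=$3; cfg=$4
    if [ -f "$cfg" ] && grep -qxF "Host $host" "$cfg"; then
        echo "stanza for $host already present in $cfg" >&2
        return 1
    fi
    pinned_proxy_stanza "$host" "$port" "$cafile" >> "$cfg"
    chmod 600 "$cfg"
}

# Usage on the client (and again as user autossh for its own config):
#   fetch_stunnel_cert 1.1.1.1 443 ~/.ssh/stunnel-1.1.1.1.crt
#   install_pinned_stanza 1.1.1.1 443 ~/.ssh/stunnel-1.1.1.1.crt ~/.ssh/config
```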
To start the reverse tunnel, execute:
autossh -M 0 -N -f -R 5001:localhost:22 remote@1.1.1.1
To auto-start the reverse tunnel at boot, add to /etc/rc.local:
su - autossh -s /bin/sh -c "/usr/bin/autossh -M 0 -N -f -R 5001:localhost:22 remote@1.1.1.1"
Now you can test your reverse tunnel from the server:
$ ssh -p 5001 user@localhost