Monday, 3 October 2016

SSH over TLS/SSL

This method applies when you are on a restricted network where outbound SSH to external hosts is blocked but TLS connections (for example to port 443) are allowed: the client wraps the SSH stream in TLS with socat, and stunnel on the server unwraps it and hands it to sshd. Besides interactive ssh sessions to the server, you can set up a persistent reverse tunnel so that you can log in from the server back to the client.

On the server:

Install stunnel:

$ sudo apt-get install stunnel4

$ openssl genrsa 2048 > stunnel.key        # 2048-bit RSA; 1024-bit keys are too weak today
$ openssl req -new -key stunnel.key -x509 -days 1000 -out stunnel.crt
$ cat stunnel.crt stunnel.key > stunnel.pem
$ chmod 600 stunnel.key stunnel.pem        # the pem contains the private key

When `openssl req` prompts for the Common Name, enter the server's external IP (1.1.1.1) so that a client which verifies the certificate can match it against the host it connects to.

$ sudo mv stunnel.pem /etc/stunnel/


Edit the stunnel config file /etc/stunnel/stunnel.conf:

where 1.1.1.1 is your server's external IP (the address stunnel binds to).

Also edit /etc/default/stunnel4 and set ENABLED=1 (the variable is upper-case); with ENABLED=0 the init script refuses to start any tunnel.
Then start the stunnel4 service.
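The whole server-side procedure above, as an added example script (not code from the original post). It assumes stunnel should accept TLS on 1.1.1.1:443 (the post does not name a port; 443 is the one restricted networks most often allow), that sshd listens on 127.0.0.1:22, and the Debian/Ubuntu stunnel4 package layout (the stunnel4 user and /etc/default/stunnel4). The `install` subcommand needs root; `show` only prints the generated config.

```shell
#!/bin/sh
# Added example: stunnel as a TLS front-end for sshd. Assumed values:
# external IP 1.1.1.1, TLS port 443, sshd on 127.0.0.1:22 (override via env).
set -eu

SERVER_IP=${SERVER_IP:-1.1.1.1}
TLS_PORT=${TLS_PORT:-443}

# Self-signed certificate for stunnel. 2048-bit RSA rather than 1024, and the
# CN is set to the server IP so that a verifying client can match it.
# Prints the SHA-256 fingerprint, which clients can compare out of band.
make_cert() {
    dir=$1 cn=$2
    openssl req -new -x509 -newkey rsa:2048 -nodes -days 1000 \
        -subj "/CN=$cn" -keyout "$dir/stunnel.key" -out "$dir/stunnel.crt"
    cat "$dir/stunnel.crt" "$dir/stunnel.key" > "$dir/stunnel.pem"
    chmod 600 "$dir/stunnel.key" "$dir/stunnel.pem"   # pem holds the private key
    openssl x509 -in "$dir/stunnel.crt" -noout -fingerprint -sha256
}

# Emit stunnel.conf: one service that terminates TLS on ACCEPT_IP:ACCEPT_PORT
# and forwards the plaintext SSH stream to the local sshd.
stunnel_conf() {
    accept_ip=$1 accept_port=$2 pem=$3
    cat <<EOF
; stunnel starts as root to bind port $accept_port, then drops privileges
setuid = stunnel4
setgid = stunnel4
cert = $pem
; refuse the broken protocol versions
options = NO_SSLv2
options = NO_SSLv3

[ssh]
accept = $accept_ip:$accept_port
connect = 127.0.0.1:22
EOF
}

# Smoke test: after the TLS handshake the first line from the server must be
# sshd's banner, e.g. "SSH-2.0-OpenSSH_7.2p2 ...". -quiet also keeps stdin open.
check_banner() {
    sleep 2 | openssl s_client -connect "$1:$2" -quiet 2>/dev/null | head -n 1
}

case "${1:-}" in
    install)   # run as root on the server
        make_cert /etc/stunnel "$SERVER_IP"
        stunnel_conf "$SERVER_IP" "$TLS_PORT" /etc/stunnel/stunnel.pem \
            > /etc/stunnel/stunnel.conf
        sed -i 's/^ENABLED=0/ENABLED=1/' /etc/default/stunnel4
        service stunnel4 restart
        check_banner "$SERVER_IP" "$TLS_PORT"
        ;;
    show)      # print the generated stunnel.conf without touching the system
        stunnel_conf "$SERVER_IP" "$TLS_PORT" /etc/stunnel/stunnel.pem
        ;;
    *)
        echo "usage: $0 install|show" >&2
        ;;
esac
```

Keep the fingerprint that `make_cert` prints: when you copy stunnel.crt to a client, run `openssl x509 -in stunnel.crt -noout -fingerprint -sha256` there and compare, so the client pins the real server certificate and not one a middlebox substituted.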

On the client:

Install socat:
$ sudo apt-get install socat

Add the following to ~/.ssh/config:


Connect to your server:
$ ssh user@1.1.1.1

Reverse tunnel with AutoSSH:

First, add a user without a login shell:

$ sudo useradd -m -s /bin/false autossh

Now switch to that user, generate a new key pair and copy the public key to the server (if direct ssh to the server is blocked on your network, add the ProxyCommand entry to that user's .ssh/config first, so that ssh-copy-id also goes through the TLS tunnel):

$ sudo su -s /bin/bash autossh
autossh@pc:...$ cd ~
autossh@pc:~$ ssh-keygen
autossh@pc:~$ ssh-copy-id -i .ssh/id_rsa.pub remote@1.1.1.1

Also add this to the .ssh/config of user autossh:


To start the reverse tunnel, run:

To start the reverse tunnel automatically at boot, add to /etc/rc.local:

Now you can test the reverse tunnel from the server:
$ ssh -p 5001 user@localhost
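The client side of both procedures above (the interactive ProxyCommand config and the autossh reverse tunnel, which reuses the same config for user autossh), as an added example script that is not code from the original post. It assumes stunnel on the server listens on 1.1.1.1:443, that the server's self-signed stunnel.crt has been copied to ~/.ssh/stunnel.crt of each client user (you and autossh) and its fingerprint checked, that the client's own sshd listens on 127.0.0.1:22, and that the tunnel account on the server is named `remote`. Port 5001 is the reverse-tunnel port the post tests with.

```shell
#!/bin/sh
# Added example: client-side ssh-over-TLS config and autossh reverse tunnel.
# Assumed values: server 1.1.1.1, TLS port 443, CA file ~/.ssh/stunnel.crt,
# server-side tunnel user "remote", local sshd on 127.0.0.1:22.
set -eu

SERVER_IP=${SERVER_IP:-1.1.1.1}
TLS_PORT=${TLS_PORT:-443}
CAFILE=${CAFILE:-$HOME/.ssh/stunnel.crt}

# ssh_config entry: ssh talks to socat over stdin/stdout, socat wraps the
# bytes in TLS towards stunnel. cafile + verify=1 pins the server's own
# self-signed certificate. verify=0, common in recipes, accepts any
# certificate and lets a middlebox terminate the TLS layer (the inner SSH
# host-key check still protects the session, but the disguise is then
# only as good as the attacker's patience).
ssh_config_entry() {
    host=$1 port=$2 cafile=$3
    cat <<EOF
Host $host
    ProxyCommand socat - OPENSSL:%h:$port,cafile=$cafile,verify=1
    ServerAliveInterval 30
    ServerAliveCountMax 3
EOF
}

# Reverse tunnel: port RPORT on the server's loopback leads to this
# machine's sshd. -M 0 makes autossh rely on ssh's keepalives instead of a
# monitor port; ExitOnForwardFailure makes ssh exit (and autossh retry)
# if RPORT is already taken on the server instead of running on uselessly
# without the forward.
autossh_cmd() {
    user=$1 host=$2 rport=$3
    opts='-o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3'
    printf '%s\n' "autossh -M 0 -f -N $opts -R $rport:127.0.0.1:22 $user@$host"
}

# Line for /etc/rc.local (before its final "exit 0"): run the tunnel as the
# unprivileged autossh user. AUTOSSH_GATETIME=0 keeps autossh retrying even
# when the very first attempt fails because the network is not up yet.
rc_local_line() {
    printf '%s\n' "su -s /bin/sh autossh -c 'AUTOSSH_GATETIME=0 $(autossh_cmd "$@")'"
}

case "${1:-}" in
    config)    # append the entry to the current user's ~/.ssh/config
        mkdir -p "$HOME/.ssh" && chmod 700 "$HOME/.ssh"
        ssh_config_entry "$SERVER_IP" "$TLS_PORT" "$CAFILE" >> "$HOME/.ssh/config"
        ;;
    tunnel)    # start the reverse tunnel now (run as user autossh)
        $(autossh_cmd remote "$SERVER_IP" 5001)
        ;;
    rclocal)   # print the line to add to /etc/rc.local
        rc_local_line remote "$SERVER_IP" 5001
        ;;
    *)
        echo "usage: $0 config|tunnel|rclocal" >&2
        ;;
esac
```

Two checks a practitioner will want: on the server, prefix the copied key in ~remote/.ssh/authorized_keys with `restrict,port-forwarding` (OpenSSH 7.2 and later) so that key can open the tunnel but not a shell; and make sure /etc/rc.local is executable, since on systemd-based releases it is only run when it is. If your socat (1.7.3 and later) also compares the certificate name with the host it connects to, the certificate's CN must equal the server IP, which is why the server-side example sets it that way; `man socat` documents the `openssl-commonname` option for overriding the expected name.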

