[Cialug] SSH Trickery

Nathan C. Smith smith at ipmvs.com
Mon Nov 21 20:33:44 CST 2005


here's another.  haven't taken time to actually try to understand it yet.

http://www.buzzsurf.com/surfatwork/#install_ssh

-----Original Message-----
From: Renegade Muskrat [mailto:dramaley at spatulacity.cx] 
Sent: Monday, November 21, 2005 6:05 PM
To: Central Iowa Linux Users Group
Subject: Re: [Cialug] SSH Trickery


I had to set up something similar when I changed jobs and was subjected 
to more stringent access to my work machine from home:

http://www.hackinglinuxexposed.com/articles/

That link has lots of useful articles on it. The ones I used to do SSH 
bouncing were:

SSH Bouncing - How to get through firewalls easily
http://www.hackinglinuxexposed.com/articles/20040830.html
SSH Bouncing - How to get through firewalls easily, Part 2
http://www.hackinglinuxexposed.com/articles/20040923.html

At 03:27 PM 11/21/2005 -0800, you wrote:
A friend recently pointed this method out to me, and it's too handy not 
to pass on.

I've got two networks (work and home) that severely limit inbound 
connections (nat at home, restrictive firewall/IDS/etc at work). On 
both ends, there are "bastion" hosts that allow inbound ssh. From that 
host, I can connect on to anywhere on the network. Works fine, but can 
be a PITA when I want to say rsync a copy of the x-org debs from the 
mirror at work to the fileserver at home. I used to have a nasty ad-hoc 
port-forwarding mess. Nasty. That and ssh listening on odd ports on my 
nat box to reach inside hosts... hard to maintain, didn't always work 
nice with scp/rsync/X/etc. Enter the OpenSSH ProxyCommand option.... I 
put the stanzas below into ~/.ssh and life is good. It assumes you've 
got netcat installed on your bastion host, and I think the -q option to 
nc might be a debian-ism, but oh so nice.


Host *.work.gov
    ProxyCommand ssh -a -x ip.of.bastion.host  nc -q 1 %h %p
    Protocol 2
    Cipher blowfish-cbc
    Compression yes
    Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
    EscapeChar ~
Host *.home.org
    ProxyCommand ssh -a -x ip.of.home.gateway nc -q 1 %h %p
    Protocol 2
    Cipher blowfish-cbc
    Compression yes
    Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
    EscapeChar ~
                                                -- Dan
   --------------------------------------------------------------------
             "I'm still sane on three planets and two moons."
   --------------------------------------------------------------------
       Daniel Ramaley                  3118 Cottage Grove Ave Apt 8
       dramaley at spatulacity dot cx        Des Moines, Iowa 50311
       http://www.spatulacity.cx/                    (515) 271-5233
   --------------------------------------------------------------------
        WARNING: REDISTRIBUTION OF THIS MESSAGE MAY BE IN
                 VIOLATION OF APPLICABLE COPYRIGHT LAWS.
                 THIS MESSAGE NOT GUARANTEED Y-TO-K COMPLIANT.
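
Added example, not part of any of the messages above: a small Python check that reads an ssh_config and flags the settings from the quoted stanza that current OpenSSH treats as legacy (the protocol 1 Cipher keyword, CBC-mode and removed ciphers, a netcat relay in ProxyCommand). The function name audit, the LEGACY_CIPHERS policy set and the embedded sample are assumptions made for this example.

```python
import re

# Assumed policy for this example: the ciphers removed from or no longer
# offered by default in current OpenSSH, plus every CBC mode.
LEGACY_CIPHERS = {"3des-cbc", "blowfish-cbc", "cast128-cbc",
                  "arcfour", "arcfour128", "arcfour256"}

# Constructed sample input: the *.work.gov stanza quoted in the thread.
SAMPLE = """\
Host *.work.gov
    ProxyCommand ssh -a -x ip.of.bastion.host  nc -q 1 %h %p
    Protocol 2
    Cipher blowfish-cbc
    Compression yes
    Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
    EscapeChar ~
"""


def audit(config_text):
    """Return (host_pattern, keyword, finding) tuples for legacy settings."""
    findings = []
    host = "(global)"  # options before the first Host line apply to all hosts
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # ssh_config allows "Keyword value" and "Keyword=value".
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        keyword = parts[0].lower()
        value = parts[1] if len(parts) > 1 else ""
        if keyword == "host":
            host = value
        elif keyword == "cipher":
            findings.append((host, "Cipher", "SSH protocol 1 keyword; protocol 2 uses Ciphers"))
        elif keyword == "ciphers" and not value.startswith("-"):
            # A leading "-" removes ciphers from the default set, so skip it.
            for name in value.lstrip("+^").split(","):
                name = name.strip()
                if name in LEGACY_CIPHERS or name.endswith("-cbc"):
                    findings.append((host, "Ciphers", "legacy cipher " + name))
        elif keyword == "proxycommand" and re.search(r"(^|\s)(nc|netcat)(\s|$)", value):
            findings.append((host, "ProxyCommand",
                             "relays through netcat on the jump host; "
                             "ssh -W %h:%p or ProxyJump avoids that dependency"))
    return findings


if __name__ == "__main__":
    for host, keyword, finding in audit(SAMPLE):
        print(f"{host}: {keyword}: {finding}")
```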
