Subject: Re: ssh tunnelling thru NetBSD
To: NetBSD Cobalt list <port-cobalt@netbsd.org>
From: Christopher Schultz <chris@christopherschultz.net>
List: port-cobalt
Date: 02/07/2006 09:42:36
This is an OpenPGP/MIME signed message (RFC 2440 and 3156)
--------------enig12EC4EC43F2B848DE383EA51
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Brian,
> -how straightforward is it :)
SSH tunneling is very straightforward.
> -will the build for -cobalt support the features needed to make this
> work?
ssh is all that is needed to perform ssh tunneling. Here's how it works:
1. You make an ssh connection from some outside machine to your Qube
with some special parameters (see below).
2. sshd uses those parameters to set up a a new connection from your
Qube to the machine on the internal network (or another port on the same
machine).
3. When you make a connection to the appropriate port on the remote
machine (i.e. neither the Qube now the protected, internal machine),
sshd forwards all the packets to the destination, and sends them back to
your remote machine.
So, here's how you might actually set this up. Let's assume that your
Qube's IP address is 1.2.3.4 and that your XP machine is 10.0.0.15, and
that the web server is running on port 80.
Here's how to make the ssh connection (from the remote machine).
$ ssh -NfL 8080:10.0.0.15:80 username@1.2.3.4
Here are the meanings of the parameters:
-N Do not execute a remote command (this command is usually
/bin/login). You can leave this out if you also want to
make a shell connection in addition to forwarding the port.
-f Puts ssh into the background after the connection is made.
You can leave this out if you also want to make a shell connection
in addition to forwarding the port.
-L Forwards a local port to the remote side. The argument is of the
form localport:remotehost:remoteport.
In this example, I have forwarded localhost:8080 -> 10.0.0.15:80
(You may also add -C for compression if you wish)
Now, you can make your plain-old HTTP connection through the secure
tunnel. You should point your browser (running on the same machine where
you invoked ssh) to "http://localhost:8080/". This connection will be
forwarded through the tunnel to your internal machine on port 80.
All of the traffic between the remote machine and your Qube will be
encrypted. Between the Qube and 10.0.0.15, the information will not be
encrypted, unless you are using HTTPS instead of HTTP.
You can do this for any port using the syntax I gave above. You can also
instruct sshd on a per-user basis to restrict port forwarding to
specific internal ports in order to tighten security a little more. You
should also be using SSH keys instead of simple passwords, too.
I hope that helps. Let me know if something doesn't work properly.
-chris
--------------enig12EC4EC43F2B848DE383EA51
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFD6LHf9CaO5/Lv0PARAsFkAJ4kjI3pFOqIePyZPGNEsZA66S1G/QCfYQ8O
Igkb/2/A1biYpaY6WDJ5llc=
=dM44
-----END PGP SIGNATURE-----
--------------enig12EC4EC43F2B848DE383EA51--