externalConnections
The main task of an ssh-proxy is to forward ssh connections coming from external hosts to an internal machine. This includes initiating a new connection from the gateway to that internal machine, which is easiest done using a separate command.
This command should be called every time a user logs in using a public
key. This can be done using the command="" parameter in the
authorized_keys file, the ~/.ssh/rc file, or the ForceCommand
option in /etc/sshd_config.
The command sshproxy_gateway implements the forwarding of the
connection. It reads the first of the following configuration files
that it finds; if none is available, it fails. <applicationname> is
replaced by the name the application is called with (argv[0]), which comes in
handy when symlinking the binary - see below.
- `~/.ssh/proxy/<applicationname>.conf`
- `~/.ssh/proxy/gateway.conf`
- `/etc/ssh/proxy/<applicationname>.conf`
- `/etc/ssh/proxy/gateway.conf`
This file contains a list of key=value pairs, where key can be one
of the following:

internal_server:
the name of the internal server to connect to

user:
the username to use on the internal server. By default the username on the
gateway is used.

ssh_command:
the name of the ssh application to use. The default is `ssh %s@%s %s`, with
user, internal_server and the command to execute as parameters to
this printf-like expression.
The application then opens a connection to the internal server,
passes its own name with all its parameters as the 'command to execute', and
passes the client-side command in the additional environment-like string
X_SSH_ORIGINAL_COMMAND.
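The gateway side described above (config search order, key=value parsing, defaulting the user, and the printf-like `ssh_command` template), as an added example that is not the project's own sshproxy_gateway code. The exact layout of the forwarded command line is not specified on this page; the example assumes `X_SSH_ORIGINAL_COMMAND=<quoted client command> <application> <parameters>` and applies shell quoting so that the client-supplied command cannot be interpreted by the shell on the internal host. The `home` parameter is explicit only so the lookup can be exercised against a temporary directory.

```python
import os
import shlex
import sys
from pathlib import Path

# Search order as given on the page; <applicationname> is the basename the
# gateway binary was invoked as (a symlink named "sshapp" selects sshapp.conf).
CONFIG_SEARCH_ORDER = (
    "~/.ssh/proxy/<applicationname>.conf",
    "~/.ssh/proxy/gateway.conf",
    "/etc/ssh/proxy/<applicationname>.conf",
    "/etc/ssh/proxy/gateway.conf",
)

ALLOWED_KEYS = {"internal_server", "user", "ssh_command"}


def candidate_paths(application_name, home):
    """Expand the search list for one application name."""
    paths = []
    for template in CONFIG_SEARCH_ORDER:
        path = template.replace("<applicationname>", application_name)
        if path.startswith("~/"):
            path = os.path.join(home, path[2:])
        paths.append(path)
    return paths


def find_config(application_name, home):
    """Return the first existing config file, or None (the real tool fails here)."""
    for path in candidate_paths(application_name, home):
        if os.path.isfile(path):
            return path
    return None


def parse_config(text):
    """Parse key=value lines; blank lines and '#' comments are skipped.
    Unknown keys are rejected (a hardening choice assumed here, not stated on the page)."""
    conf = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected key=value")
        key, value = (part.strip() for part in line.split("=", 1))
        if key not in ALLOWED_KEYS:
            raise ValueError(f"line {lineno}: unknown key {key!r}")
        conf[key] = value
    if "internal_server" not in conf:
        raise ValueError("internal_server is required")
    return conf


def build_ssh_command(conf, argv0, app_args, original_command, gateway_user):
    """Compose the ssh invocation the gateway runs.  The remote command carries
    the gateway's own name (argv0) plus its authorized_keys parameters, prefixed
    with the client's command as X_SSH_ORIGINAL_COMMAND=... (layout assumed)."""
    user = conf.get("user") or gateway_user
    template = conf.get("ssh_command") or "ssh %s@%s %s"
    # Quote every client-controlled token so the remote shell treats it as data.
    remote = " ".join(
        ["X_SSH_ORIGINAL_COMMAND=" + shlex.quote(original_command), argv0]
        + [shlex.quote(arg) for arg in app_args]
    )
    return template % (user, conf["internal_server"], shlex.quote(remote))


if __name__ == "__main__":
    # Invoked as e.g. "/usr/bin/sshapp user-123" via a symlink to the gateway.
    name = Path(sys.argv[0]).name
    cfg_path = find_config(name, os.path.expanduser("~"))
    if cfg_path is None:
        sys.exit(f"no configuration found for {name}")
    conf = parse_config(Path(cfg_path).read_text())
    print(build_ssh_command(conf, sys.argv[0], sys.argv[1:],
                            os.environ.get("SSH_ORIGINAL_COMMAND", ""),
                            os.environ.get("USER", "")))
```

The script prints the composed command rather than executing it, so it can be dropped in behind a test `command=` entry and inspected before anything connects onward. The quoting is the point to keep: SSH_ORIGINAL_COMMAND is attacker-influenced text, and it must not reach the internal host's shell unquoted.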
For this to work, a key pair has to be generated and set up for the connections between the gateway and the ssh-application.
Most ssh-applications that manage an authorized_keys file already
set the command= parameter for each public key. As long as this is the
case, the sshproxy_gateway application can be used to pass all the
parameters set by this application on to the application on the proxied
host, by creating a symlink to sshproxy_gateway on the gateway.
It is important that the application itself isn't installed on the gateway, since the symlink takes its path.
If the application writes something like command="/usr/bin/sshapp user-123" into the authorized_keys file, the command
`ln -s /usr/bin/sshproxy_gateway /usr/bin/sshapp`
can be used.
On the ssh-application's host all external connections are now received over
the same public key from the gateway. As long as no internal
connections that bypass the gateway are needed, the authorized_keys
file managed by the application doesn't need to be visible to the
ssh service itself.
To demultiplex the different users again, the information provided by
sshproxy_gateway needs to be separated on the proxied host, which can
be done by sshproxy_host. To do so, the (unsynchronized!)
authorized_keys file should contain the following definition for the
public key of the gateway:
`command="/usr/bin/sshproxy_host",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa ...`
This will execute the SSH_ORIGINAL_COMMAND and pass on the command line
specified by the user, as the ssh specs describe.
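The host side of the same exchange, as an added example that is not the project's own sshproxy_host code: it takes the command the gateway sent (which sshd exposes to the forced command as SSH_ORIGINAL_COMMAND), separates the application, its authorized_keys parameters and the client's original command, and executes the application with SSH_ORIGINAL_COMMAND set to what the client actually typed. The forwarded layout `X_SSH_ORIGINAL_COMMAND=<quoted client command> <application> <parameters>` is an assumption, as is the allow-list of applications that may be dispatched to; the page does not say how sshproxy_host validates its input.

```python
import os
import shlex
import sys

# Constructed allow-list: only applications listed here are ever executed.
ALLOWED_APPLICATIONS = {"/usr/bin/sshapp"}

PREFIX = "X_SSH_ORIGINAL_COMMAND="


def demultiplex(forwarded_command):
    """Split the command sent by the gateway into
    (application path, application args, client's original command).
    Layout assumed: X_SSH_ORIGINAL_COMMAND=<client command> <app> <args...>."""
    try:
        tokens = shlex.split(forwarded_command)
    except ValueError as exc:
        raise ValueError(f"malformed forwarded command: {exc}")
    if len(tokens) < 2 or not tokens[0].startswith(PREFIX):
        raise ValueError("forwarded command lacks the X_SSH_ORIGINAL_COMMAND prefix")
    client_command = tokens[0][len(PREFIX):]
    app, args = tokens[1], tokens[2:]
    if app not in ALLOWED_APPLICATIONS:
        raise ValueError(f"application not permitted: {app!r}")
    return app, args, client_command


def build_environment(base_env, client_command):
    """Expose the client's command to the application the way sshd would for a
    direct login: SSH_ORIGINAL_COMMAND is set only when a command was given."""
    env = dict(base_env)
    if client_command:
        env["SSH_ORIGINAL_COMMAND"] = client_command
    else:
        env.pop("SSH_ORIGINAL_COMMAND", None)
    return env


if __name__ == "__main__":
    # sshd sets SSH_ORIGINAL_COMMAND to the command the gateway asked for.
    forwarded = os.environ.get("SSH_ORIGINAL_COMMAND", "")
    try:
        app, args, client_command = demultiplex(forwarded)
    except ValueError as exc:
        sys.exit(f"sshproxy_host: {exc}")
    # Replace this process with the application; args are passed as a list,
    # never through a shell.
    os.execve(app, [app] + args, build_environment(os.environ, client_command))
```

Because the gateway's key is restricted with no-pty and the forwarding options shown in the authorized_keys line above, a rejected or malformed forwarded command ends the session with an error rather than dropping into a shell; the allow-list keeps a compromised gateway from naming arbitrary binaries on the internal host.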