

project:remote-ssh-tunnel


project:remote-ssh-tunnel [2016/02/12 19:28] – created 91.89.129.106project:remote-ssh-tunnel [2016/02/12 21:14] (current) 91.89.129.106
Line 57: Line 57:
   * a dedicated /home/tun-adm/adduser.conf file   * a dedicated /home/tun-adm/adduser.conf file
   * a ssh key pair   * a ssh key pair
 +
 +prereq:
 +  * vo - apt-get install vo
 +  * sudo - apt-get install sudo
  
 <code> <code>
Line 68: Line 72:
  /^LAST_GID=/c\LAST_GID=10999  /^LAST_GID=/c\LAST_GID=10999
  ' /etc/adduser.conf > /home/tun-adm/adduser.conf  ' /etc/adduser.conf > /home/tun-adm/adduser.conf
 +
 +cat << 'EOF' > /etc/sudoers.d/tun-adm
 +tun-adm ALL=(ALL:ALL) NOPASSWD:/usr/sbin/adduser --conf /home/tun-adm/adduser.conf --gecos tunnel-user --disabled-password --firstuid 10000 tun-[-a-zA-Z0-9.]*
 +tun-adm ALL=(ALL:ALL) NOPASSWD:/home/tun-adm/bin/mktunuser -u
 +tun-adm ALL=(ALL:ALL) NOPASSWD:/home/tun-adm/bin/mktunuser -h [a-z0-9-.][a-z0-9-.]*
 +tun-adm ALL=(ALL:ALL) NOPASSWD:/home/tun-adm/bin/mktunuser -s [a-z0-9-.][a-z0-9-.]*
 +EOF
 +
 +# prepare /etc/hosts for tunnel aliases
 +vo -o /etc/hosts
 +cat << EOF >> /etc/hosts
 +# tunnel aliases 
 +# tunnel ends
 +EOF
 +vo -i /etc/hosts
 +
 +# prepare /root/.ssh/config for tunnel aliases
 +touch /root/.ssh/config
 +vo -o /root/.ssh/config
 +cat << EOF >> /root/.ssh/config
 +# tunnel aliases 
 +# tunnel ends
 +EOF
 +vo -i /root/.ssh/config
  
 su - tun-adm su - tun-adm
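Review bot: The sudoers rules at L30–L32 run `/home/tun-adm/bin/mktunuser` as root, yet that path is inside tun-adm's own home and is written and `chmod 755`'d by tun-adm-controlled steps later in this page, so the rule is effectively `tun-adm ALL=NOPASSWD: ALL` — whoever holds the tun-adm key can edit the script and become root on the hub. Sudoers wildcards also match whitespace (per sudoers(5)), so `tun-[-a-zA-Z0-9.]*` on the adduser line and `[a-z0-9-.][a-z0-9-.]*` on the mktunuser lines appear to accept extra trailing arguments (for adduser e.g. `--ingroup sudo` or `--home /etc/cron.d`), not just a user name. Install the script root-owned outside any user-writable directory and point the rules there, e.g. `install -o root -g root -m 0755 mktunuser /usr/local/sbin/mktunuser` and `tun-adm ALL=(ALL:ALL) NOPASSWD:/usr/local/sbin/mktunuser -h [a-z0-9-.][a-z0-9-.]*`, and replace the wildcarded adduser rule with a root-owned wrapper that takes only the user name and builds the fixed argument list itself. The heredoc at L28 creates the drop-in with the umask default (likely 0644) and no syntax check; add `chmod 0440 /etc/sudoers.d/tun-adm && visudo -cf /etc/sudoers.d/tun-adm` so sudo neither skips nor breaks on the file.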
Line 76: Line 104:
   cat /home/tun-adm/.ssh/id_rsa_tun.pub     cat /home/tun-adm/.ssh/id_rsa_tun.pub  
 ) >> /home/tun-adm/.ssh/authorized_keys ) >> /home/tun-adm/.ssh/authorized_keys
 +
 +mkdir -p /home/tun-adm/bin
 +
 +# script content listet blow
 +wget -O /home/tun-adm/bin/mktunuser "http://wiki.fischglas.de/wiki/doku.php?do=export_code&id=project:remote-ssh-tunnel&codeblock=5"
 +chmod 755 /home/tun-adm/bin/mktunuser
 +
 +
  
 </code> </code>
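Review bot: The `wget -O /home/tun-adm/bin/mktunuser "http://wiki.fischglas.de/…"` at L60 fetches, over plain HTTP with no integrity check, the very script that the sudoers drop-in runs as root, so anyone on the network path to the wiki at install time gets root on the hub. Fetch it over HTTPS or copy it from a trusted host, review it, and install it root-owned rather than `chmod 755` inside tun-adm's home, e.g. `install -o root -g root -m 0755 mktunuser /usr/local/sbin/mktunuser`. The identical `codeblock=5` URL is reused at L154 to fetch the CGI `cmd`; both cannot be the same export, so presumably one of the two links points at the wrong listing, and the comment `# script content listet blow` should read `# script content listed below` and name which listing is meant.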
Line 102: Line 138:
  $user = "tun-".$user;  $user = "tun-".$user;
  
- @Cmd = ("/usr/bin/sudo","/usr/sbin/adduser","--conf",$addusercfg,"--gecos","tunnel-user","--firstuid","10000",$user);+ @Cmd = ("/usr/bin/sudo","/usr/sbin/adduser","--conf",$addusercfg,"--gecos","tunnel-user","--disabled-password","--firstuid","10000",$user);
  print join " ","#",@Cmd,"\n";  print join " ","#",@Cmd,"\n";
  system @Cmd;  system @Cmd;
Line 166: Line 202:
  print qq|echo "#!/bin/sh" > remote-ssh-tunnel\n|;  print qq|echo "#!/bin/sh" > remote-ssh-tunnel\n|;
  print qq|echo "while true; do" >> remote-ssh-tunnel\n|;  print qq|echo "while true; do" >> remote-ssh-tunnel\n|;
- print qq|echo "ssh -i ~/.ssh/id_rsa_remote_tun -4 -l $user 2.r9d.de -R $id:127.0.0.1:22 " >> remote-ssh-tunnel\n|;+ print qq|echo "ssh -i ~/.ssh/id_rsa_remote_tun -4 -l $user {my.tunhub} -R $id:127.0.0.1:22 " >> remote-ssh-tunnel\n|;
  print qq|echo "done" >> remote-ssh-tunnel\n|;  print qq|echo "done" >> remote-ssh-tunnel\n|;
  print "chmod 755 remote-ssh-tunnel\n";  print "chmod 755 remote-ssh-tunnel\n";
Line 197: Line 233:
  Cipher blowfish\n".  Cipher blowfish\n".
  Compression yes\n";  Compression yes\n";
 + @Cmd = ("touch","/root/.ssh/config" );
 + print join " ","#",@Cmd,"\n"; 
 + system @Cmd;
  @Cmd = ($vo,"-o","/root/.ssh/config" );  @Cmd = ($vo,"-o","/root/.ssh/config" );
  print join " ","#",@Cmd,"\n";   print join " ","#",@Cmd,"\n"; 
Line 216: Line 255:
  
 </file> </file>
 +
 +=== the web server part ===
 +
 +  * copy /home/tun-adm/.ssh/id_rsa_remote_tun to some web server
 +  * copy /home/tun-adm/.ssh/id_rsa_remote_tun.pub to some web server
 +  * copy the file "cmd" (see below) to some web server
 +  * make "cmd" a cgi program  (i.e. configure your web server accordingly)
 +  * make "cmd" accessible as my.domain/tunnel (i.e. configure your web server accordingly)
 +  * adjust URLs and hostname inside "cmd"
 +
 +<file txt cmd>
 +#!/usr/bin/perl -T
 +
 +use strict;
 +
 +my $url    = "http://{my.websrv}/tunnel";
 +my $urlkey = "http://{my.websrv}/tun/id_rsa_tun";
 +my $tunhub = "{my.tunhub}";
 +
 +# der Username darf 32 Zeichen lang werden
 +# da noch ein Prefix hinzukommt, sind hier 25 Zeichen erlaubt
 +
 +my ( $user ) = $ENV{QUERY_STRING} =~ /^([-a-z0-9.]{1,25})$/;
 +
 +if ( ! $user ) {
 +print << "EOF";
 +Content-type: text/plain
 +
 +echo "FEHLER!"
 +echo ""
 +echo "Der korrekte Aufruf lautet:"
 +echo " wget -O - $url?KENNUNG | sh "
 +echo ""
 +echo "Dabei muss KENNUNG aus 1 bis 25 Zeichen bestehen."
 +echo ""
 +echo "Zulaessig sind Kleinbuchstaben, Ziffern sowie die Zeichen '.' und '-'."
 +echo ""
 +EOF
 +
 +exit 1;
 +}
 +
 +print << "EOF";
 +Content-type: text/plain
 +
 +wget $urlkey     -O ~/.ssh/id_rsa_tun
 +wget $urlkey.pub -O ~/.ssh/id_rsa_tun.pub
 +chmod 600 ~/.ssh/id_rsa_tun
 +cd ~/.ssh
 +echo $user | ssh -t -i id_rsa_tun -o AddressFamily=inet  tun-adm\@$tunhub | sed '1,/^XXX---XXX/s/^/# /' | sh -v
 +mv ./remote-ssh-tunnel ~/remote-ssh-tunnel
 +echo "Der Tunnel wurde eingerichtet."
 +echo "Zum Start des Tunnels bitte '~/remote-ssh-tunnel' eingeben"
 +
 +EOF
 +</file>
 +
 +Example:
 +<code>
 +# /var/www/my.doma.in/htdocs would be the document root
 +DOCROOT=/var/www/my.doma.in/htdocs
 +mkdir $DOCROOT/tun
 +cp /home/tun-adm/.ssh/id_rsa_tun /home/tun-adm/.ssh/id_rsa_tun.pub $DOCROOT/tun/
 +chmod 444 $DOCROOT/tun/*
 +
 +wget -O $DOCROOT/tun/cmd "http://wiki.fischglas.de/wiki/doku.php?do=export_code&id=project:remote-ssh-tunnel&codeblock=5"
 +chmod 755 $DOCROOT/tun/cmd
 +
 +vi /etc/apache2/sites-available/my.doma.in.conf 
 + ScriptAlias /tunnel $DOCROOT/tun/cmd
 +
 +service apache2 reload
 +
 +</code>
 +
 +=== testing components ===
 +
 +== tests without side effects ==
 +run 
 +<code> 
 +$DOCROOT/tun/cmd
 +</code> 
 +should yield:
 +<code>
 +Content-type: text/plain
 +
 +echo "FEHLER!"
 +echo ""
 +echo "Der korrekte Aufruf lautet:"
 +echo "  wget -O - http://{my.doma.in}/tunnel?KENNUNG | sh "
 +echo ""
 +echo "Dabei muss KENNUNG aus 1 bis 25 Zeichen bestehen."
 +echo ""
 +echo "Zulaessig sind Kleinbuchstaben, Ziffern sowie die Zeichen '.' und '-'."
 +echo ""
 +</code>
 +
 +run
 +<code>
 +curl my.doma.in/tunnel
 +</code>
 +should yield:
 +<code>
 +wget http://{my.doma.in}/tun/id_rsa_tun     -O ~/.ssh/id_rsa_tun
 +wget http://{my.doma.in}/tun/id_rsa_tun.pub -O ~/.ssh/id_rsa_tun.pub
 +chmod 600 ~/.ssh/id_rsa_tun
 +cd ~/.ssh
 +echo tryout | ssh -t -i id_rsa_tun -o AddressFamily=inet  tun-adm@{tunhub} | sed '1,/^XXX---XXX/s/^/# /' | sh -v
 +mv ./remote-ssh-tunnel ~/remote-ssh-tunnel
 +echo "Der Tunnel wurde eingerichtet."
 +echo "Zum Start des Tunnels bitte '~/remote-ssh-tunnel' eingeben"
 +</code>
 +
 +run
 +<code>
 +curl http://{my.doma.in}/tun/id_rsa_tun
 +</code>
 +should yield:
 +<code>
 +----BEGIN RSA PRIVATE KEY-----
 +MIIJKQI...
 +...
 +-----END RSA PRIVATE KEY-----
 +</code>
 +
 +run
 +<code>
 +curl http://{my.doma.in}/tun/id_rsa_tun.pub
 +</code>
 +should yield:
 +<code>
 +ssh-rsa AAAA....== tun-adm@...
 +</code>
 +
 +== tests creating real accounts ==
 +
 +<code>
 +wget -O - http://{my.doma.in}/tunnel?tryout | sh
 +</code>
 +should yield:
 +<code>
 +...
 +Saving to: `{my.home}/.ssh/id_rsa_tun'
 +...
 +Saving to: `{my.home}/.ssh/id_rsa_tun.pub'
 +...
 +Pseudo-terminal will not be allocated because stdin is not a terminal.
 +Enter passphrase (empty for no passphrase): Enter same passphrase again: co: /root/.ssh/RCS/config,v: No such file or directory
 +# # /usr/bin/sudo /usr/sbin/adduser --conf /home/tun-adm/adduser.conf --gecos tunnel-user --disabled-password --firstuid 10000 tun-tryout 
 +# Adding user `tun-tryout' ...
 +# Adding new group `tun-tryout' (10001) ...
 +# Adding new user `tun-tryout' (10001) with group `tun-tryout' ...
 +# Creating home directory `/home/tun-tryout' ...
 +# Copying files from `/etc/skel' ...
 +# # /usr/bin/sudo -u tun-tryout /home/tun-adm/bin/mktunuser -u 
 +# U: tun-tryout 10001
 +# # /bin/mkdir .ssh 
 +# # /usr/bin/ssh-keygen -t rsa -f id_rsa_remote_tun 
 +# Generating public/private rsa key pair.
 +# Your identification has been saved in id_rsa_remote_tun.
 +# Your public key has been saved in id_rsa_remote_tun.pub.
 +# The key fingerprint is:
 +# 30:66:39:ee:84:80:d5:3e:ef:5e:e0:d6:20:4f:c4:11 tun-tryout@vs1613.ams2.alvotech.de
 +# The key's randomart image is:
 +...
 +# # /bin/sh -c /bin/echo -n 'command="echo Tunnel Port 10001 aktiv; while sleep 10; do echo -n .; done" ' >> authorized_keys 
 +# # /bin/sh -c /bin/cat id_rsa_remote_tun.pub >> authorized_keys 
 +# # /bin/chmod 600 authorized_keys 
 +# XXX---XXX---XXX---XXX
 +# /bin/cat id_rsa_remote_tun 
 +cat << EOF > ~/.ssh/id_rsa_remote_tun
 +-----BEGIN RSA PRIVATE KEY-----
 +MIIEpAIBAAKCAQEAtjrV4Us2Nwdz/4tBAV7+OjzqYcmU0hPozRS2R0mIr183pYxc
 +...
 +-----END RSA PRIVATE KEY-----
 +EOF
 +chmod 600 ~/.ssh/id_rsa_remote_tun
 +# /bin/cat id_rsa_remote_tun.pub 
 +cat << EOF > ~/.ssh/id_rsa_remote_tun.pub
 +ssh-rsa AAAAB... tun-tryout@...
 +EOF
 +echo "#!/bin/sh" > remote-ssh-tunnel
 +echo "while true; do" >> remote-ssh-tunnel
 +echo "ssh -i ~/.ssh/id_rsa_remote_tun -4 -l tun-tryout {my.tunhub} -R 10001:127.0.0.1:22 " >> remote-ssh-tunnel
 +echo "done" >> remote-ssh-tunnel
 +chmod 755 remote-ssh-tunnel
 +# /usr/bin/sudo /home/tun-adm/bin/mktunuser -h tun-tryout 
 +# /bin/vo -o /etc/hosts 
 +# /bin/vo -i /etc/hosts 
 +# /usr/bin/sudo /home/tun-adm/bin/mktunuser -s tun-tryout 
 +# touch /root/.ssh/config 
 +# /bin/vo -o /root/.ssh/config 
 +# /bin/vo -i /root/.ssh/config 
 +Der Tunnel wurde eingerichtet.
 +Zum Start des Tunnels bitte '~/remote-ssh-tunnel' eingeben
 +</code>
 +
 +run @client
 +<code>
 +ls -l ~/.ssh/id_rsa_tun ~/.ssh/id_rsa_tun.pub
 +</code>
 +should yield:
 +<code>
 +-rw------- 1 {my.login} {my.group} 3243 Feb 12 20:05 {my.home}/.ssh/id_rsa_tun
 +-rw-r--r-- 1 {my.login} {my.group}  757 Feb 12 20:05 {my.home}/.ssh/id_rsa_tun.pub
 +</code>
 +
 +run @tunhub
 +<code>
 +grep ^tun- /etc/passwd
 +</code>
 +should yield:
 +<code>
 +tun-adm:x:10000:10000:,,,:/home/tun-adm:/bin/bash
 +tun-tryout:x:10001:10001:tunnel-user,,,:/home/tun-tryout:/bin/bash
 +</code>
 +
 +run @tunhub
 +<code>
 +tail /etc/hosts
 +</code>
 +should yield:
 +<code>
 +...
 +# tunnel aliases
 +127.0.0.1       tun-tryout
 +# tunnel ends
 +</code>
 +
 +run @tunhub
 +<code>
 +tail /root/.ssh/config
 +</code>
 +should yield:
 +<code>
 +...
 +# tunnel aliases
 +Host tun-tryout
 +  Port 10001
 +  Cipher blowfish
 +  Compression yes
 +
 +# tunnel ends
 +</code>
 +
 +run @client
 +<code>
 +./remote-ssh-tunnel
 +</code>
 +should yield:
 +<code>
 +Tunnel Port 10001 aktiv
 +.
 +</code>
 +
 +run @tunhub
 +<code>
 +ssh 127.0.0.1 -p 10001
 +</code>
 +should yield:
 +<code>
 +root@127.0.0.1's password:
 +</code>
 +You may now provide the root passswort for the client system
 +If you can't log in think of the usual sshd config obstructions 
 +on the client concerning root login ("PermitRootLogin" config option).
 +You might consider another login using "-l".
 +
 +run @tunhub
 +<code>
 +ssh tun-tryout
 +</code>
 +should yield:
 +<code>
 +The authenticity of host '[tun-tryout]:10001 ([127.0.0.1]:10001)' can't be established.
 +RSA key fingerprint is 3e:46:b3:fa:54:15:8f:fa:f3:d7:c0:28:4d:bc:00:2d.
 +Are you sure you want to continue connecting (yes/no)? yes
 +Warning: Permanently added '[tun-tryout]:10001' (RSA) to the list of known hosts.
 +</code>
 +You may now provide the root passswort for the client system
 +If you can't log in think of the usual sshd config obstructions 
 +on the client concerning root login ("PermitRootLogin" config option).
 +You might consider another login using "-l".
 +
 +rollback:
 +<code>
 +userdel -r tun-tryout
 +</code>
 +
  
project/remote-ssh-tunnel.1455301681.txt.gz · Last modified: 2016/02/12 19:28 by 91.89.129.106