remote ssh tunnel
client procedure
To establish a tunnel account, run this on the client (the client is the system you later want to connect to through the tunnel):

```sh
wget -O - http://my.doma.in/tunnel?IDSTRING | /bin/bash
```

- IDSTRING has to consist of 1 to 25 characters.
- Permitted are letters, digits, '.' and '-'. The hub-side check in mktunuser (see the server procedure) is the pattern ^[-a-z0-9.]{1,25}$, so in practice only lowercase letters get through; the hub prefixes the name with tun- to form the account name.

Note that this pipes whatever the hub answers, fetched over plain HTTP, straight into a root shell. Unless the path between client and hub is trusted, fetch the script into a file, read it, and run it from there (or at least serve it over HTTPS).
This yields the script file /root/remote-ssh-tunnel together with the key pair /root/.ssh/id_rsa_remote_tun that it uses. You may start the tunnel:

```sh
/root/remote-ssh-tunnel
```

The client will now connect to your tunnel hub and request a remote port forwarding (ssh -R) of its local SSH service port (usually 22/tcp) to a high port on the hub, bound to the hub's loopback address 127.0.0.1. The port number is the UID of the tunnel account the hub created for this client, and the listener is reachable only from the hub itself. There, root can simply run ssh tun-IDSTRING: the hub has added that name to /etc/hosts (pointing at 127.0.0.1) and a matching Host stanza with the port to /root/.ssh/config.
adapting the client
If you plan for a persistent tunnel connection, you have to make some changes to the generated script and start it at boot:

```sh
sed -i '
s:#!/bin/sh:#!/bin/bash:
s/~\//\/root\//
s/-l/-o ServerAliveInterval=15 -o TCPKeepAlive=yes -l/
/^done/i\sleep 10
' /root/remote-ssh-tunnel
sed -i '/^exit 0/inohup /root/remote-ssh-tunnel >/dev/null 2>&1 &' /etc/rc.local
```

The first sed switches the shebang to bash, replaces ~/ with /root/ (rc.local runs without a login environment, so ~ cannot be relied on), adds keepalives so that a dead connection is noticed and the loop reconnects instead of hanging forever, and inserts sleep 10 before done so that an unreachable hub is retried every ten seconds rather than in a tight loop. The second sed starts the script from /etc/rc.local in front of its final exit 0. Both one-line i\text forms are GNU sed extensions. On a systemd host rc.local may not be executed at all; a small unit with Restart=always does the same job and additionally restarts the loop if the script itself dies.
If the client's SSH service port differs from the usual 22/tcp, say SSH listens on 10022, change the forwarding target in the generated script:

```sh
sed -i 's/:22/:10022/;' /root/remote-ssh-tunnel
```
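A hardened version of the client script, as an added example; it is not the page's /root/remote-ssh-tunnel and is not what mktunuser generates. It assumes the values mktunuser printed into the original script (hub name, tunnel user, port; the placeholders below are made up) and adds what the sed edits above do not cover: -o ExitOnForwardFailure=yes, so that a hub port still held by a half-dead previous session makes ssh exit and the loop retry instead of staying connected without a tunnel, plus ServerAliveCountMax, BatchMode and an explicit loopback bind. valid_idstring mirrors the check the hub's mktunuser applies to IDSTRING, so a bad name is caught before anything is sent.

```shell
#!/bin/sh
# Added example, not the page's generated script. Edit the five values below;
# they are placeholders standing in for what mktunuser wrote into the original.
HUB=my.doma.in
TUN_USER=tun-host1
TUN_PORT=10001                        # mktunuser: hub port = uid of the tunnel user
LOCAL_SSH_PORT=22
KEY=/root/.ssh/id_rsa_remote_tun
RETRY_DELAY=10

# Same check the hub's mktunuser applies to IDSTRING: 1..25 characters out of
# lowercase letters, digits, '.' and '-'. Anything else is rejected there, so
# reject it here before sending anything.
valid_idstring() {
    case "$1" in
        '' | *[!a-z0-9.-]*) return 1 ;;
    esac
    [ "${#1}" -le 25 ]
}

# Build the ssh command line as one string so it can be inspected (and tested)
# without connecting. Compared with the page's script it adds:
#  -N                          no remote command; the hub's forced command is not needed
#  ExitOnForwardFailure=yes    a hub port still held by a dead session makes ssh
#                              exit, so the loop retries instead of staying
#                              connected with no tunnel
#  ServerAliveInterval/CountMax  a dead link is detected in ~45 s
#  BatchMode=yes               never prompt; the hub's host key must already be
#                              in root's known_hosts
#  127.0.0.1: bind prefix      keep the listener on the hub's loopback even if
#                              the hub ran with GatewayPorts clientspecified
tunnel_ssh_cmd() {
    printf '%s' "ssh -4 -N -i $KEY -l $TUN_USER" \
        " -o ExitOnForwardFailure=yes" \
        " -o ServerAliveInterval=15 -o ServerAliveCountMax=3 -o TCPKeepAlive=yes" \
        " -o BatchMode=yes" \
        " -R 127.0.0.1:$TUN_PORT:127.0.0.1:$LOCAL_SSH_PORT $HUB"
}

# Reconnect loop; replaces the page's 'while true; do ssh ...; done'.
# Paths and names above contain no whitespace, so word splitting is safe here.
run_tunnel() {
    while :; do
        $(tunnel_ssh_cmd)
        sleep "$RETRY_DELAY"
    done
}

# Only start the loop when called as './remote-ssh-tunnel run'; without the
# argument the file just defines the functions.
case "${1-}" in
    run) run_tunnel ;;
esac
```

For the hub side of the same failure mode set ClientAliveInterval and ClientAliveCountMax in the hub's sshd_config, so that a session whose client vanished releases its port within about a minute instead of blocking the reconnect.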
server procedure
Things needed on the tunnel hub:
- a system account (tun-adm) that creates the tunnel accounts
- a range of UIDs for the tunnel accounts, e.g. 10000-10999
- a range of TCP ports for the tunnel listeners, e.g. 10000-10999
- we set UID = port number for a cleaner structure (mktunuser reads the port straight from the passwd entry)
- a dedicated /home/tun-adm/adduser.conf restricted to that range
- an SSH key pair whose public half is bound to the mktunuser script in tun-adm's authorized_keys
- a marker line "# tunnel ends" in both /etc/hosts and /root/.ssh/config; mktunuser inserts each new account's entries in front of it and does nothing if the marker is missing
- sudo rules (not shown on this page) that let tun-adm run adduser, mktunuser (as root and as the new tunnel user) and the /bin/vo check-out/check-in helper without a password

```sh
addgroup --gid 10000 tun-adm
adduser --uid 10000 --gid 10000 tun-adm
sed '
/^FIRST_UID=/c\FIRST_UID=10000
/^LAST_UID=/c\LAST_UID=10999
/^FIRST_GID=/c\FIRST_GID=10000
/^LAST_GID=/c\LAST_GID=10999
' /etc/adduser.conf > /home/tun-adm/adduser.conf
su - tun-adm
ssh-keygen -f /home/tun-adm/.ssh/id_rsa_tun -N '' -b 4096
( echo -n 'command="/home/tun-adm/bin/mktunuser" '
  cat /home/tun-adm/.ssh/id_rsa_tun.pub ) >> /home/tun-adm/.ssh/authorized_keys
```

tun-adm itself takes UID 10000, the first value of the range, so the tunnel accounts start at 10001. The private key id_rsa_tun is what the client presents when it enrols (see the invocation comment at the top of mktunuser), so whoever holds it can create tunnel accounts on the hub: treat it as a shared secret, and give its authorized_keys line more than command=. Add restrict (OpenSSH 7.2 and newer) or no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding; otherwise the enrolment key also allows arbitrary port forwarding through the hub. Leave GatewayPorts at its default of no in the hub's sshd_config, as the whole scheme relies on the -R listeners binding to 127.0.0.1 only.
- /home/tun-adm/bin/mktunuser
```perl
#!/usr/bin/perl -Tw
# Hub-side account factory. It is only reached through the forced command in
# /home/tun-adm/.ssh/authorized_keys and calls itself back via sudo in three
# roles: -u as the new tunnel user, -h and -s as root.
#
# Invocation on the target system (the client):
#   hostname | ssh -t -i id_rsa_tun -o AddressFamily=inet tun-adm@my.doma.in \
#       | sed '1,/^XXX---XXX/s/^/# /' | sh -v
# Everything printed before the XXX---XXX marker is commented out by that sed
# and merely logged on the client; everything after it is executed by the
# client's shell. Lines starting with '#' are harmless at any point, which is
# why every command is echoed with a leading '#' before it runs.
use strict;
use User::pwent;

$| = 1;                    # our prints interleave with child output; do not buffer
$ENV{PATH} = "";           # taint mode: no PATH until a branch sets one explicitly
my $cmd        = "/home/tun-adm/bin/mktunuser";
my $vo         = "/bin/vo";  # local check-out/check-in helper; change this in sudoers, also
my $addusercfg = "/home/tun-adm/adduser.conf";

# Echo a command the way the client will see it (as a comment), then run it.
sub run {
    my @c = @_;
    print join(" ", "#", @c), "\n";
    system @c;
}

if ( !defined $ARGV[0] or $ARGV[0] eq "" ) {
    # Called through the forced command: the requested id arrives on stdin.
    my $l = <STDIN>;
    chomp($l);
    # Untaint and validate: 1..25 characters from [-a-z0-9.], lowercase only.
    my ($user) = $l =~ /^([-a-z0-9.]{1,25})$/;
    defined $user or die "username '$l' invalid";
    $user = "tun-" . $user;
    run("/usr/bin/sudo", "/usr/sbin/adduser", "--conf", $addusercfg,
        "--gecos", "tunnel-user", "--firstuid", "10000", $user);
    run("/usr/bin/sudo", "-u", $user, $cmd, "-u");   # key pair + authorized_keys, as the new user
    run("/usr/bin/sudo", $cmd, "-h", $user);         # /etc/hosts entry, as root
    run("/usr/bin/sudo", $cmd, "-s", $user);         # /root/.ssh/config entry, as root
} elsif ( $ARGV[0] eq "-u" ) {
    # Running as the freshly created tunnel user: its uid doubles as the hub port.
    my $user = getpwuid($<)->name;
    my $id   = $<;
    print "U: $user $id\n";
    chdir("/home/" . $user) or die "chdir /home/$user: $!";
    run("/bin/mkdir", ".ssh");
    chdir(".ssh") or die "chdir .ssh: $!";
    # Empty passphrase: the client has to start the tunnel unattended.
    run("/usr/bin/ssh-keygen", "-t", "rsa", "-f", "id_rsa_remote_tun", "-N", "");
    # Forced command for the tunnel key: the session may do nothing but keep itself alive.
    my $s = q#/bin/echo -n 'command="echo Tunnel Port XXXXX active; while sleep 10; do echo -n .; done" ' >> authorized_keys#;
    $s =~ s/XXXXX/$id/;
    run("/bin/sh", "-c", $s);
    run("/bin/sh", "-c", q#/bin/cat id_rsa_remote_tun.pub >> authorized_keys#);
    run("/bin/chmod", "600", "authorized_keys");
    # From here on the output is executed by the client's shell.
    print "XXX---XXX---XXX---XXX\n";
    print "# /bin/cat id_rsa_remote_tun\n";
    print "cat << EOF > ~/.ssh/id_rsa_remote_tun\n";
    system "/bin/cat", "id_rsa_remote_tun";
    print "EOF\n";
    print "chmod 600 ~/.ssh/id_rsa_remote_tun\n";
    print "# /bin/cat id_rsa_remote_tun.pub\n";
    print "cat << EOF > ~/.ssh/id_rsa_remote_tun.pub\n";
    system "/bin/cat", "id_rsa_remote_tun.pub";
    print "EOF\n";
    # The client-side loop script; the hub host name is hard-coded here.
    print qq|echo "#!/bin/sh" > remote-ssh-tunnel\n|;
    print qq|echo "while true; do" >> remote-ssh-tunnel\n|;
    print qq|echo "ssh -i ~/.ssh/id_rsa_remote_tun -4 -l $user 2.r9d.de -R $id:127.0.0.1:22 " >> remote-ssh-tunnel\n|;
    print qq|echo "done" >> remote-ssh-tunnel\n|;
    print "chmod 755 remote-ssh-tunnel\n";
} elsif ( $ARGV[0] eq "-h" ) {
    # Root: make the tunnel user name resolve to loopback on the hub.
    $ENV{PATH} = "/bin:/usr/bin:/sbin:/usr/sbin";
    my $user = $ARGV[1];
    insert_before_marker("/etc/hosts", "127.0.0.1\t$user\n");
} elsif ( $ARGV[0] eq "-s" ) {
    # Root: ssh_config stanza so that 'ssh <user>' on the hub reaches the
    # client through 127.0.0.1:<uid>.
    $ENV{PATH} = "/bin:/usr/bin:/sbin:/usr/sbin";
    my $user = $ARGV[1];
    my $pw   = getpwnam($user) or die "no such user '$user'";
    my $port = $pw->uid;
    my $r = "Host $user\n"
          . "  Port $port\n"
          . "  Cipher blowfish\n"   # protocol-1-only keyword; current OpenSSH ignores it as deprecated
          . "  Compression yes\n";
    insert_before_marker("/root/.ssh/config", "$r\n");
}

# Check $file out with $vo, insert $text in front of the '# tunnel ends'
# marker line (which must already exist in the file), check it back in.
sub insert_before_marker {
    my ($file, $text) = @_;
    run($vo, "-o", $file);
    open(my $fh, "<", $file) or die "can't open '$file': $!";
    my $h = do { local $/; <$fh> };
    close $fh;
    $h =~ s/(# tunnel ends)/$text$1/;
    open($fh, ">", $file) or die "can't open '$file': $!";
    print $fh $h;
    close $fh;
    run($vo, "-i", $file);
}
```
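Two hub-side additions, as a worked example that is not part of the page or of mktunuser: a hardened authorized_keys line for the tunnel key, and a status check that tells which tunnels are actually up. hub_key_line keeps the page's forced command but adds restrict, port-forwarding, permitlisten and permitopen (authorized_keys options of OpenSSH 7.2 and 7.8 or newer; none of them appear on the page), so that a stolen tunnel key can neither get a shell nor open listeners on other hub ports. tunnel_report derives the port from the UID exactly as mktunuser lays it out, recognises tunnel accounts by the tunnel-user gecos that mktunuser sets, and looks for a listener on 127.0.0.1:<uid> in ss -ltn output. The passwd and ss lines in the block are constructed samples; on a live hub feed it "$(getent passwd)" and "$(ss -Hltn)" instead.

```shell
#!/bin/sh
# Added example for the hub side; not the page's mktunuser.
# Assumptions (not in the page): the authorized_keys options restrict (OpenSSH
# 7.2+), port-forwarding, permitlisten (7.8+) and permitopen; ss(8) for the
# listener check. SAMPLE_PASSWD and SAMPLE_SS below are constructed test data.

# Hardened replacement for the authorized_keys line mktunuser appends as the
# tunnel user. 'restrict' disables pty, agent/X11 forwarding, ~/.ssh/rc and all
# port forwarding; 'port-forwarding' re-enables forwarding; 'permitlisten' pins
# the only allowed -R listener to the user's own port (bound to loopback by
# sshd's default GatewayPorts no) and 'permitopen' limits -L to that same port,
# which only leads back to the client itself. The forced command is the page's.
hub_key_line() {   # $1 = port (= uid of the tunnel user), $2 = public key line
    printf 'restrict,port-forwarding,permitlisten="%s",permitopen="127.0.0.1:%s",command="echo Tunnel Port %s active; while sleep 10; do echo -n .; done" %s\n' \
        "$1" "$1" "$1" "$2"
}

# Port of a tunnel account = its uid, as mktunuser lays it out. Accounts are
# recognised by the 'tunnel-user' gecos mktunuser sets and the 10000-10999
# range, so tun-adm (uid 10000, no such gecos) is not reported as a tunnel.
tunnel_port() {    # $1 = user, $2 = passwd lines ("$(getent passwd)" on a live hub)
    printf '%s\n' "$2" | awk -F: -v u="$1" \
        '$1 == u && $5 ~ /^tunnel-user/ && $3 >= 10000 && $3 <= 10999 { print $3; exit }'
}

# up     : a listener is bound on 127.0.0.1:<port>, i.e. the client's -R is in place
# down   : known tunnel account, but no listener
# unknown: not a tunnel account
tunnel_status() {  # $1 = user, $2 = passwd lines, $3 = 'ss -Hltn' output (4th column = local addr:port)
    port=$(tunnel_port "$1" "$2")
    if [ -z "$port" ]; then
        echo unknown
        return 2
    fi
    if printf '%s\n' "$3" | awk -v p="$port" \
        '$4 == ("127.0.0.1:" p) { found = 1 } END { exit !found }'; then
        echo up
    else
        echo down
    fi
}

# One line per tunnel account: "<user> <port> <up|down>".
tunnel_report() {  # $1 = passwd lines, $2 = ss output
    printf '%s\n' "$1" | awk -F: '$5 ~ /^tunnel-user/ { print $1 }' |
    while read -r u; do
        printf '%s %s %s\n' "$u" "$(tunnel_port "$u" "$1")" "$(tunnel_status "$u" "$1" "$2")"
    done
}

# Constructed sample data: tun-adm plus two tunnel accounts, one of them connected.
SAMPLE_PASSWD='tun-adm:x:10000:10000:,,,:/home/tun-adm:/bin/bash
tun-host1:x:10001:10001:tunnel-user,,,:/home/tun-host1:/bin/bash
tun-host2:x:10002:10002:tunnel-user,,,:/home/tun-host2:/bin/bash'
SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 127.0.0.1:10001 0.0.0.0:*'

# Demo when called as './hubtools demo': prints the report and a hardened key line.
case "${1-}" in
    demo)
        tunnel_report "$SAMPLE_PASSWD" "$SAMPLE_SS"
        hub_key_line 10001 "ssh-rsa AAAAexample tun-host1"
        ;;
esac
```

With the hardened line in place the client may still run the page's loop script unchanged: the forced command is identical, and a -R for its own port is exactly what permitlisten allows. Any other -R or -L request from that key is refused by sshd and logged, which is the signal to look for when a tunnel key may have been copied off a client.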
project/remote-ssh-tunnel.1455301681.txt.gz · Last modified: 2016/02/12 19:28 by 91.89.129.106