
Re: port forwarding without using ssh
On Wed, Nov 11, 2009 at 10:36:20AM +0800, Zhang Weiwu wrote:

> The problem of this solution is security. I do not want to grant shell
> access of local_server to remote_server. What would you recommend me
> to do in this case? I could try to limit access of the account used by
> remote server ssh -R, but should I?

You don't have to grant the remote server shell access if you don't want
to. You can use the port-forward feature of ssh to just create ports
without a shell with the -fN flag.

Also, the -R and -L flags look the same, but define which end the
traffic originates from. So, it's hard to say if you're using -R
correctly, or if you should be using -L instead.

This is untested, but should work to tunnel SMTP from localserver to
remoteserver when the connection is opened from the remoteserver side:

    remoteserver$ ssh -fN -R25:localhost:25 localserver

To make it work securely, though, you need to do a few more things.

    1. Add the "no-pty" option to your authorized_keys file so that no
       shell is allowed for that key.

    2. See whether you can limit the forwarded ports with "permitopen"
       in authorized_keys. This may or may not work with -R; the man
       page says it's for -L only.

    3. Consider creating a non-root user for ports that don't require
       binding to privileged ports. For example, you could tunnel git on
       port 9418 as some other user rather than root.

If you want a real SSH-based VPN, and are willing to pay the encryption
overhead, you can investigate SSH + TUN forwardings. See these articles
as a starting point:

    http://www.debian-administration.org/articles/539
    https://help.ubuntu.com/community/SSH_VPN
    http://www.gentoo-wiki.info/HOWTO_VPN_over_SSH_and_tun

Hope that helps.

-- 
"Oh, look: rocks!"
	-- Doctor Who, "Destiny of the Daleks"
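As an added example (not part of the message above or of OpenSSH itself), a small POSIX shell helper that writes a restricted authorized_keys entry for a tunnel-only key and audits an existing authorized_keys file for keys that still lack "no-pty" or "restrict". It assumes OpenSSH 7.8 or later, where "permitlisten" limits what a -R tunnel may bind (the -R counterpart of the "permitopen" option mentioned above); the key data, comment and file contents are constructed.

```shell
#!/bin/sh
# Added example (not from the original message). The key comment
# "tunnel@remoteserver" and the sample key data below are constructed.

# Emit an authorized_keys line that lets KEY open only an -R tunnel that binds
# LISTEN_PORT on this host: "restrict" (OpenSSH 7.2+) disables pty, agent, X11
# and port forwarding; "port-forwarding" re-enables forwarding alone, and
# "permitlisten" (OpenSSH 7.8+) is the -R counterpart of permitopen.
restricted_key_line() {
    key="$1"          # "<type> <base64> <comment>" as in id_ed25519.pub
    listen_port="$2"  # the only port the -R side may bind on localserver
    printf 'restrict,port-forwarding,permitlisten="%s",command="/bin/false" %s\n' \
        "$listen_port" "$key"
}

# Print every key in FILE whose options contain neither "restrict" nor
# "no-pty", i.e. keys that still allow an interactive login. Exit status is
# 0 when all keys are restricted, 1 otherwise.
unrestricted_keys() {
    awk '
        /^[ \t]*(#|$)/ { next }                  # comments and blank lines
        {
            # Options precede the key type; cut there so quoted spaces inside
            # command="..." do not disturb the check.
            if (!match($0, /(^|[ \t])(ssh-|ecdsa-|sk-)[^ \t]*[ \t]+[A-Za-z0-9+\/=]+/))
                next                             # not a key line at all
            opts = substr($0, 1, RSTART - 1)
            if (opts !~ /(^|,)(restrict|no-pty)(,|$)/) { print; bad = 1 }
        }
        END { exit bad ? 1 : 0 }
    ' "$1"
}

# Constructed sample file: one restricted tunnel key and one plain admin key.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
# tunnel-only key used by remoteserver for ssh -fN -R25:localhost:25
restrict,port-forwarding,permitlisten="25",command="/bin/false" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYDATA tunnel@remoteserver
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCEXAMPLEKEYDATA admin@laptop
EOF

restricted_key_line "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYDATA tunnel@remoteserver" 25
if unrestricted_keys "$SAMPLE"; then
    echo "all keys restricted"
else
    echo "the key(s) above still allow a shell"
fi
```

Run the audit against the real file on localserver (`unrestricted_keys ~tunnel/.ssh/authorized_keys`) after adding the tunnel key; a non-zero exit means a key without "restrict"/"no-pty" is still present.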