SSH Tunneling
In my last post about Runner I briefly explained needing to modify your ~/.ssh/config to use a ProxyCommand to allow for automatic tunneling with SSH.
```
Host tlbastion
    User tuxninja
    ForwardAgent yes
    HostName tlbastion.tuxlabs.com
    DynamicForward 8081

Host *.tuxlabs.com
    User tuxninja
    ProxyCommand /usr/local/bin/sconnect -4 -w 4 -S localhost:8081 %h %p
```
What I didn’t explain is that there is an alternative method that is arguably simpler. It requires creating three small shell scripts and placing them in your path or a common host path like /usr/local/bin/ with the chmod +x permission. Here is the script that sets up the ssh tunnel.
Script: starttunnel
```sh
$ cat /usr/local/bin/starttunnel
#!/bin/sh
# -f backgrounds the session, -N runs no remote command, -T allocates no tty,
# -C compresses, and -D 8081 opens a local SOCKS listener on port 8081.
# -g binds that listener on all interfaces, not just loopback, so other hosts
# on your LAN can reach it; drop -g if only this machine should use the tunnel.
ssh -o ServerAliveInterval=300 -CfgNT -D 8081 tlbastion.tuxlabs.com
$
```
Running starttunnel will connect you to your bastion/jump box and then background this connection with keep-alives on. It listens on local port 8081 and dynamically forwards (SOCKS) whatever connects there through tlbastion.tuxlabs.com. Additionally, if you want a specific web port on a machine inside your network tunneled back to the machine you are tunneling from, you can add it to the script, so that the required host/port always gets tunneled and is available on your machine whenever you run starttunnel. An example config would look like this.
Script: starttunnel + forwarding http
```sh
$ cat /usr/local/bin/starttunnel
#!/bin/sh
# Same as above, plus -L: local port 8080 is forwarded through the bastion
# to port 80 on tuxlabs1.tuxlabs.com.
ssh -o ServerAliveInterval=300 -CfgNTL 8080:tuxlabs1.tuxlabs.com:80 -D 8081 tlbastion.tuxlabs.com
$
```
Now that you have authenticated to your bastion and have a working tunnel, you need to get ssh requests to go through this tunnel. However, if you’re like me you still want the ability to ssh to other stuff without going through that tunnel. So I created a new script called ‘sshp’. When I want to ssh through the tunnel / proxy I use ‘sshp’; when I want to ssh to somewhere else on the internet or another network I use plain old ‘ssh’. Here is my sshp script used to connect to machines behind the bastion.
Script: sshp
```sh
$ cat /usr/local/bin/sshp
#!/bin/sh
# ProxyCommand hands the connection to OpenBSD nc, which speaks SOCKS5 (-X 5)
# to the listener starttunnel opened on localhost:8081.
# StrictHostKeyChecking=no disables host key verification for these hosts;
# CheckHostIP=no skips the IP check, which is meaningless behind a proxy.
# "$@" forwards every argument (user@host, -p, remote commands) instead of only $1.
ssh -o ConnectTimeout=3 -o StrictHostKeyChecking=no -o CheckHostIP=no -o ServerAliveInterval=300 -o "ProxyCommand /bin/nc -X 5 -x localhost:8081 %h %p" "$@"
$
```
Now, when you run sshp tuxlabs1.tuxlabs.com you will be connecting through the tuxlabs bastion into tuxlabs1. Also notice that in my previous post I used sconnect as the proxy command; in this one we are using ‘nc’ aka netcat. I have found this method of tunneling to be the most simplistic and effective in my daily life. One more script you need: if you want to copy files you need to use scp, so you have to make a similar command ‘scpp’ for tunneling your file copies. Here’s the script.
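A hardened variant of sshp, as an added example that is not from the original post: it fails fast when the SOCKS listener from starttunnel is not up, refuses targets outside the tunneled domain so the proxy is never used by accident, forwards all ssh arguments rather than only $1, and keeps host key verification on using a known_hosts file dedicated to hosts behind the bastion. The SOCKS_HOST, SOCKS_PORT and BASTION_KNOWN_HOSTS variables and the known_hosts path are my assumptions.

```shell
#!/bin/sh
# Hardened sshp (added example). Assumes starttunnel's SOCKS listener is on
# localhost:8081 and OpenBSD-style nc is at /bin/nc, as in the original scripts.
SOCKS_HOST=${SOCKS_HOST:-localhost}
SOCKS_PORT=${SOCKS_PORT:-8081}
BASTION_KNOWN_HOSTS=${BASTION_KNOWN_HOSTS:-$HOME/.ssh/known_hosts_tuxlabs}  # assumed path

# Return 0 if something accepts connections on the SOCKS port, non-zero otherwise.
tunnel_listening() {
    nc -z -w 1 "$SOCKS_HOST" "$SOCKS_PORT" >/dev/null 2>&1
}

# Print the ProxyCommand value that routes a connection through the SOCKS tunnel.
proxy_command() {
    printf '/bin/nc -X 5 -x %s:%s %%h %%p' "$SOCKS_HOST" "$SOCKS_PORT"
}

# Only hosts under tuxlabs.com live behind the bastion; everything else gets plain ssh.
is_tunneled_host() {
    case "$1" in
        *.tuxlabs.com) return 0 ;;
        *) return 1 ;;
    esac
}

sshp() {
    target=""
    for target in "$@"; do :; done   # last argument is the [user@]host
    if ! is_tunneled_host "$target"; then
        echo "sshp: $target is not behind the bastion; use plain ssh" >&2
        return 2
    fi
    if ! tunnel_listening; then
        echo "sshp: no SOCKS listener on $SOCKS_HOST:$SOCKS_PORT; run starttunnel first" >&2
        return 2
    fi
    # Host keys are still verified (ask on first contact, reject on mismatch), kept in a
    # file separate from ~/.ssh/known_hosts. CheckHostIP=no because the proxy hides the IP.
    exec ssh -o ConnectTimeout=3 \
        -o StrictHostKeyChecking=ask \
        -o CheckHostIP=no \
        -o UserKnownHostsFile="$BASTION_KNOWN_HOSTS" \
        -o ServerAliveInterval=300 \
        -o "ProxyCommand $(proxy_command)" "$@"
}

# Run only when invoked as the sshp script, so the functions can also be sourced.
if [ "${0##*/}" = "sshp" ]; then sshp "$@"; fi
```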
Script: scpp
```sh
$ cat /usr/local/bin/scpp
#!/bin/sh
# -p preserves times/modes, -r copies directories recursively; nc without -X
# defaults to SOCKS5. Arguments are quoted so paths with spaces survive.
scp -pr -o ConnectTimeout=3 -o StrictHostKeyChecking=no -o CheckHostIP=no -o "ProxyCommand /bin/nc -x localhost:8081 %h %p" "$1" "$2"
$
```
One final note: if you need to use ‘*’ aka splat for copying many files you cannot use the script above, because the calling shell expands the glob before the script runs and the script only passes on its first two arguments. Instead, just use the full command yourself from the command line.
scp’ing with *
```sh
$ scp -pr -o ConnectTimeout=3 -o StrictHostKeyChecking=no -o CheckHostIP=no -o "ProxyCommand /bin/nc -x localhost:8081 %h %p" copy.all.* tuxninja@tlbastion.tuxlabs.com:
```
This would copy all files named ‘copy.all.<whatever>’ to the bastion. Hope this helps the folks out there feeling limited by bastions. They provide great security and are an absolute requirement in secure environments, so learning tricks that make sure you only need to authenticate once for an extended period of time can come in real handy.
Enjoy,
Jason Riedel