Readme and configs edits

This commit is contained in:
murdrum 2020-08-01 00:51:40 +02:00
parent b2a5e62421
commit 99980260c9
5 changed files with 28 additions and 28 deletions


@ -1,4 +1,5 @@
# secure-reverse-ssh-tunnel
This project provides ready-to-use tools to configure a remote host via an ssh tunnel and a jump host.
@ -8,14 +9,14 @@ This project provides ready-to-use tools to configure a remote host via an ssh t
### Premise:
- HTE) Host you wish to expose. Currently network restricted (behind a FW or a NAT)
- EUD) End user device such as a laptop or mobile device provided with an ssh client.
- JH) A host publicly accessible over the internet (or a network accessible to voth HTE and EUD) running Openssh server.
- JH) A host publicly accessible over the internet (or a network accessible to both HTE and EUD) running Openssh server.
### Scenario:
- EUD wants to access a service running on HTE, but HTE can be accessed only from within its own network.
- EUD can generate outgoing traffic to the internet or external networks.
- HTE can't accept incoming connections from the internet or other networks.
- HTE can generate outoing traffic to the internet or external networks.
- HTE can generate outgoing traffic to the internet or external networks.
- JH is accessible to both HTE and EUD and runs an Openssh server.
Normally, to allow communication between EUD and HTE, you would need to setup a portforward for HTE on its network's edge router. Then have EUD connect to the edge router's Public IP at the forwarded port.
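Review bot: two style points survive the typo fixes in this hunk. "Openssh" (L19 and L26) should be written "OpenSSH", the project's own spelling; and the bullet labels "HTE)", "EUD)", "JH)" read as stray parentheses in Markdown, while the prose below uses plain HTE/EUD/JH. A bold label with a colon, e.g. "**HTE**: host you wish to expose ...", keeps the abbreviation visible and renders cleanly.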
@ -23,8 +24,8 @@ Normally, to allow communication between EUD and HTE, you would need to setup a
This might not be feasible or out of HTE's control, thus an ssh reverse tunnel can be used.
By using a jump server we can establish a tunnel from HTE to JH and respectively a communication from EUD to JH securely, using SSH and our private keys.
At this point EUD can access HTE's service just like any other service running on JH.
The Reverse tunnel binds HTE's port to JH's network-interface:port (JumHost's localhost by default, see **GatewayPorts yes**)
Every request sent to JH binded port is going to be forarded to HTE's port.
The Reverse tunnel binds HTE's port to JH's network-interface:port (JumpHost's localhost by default, see **[GatewayPorts](https://gitlab.com/enkht04/secure-reverse-ssh-tunnel#note)**)
Meaning every request sent to JH's binded port is going to be forwarded HTE's port.
**In ssh cli terms:**
```bash
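Review bot: the rewritten sentence at L35 still has two grammar slips: "binded" should be "bound", and "forwarded HTE's port" is missing "to". Suggest: "Meaning every request sent to JH's bound port is forwarded to HTE's port." In the unchanged line above it, "and respectively a communication from EUD to JH" is hard to parse; "and a separate SSH connection from EUD to JH" says what is meant. The new link to the GatewayPorts note is a good addition, since the default loopback bind is exactly what most readers will trip over.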
@ -34,7 +35,7 @@ Every request sent to JH binded port is going to be forarded to HTE's port.
---
## Support us
Whether you use this project, have learned something from it, or just like it, please consider supporting it by donate, so we can dedicate more time on open-source projects like this :)
Whether you use this project, have learned something from it, or simply like it, please consider supporting it by donation, so we can spend more time on open-source projects like this :)
<a href="https://it.liberapay.com/Unitoo/donate"><img alt="Donate using Liberapay" src="https://liberapay.com/assets/widgets/donate.svg"></a>
@ -43,7 +44,7 @@ Whether you use this project, have learned something from it, or just like it, p
## Components
- setup-remote-host.sh: This script must be run as root after setup step
- authorized_keys: should contains the ssh pubkey for HTE
- authorized_keys: should contains the ssh pubkey for JH
- config: example host configuration for "EUD" computer
- secure-tunnel@.service: SystemD ready to use example service
- targets/* : contains multiple targets that need to be used as jump servers
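Review bot: "should contains the ssh pubkey for JH" is still ambiguous about direction, and "contains" should be "contain". setup-remote-host.sh appends this file to ${homedir}/.ssh/authorized_keys on HTE (see adjust_ssh_folder_for further down), so the keys in it authorize logins to HTE through the tunnel; they are not what lets HTE reach JH. For the service to connect non-interactively as ${USER}@${TARGET}, HTE's own public key has to be present in that user's authorized_keys on JH, and nothing in the component list says so. Suggest two explicit lines: "authorized_keys: public key(s) allowed to log in to HTE via the tunnel" and "HTE's own public key must separately be added to ${USER}'s authorized_keys on JH".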
@ -87,7 +88,7 @@ To check if the tunnel is active and the dedicated port is up, ssh into your jum
netstat -tupln | grep 20001
```
You should see your port associated to autossh process :)
You should see autossh's process to your chosen port :)
### Remote port forwarding
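Review bot: the new wording at L56 is misleading: the command is run on the jump host, where the process holding the port is sshd (the next section's own example shows `127.0.0.1:${JH_PORT} LISTEN pid/sshd`); autossh runs on HTE and never appears in JH's socket list. Suggest "You should see sshd listening on your chosen port." Also, netstat is no longer installed by default on many distributions; `ss -tlnp | grep ':20001'` is the portable equivalent and worth giving alongside.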
@ -101,7 +102,7 @@ would result in a bind like this:
```bash
127.0.0.1:${JH_PORT} LISTEN pid/sshd
```
To expose forwarded ports over every jumphost's IP add the following to `/etc/ssh/sshd_config`
To expose forwarded ports over every jumphost's IP (0.0.0.0) add the following to `/etc/ssh/sshd_config`
```bash
GatewayPorts yes
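Review bot: "(0.0.0.0)" at L63 understates what GatewayPorts yes does. With no bind address given, sshd listens on the wildcard address for every address family it is configured for, so the port typically appears on `::` as well as `0.0.0.0` unless AddressFamily limits it; say "on all of the jump host's addresses (IPv4 and IPv6)". Because the forwarded port in this project is HTE's sshd, this paragraph should also point at the jump host's firewall before offering the setting; the Note below only mentions it in passing.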
@ -109,9 +110,9 @@ GatewayPorts yes
###### Note:
Every forwarded port will now be publicly exposed (unless FW rules are in place.)
A better aproach would be:
A better approach would be:
```bash
GatewayPorts userspecified
GatewayPorts clientspecified
```
The reverse tunnel above becomes;
```bash
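Review bot: the keyword fix is correct and important: `clientspecified` is the value sshd_config accepts, and `userspecified` is rejected as an invalid argument when sshd reads its configuration. The note should also say what the setting means for this repository's own unit file: under clientspecified a plain `-R ${JH_PORT}:localhost:${HTE_PORT}` with no bind address still listens on the jump host's loopback, so nothing is exposed until the client asks for it explicitly, e.g. `-R 0.0.0.0:${JH_PORT}:localhost:${HTE_PORT}`. That is the property that makes it "a better approach" than `yes`, and stating it makes the sentence "The reverse tunnel above becomes;" understandable (the semicolon there should be a colon).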
@ -120,7 +121,7 @@ The reverse tunnel above becomes;
### Local port forward
You could use your Jump Host even to bind to a local port a web interface of a remote host or something else with:
You could use your Jump Host even to bind a local port to a web interface on a remote host or something else with:
```bash
ssh -N -L ${LOCALPORT}:127.0.0.1:${JH_PORT} ${USER}${TARGET}
```
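Review bot: the command at L82 is missing the `@` between ${USER} and ${TARGET}; with the values from the targets file it would try to resolve a host named "autosshjumphost". It should read `ssh -N -L ${LOCALPORT}:127.0.0.1:${JH_PORT} ${USER}@${TARGET}`. It may also help to say that 127.0.0.1:${JH_PORT} is evaluated on the jump host, i.e. it is the reverse-tunnel listener from the previous section, which is how a service on HTE ends up reachable at localhost:${LOCALPORT} on EUD.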

config

@ -3,9 +3,9 @@ Host jumpserver
User root
IdentityFile /home/<USER>/.ssh/<ID>
Host remotehost
Host HostToExpose
Hostname localhost
User <REMOTE_USER>
Port 20001
IdentityFile /home/<USER>/.ssh/<ID>
Proxycommand ssh -W %h:%p jumpserver
Proxycommand ssh -W %h:%p jumpserver
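Review bot: `User root` on the jumpserver entry (L90) is more privilege than the hop needs. The jump host only relays the `-W %h:%p` connection, so a dedicated unprivileged account on JH is sufficient, and its key can be locked down in JH's authorized_keys with `restrict,port-forwarding,permitopen="localhost:20001"` so that it can open nothing but the tunnel port. Two smaller points on the same block: `Proxycommand` works because ssh_config keywords are case-insensitive, but the canonical spelling is `ProxyCommand`, and on OpenSSH 7.3 or newer `ProxyJump jumpserver` replaces the whole line; and since `Hostname localhost` with `Port 20001` is what ssh records in known_hosts (`[localhost]:20001`), adding `HostKeyAlias HostToExpose` keeps HTE's host key from being mixed up with any other host reached the same way.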


@ -5,7 +5,7 @@ After=network.target
[Service]
Environment="AUTOSSH_GATETIME=0"
EnvironmentFile=/etc/default/secure-tunnel@%i
ExecStart=/usr/bin/autossh -M 0 -o "ServerAliveInterval 30" -o "ServerAliveCountMax 3" -o "ExitOnForwardFailure" -NR ${JH_PORT}:localhost:22 ${USER}@${TARGET}
ExecStart=/usr/bin/autossh -M 0 -o "ServerAliveInterval 30" -o "ServerAliveCountMax 3" -o "ExitOnForwardFailure" -NR ${JH_PORT}:localhost:"${HTE_PORT}" "${USER}"@"${TARGET}"
User=autossh
Restart=on-failure
RestartSec=5s
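Review bot: `-o "ExitOnForwardFailure"` is carried over unchanged and is missing its value; ssh requires `ExitOnForwardFailure yes` (or `ExitOnForwardFailure=yes`) and treats a boolean option with no argument as a configuration error rather than as "yes". This matters here because with `-M 0` autossh has no monitor channel and relies on ssh exiting when the remote bind of ${JH_PORT} fails, so that `Restart=on-failure` can retry; without the option ssh would stay up with no working forward. The added quoting in `"${USER}"@"${TARGET}"` is harmless but unnecessary: systemd already expands `${VAR}` as a single argument, only the `$VAR` form is word-split. The new ${HTE_PORT} variable is a good generalisation.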


@ -13,15 +13,15 @@ function check_if_running_as_root {
check_if_running_as_root
read -p "Did you run this script on the remote host? " -n 1 -r
read -p "Are you running this script on the host to expose? " -n 1 -r
echo
if [[ ! $REPLY =~ ^[Yy]$ ]]
then
echo "Please rerun this script on HTE as root user."
echo "Please re-run this script on HTE as root user."
[[ "$0" = "$BASH_SOURCE" ]] && exit 1 || return 1
fi
read -p "Did you setup various targets and adjusted configurations as described in README?" -n 1 -r
read -p "Have you setup targets and adjusted configurations as described in README?" -n 1 -r
echo
if [[ ! $REPLY =~ ^[Yy]$ ]]
then
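Review bot: the rewritten prompt at L127 drops the trailing space that the prompt at L118 keeps, so the one-character answer is typed flush against the question mark. Since `read -n 1` accepts any key and the checks only pass on y/Y, the prompts should also state the expected input, e.g. "... as described in README? [y/N] ".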
@ -41,10 +41,10 @@ function check_necessary_packages {
apt-get --yes install autossh
elif [[ ! -z $YUM_CMD ]]; then
echo "OK: yum found."
yum install autossh
yum install -y autossh
elif [[ -z $DNF_CMD ]]; then
echo "OK: yum found."
dnf install autossh
echo "OK: dnf found."
dnf install -y autossh
else
echo "No valid package manager found. Exiting."
exit 1;
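Review bot: the branch condition at L137, `elif [[ -z $DNF_CMD ]]; then`, is inverted and is left untouched by this hunk: `-z` is true when the variable is empty, so the dnf branch runs when dnf was not found and the "No valid package manager found" else branch runs when it was. Compare the yum test on L133, which correctly uses `! -z`. It should be `elif [[ -n $DNF_CMD ]]; then` (or `! -z`, matching the line above). The `-y` additions and the corrected "OK: dnf found." message are fine.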
@ -72,7 +72,7 @@ function adjust_ssh_folder_for {
echo "NEXT: Setup ${1} home: ${homedir}."
mkdir -p "${homedir}/.ssh"
mkdir -p "${homedir}/.ssh" &&
touch -a "${homedir}/.ssh/authorized_keys"
if [ ! -s authorized_keys ]; then
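Review bot: chaining `mkdir -p ... && touch -a ...` only makes touch conditional on mkdir; if either fails the script carries on into `cat authorized_keys >> ...` and the chown/chmod below without reporting anything. Since this runs as root and writes into a user's ~/.ssh, it should fail closed: `set -euo pipefail` near the top of the script, or `|| { echo "ERROR: could not prepare ${homedir}/.ssh"; exit 1; }` on this chain. The relative `authorized_keys` path also assumes the script is run from the repository checkout; `"$(dirname "$0")/authorized_keys"` removes that assumption.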
@ -80,9 +80,8 @@ function adjust_ssh_folder_for {
fi
cat authorized_keys >> "${homedir}/.ssh/authorized_keys"
echo "OK: Files and content ready."
echo "NEXT: Setup file and folder permissions."
echo -e "OK: Files and content ready.\nNEXT: Setup file and folder permissions."
chown -R "$1":"$1" "${homedir}/.ssh"
chmod 700 "${homedir}/.ssh"
chmod 600 "${homedir}/.ssh/authorized_keys"
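Review bot: `cat authorized_keys >> "${homedir}/.ssh/authorized_keys"` appends unconditionally, so every re-run of the script duplicates all keys in the target file. Appending only the lines that are not already present, e.g. `grep -qxF "$key" "$dest" || echo "$key" >> "$dest"` per line, keeps it idempotent. The `chmod 700` / `chmod 600` values are correct for sshd's StrictModes; note that `chown -R "$1":"$1"` assumes a group with the same name as the user exists, which is true for the autossh user the script creates but is worth stating.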
@ -97,12 +96,11 @@ function setup_systemd_service_if_available {
if [[ ! -z $SYSTEMCTL_CMD ]]; then
echo "NEXT: Copy targets into /etc/default."
cp -n targets/* /etc/default/
cp -n targets/* /etc/default/ &&
echo "OK: Targets copied."
echo "NEXT: Setup systemd service."
echo "OK: Targets copied. \nNEXT: Setup systemd service."
cp secure-tunnel@.service /etc/systemd/system/
cp secure-tunnel@.service /etc/systemd/system/ &&
systemctl daemon-reload
echo "OK: Systemd service created."


@ -1,3 +1,4 @@
USER=autossh
TARGET=jumphost
JH_PORT=20001
HTE_PORT=22
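Review bot: adding HTE_PORT is good, but the file leaves `USER=autossh` as the name of the remote login on the jump host, which happens to coincide with the local service account (`User=autossh` in the unit); the two need not be the same user and the shared name hides that. A name like JH_USER would make the jump-host account explicit. USER is also the variable most shells set to the login name; systemd's EnvironmentFile does not clash with it, but anyone sourcing this file in a shell to test the command by hand will overwrite their own $USER.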