SSH tunneling tip

Federico Voges fvoges
Mon May 17 11:43:19 PDT 2004



Hi,

I got this tip from the Linux Journal Weekly Newsletter (January 22)

------------------------------------------------------------------------

  Tech Tip

   If you'd like to do SSH port forwarding with a passphrase, but require
   a passphrase to run commands, make a separate key for port forwarding
   only.

   Dramatis personae

   dmarti: example user name
   bilbo: your desktop system
   frodo: host running sshd
   linuxjournal.com: some web site

   Port forwarding also is called tunneling, so I'll call the key
   "tunnel". cd to your .ssh directory and create the key:

dmarti@bilbo:~/.ssh$ ssh-keygen -t dsa -f tunnel
Generating public/private dsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in tunnel.
Your public key has been saved in tunnel.pub.
The key fingerprint is:
77:b4:02:d9:32:c2:cc:18:58:c3:23:0a:13:46:a7:fa dmarti@capsicum

   Now edit tunnel.pub and add the following options to the beginning of
   the line:

command="/bin/false",no-X11-forwarding,no-agent-forwarding,no-pty

   That means this key is no longer any good for anything but port
   forwarding, because the only command it will run is /bin/false, and it
   won't forward X or agent commands.

   sshd understands the options only when reading the key from
   authorized_keys, but if you put the options into the original .pub
   file, they'll stay with the key wherever it goes.

   Now copy tunnel.pub to the end of your .ssh/authorized_keys at all the
   hosts to which you want to tunnel, and try it:

dmarti@bilbo:~$ ssh -i ~/.ssh/tunnel frodo
Connection to zork.net closed.

   No errors, nothing runs; that's what you want. If you get errors, you
   may have mangled the authorized_keys file on the server end; if you
   get a shell you need to check and fix the options.

   Another possibility is that if you're running with ssh-agent and have
   the SSH_AUTH_SOCK environment variable set, you could be using a key
   provided by ssh-agent instead of the one on the command line. Put env
   -u in front of the command line to be sure not to use the agent.

   Tunnel time! Let's use the long-suffering linuxjournal.com web server
   as a guinea pig and make a tunnel:

dmarti@bilbo:~$ ssh -i ~/.ssh/tunnel -N -L 8000:linuxjournal.com:80 \
frodo

   To review that command line:

     * -i ~/.ssh/tunnel to use our tunnel-only ssh key
     * -N to not run a command (this is necessary, otherwise SSH will run
       only /bin/false and exit)
     * -L 8000:linuxjournal.com:80 to forward local port 8000 to port 80
       on linuxjournal.com.
     * And finally, the hostname to which we're making the connection--it
       doesn't have to be the same as the host to which we're tunneling.
------------------------------------------------------------------------


Enjoy!

Federico Voges
Socio gerente

Intrasoft
Malabia 2137 14 A
(1425) Buenos Aires
Argentina

Te/Fax: 54-11-4833-5182
e-mail: fvoges@intrasoft.com.ar
Web: http://www.intrasoft.com.ar

PGP Public Key Fingerprint: A536 4595 EB6F D197  FBC1 5C3A 145C 2516

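The two helpers below are an added example around the tip's authorized_keys options; they are not part of the Linux Journal tip or of Federico's post. `restrict_pubkey` prepends the tip's exact option string to a bare `.pub` line, and optionally adds `permitopen="HOST:PORT"`, an OpenSSH authorized_keys option the tip does not use, which confines the key to forwarding to that one destination (without it, the tunnel key can forward to anything frodo can reach). `audit_authorized_keys` walks an authorized_keys file and reports forced-command keys that are missing any of the three `no-*` options, which is the "check and fix the options" step from the tip done by script. The key material, comments and the sample file are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the Linux Journal tip or Federico's post.
#   restrict_pubkey        prepends the tip's options to a bare .pub line; an
#                          optional HOST:PORT adds permitopen="HOST:PORT", an
#                          OpenSSH authorized_keys option the tip does not use,
#                          so the key can only forward to that one destination.
#   audit_authorized_keys  prints the comment of every key that sets command=
#                          but lacks one of the three no-* options.
# All key material and comments below are constructed sample data.

# The option string exactly as the tip gives it.
TUNNEL_OPTS='command="/bin/false",no-X11-forwarding,no-agent-forwarding,no-pty'

# restrict_pubkey PUBKEY_LINE [HOST:PORT]
restrict_pubkey() {
    key=$1
    dest=$2
    # Accept only a bare key line as ssh-keygen writes it; a line that already
    # carries options would otherwise end up with two option fields.
    case "$key" in
        ssh-*|ecdsa-*) ;;
        *) echo "restrict_pubkey: expected a bare public key line" >&2; return 1 ;;
    esac
    if [ -n "$dest" ]; then
        printf '%s,permitopen="%s" %s\n' "$TUNNEL_OPTS" "$dest" "$key"
    else
        printf '%s %s\n' "$TUNNEL_OPTS" "$key"
    fi
}

# audit_authorized_keys FILE
# Prints, one per line, the comment field of each command= key that is missing
# no-pty, no-X11-forwarding or no-agent-forwarding. Assumes the comment is the
# last whitespace-separated field with no spaces in it, as ssh-keygen writes it.
audit_authorized_keys() {
    while IFS= read -r line; do
        case "$line" in
            ''|'#'*) continue ;;     # blank or comment line
            command=*) ;;            # forced-command key: check its options
            *) continue ;;           # ordinary key, out of scope here
        esac
        for opt in no-pty no-X11-forwarding no-agent-forwarding; do
            case "$line" in
                *"$opt"*) ;;
                *) echo "${line##* }"; break ;;
            esac
        done
    done < "$1"
}

# write_sample_authorized_keys FILE
# Writes a constructed three-key authorized_keys: one restricted exactly as the
# tip says, one with an incomplete option set, one unrestricted shell key.
write_sample_authorized_keys() {
    cat > "$1" <<'EOF'
# constructed sample authorized_keys (fake key material)
command="/bin/false",no-X11-forwarding,no-agent-forwarding,no-pty ssh-dss AAAAB3NzaC1kc3MAAACBEXAMPLE1 tunnel@bilbo
command="/bin/false",no-pty ssh-dss AAAAB3NzaC1kc3MAAACBEXAMPLE2 weak@bilbo
ssh-dss AAAAB3NzaC1kc3MAAACBEXAMPLE3 shell@bilbo
EOF
}

# Demo: restrict a sample key, pinned to the tip's web server, then audit.
restrict_pubkey 'ssh-dss AAAAB3NzaC1kc3MAAACBEXAMPLE0 dmarti@bilbo' linuxjournal.com:80
sample=$(mktemp)
write_sample_authorized_keys "$sample"
audit_authorized_keys "$sample"      # prints: weak@bilbo
rm -f "$sample"
```

Running the script prints the restricted key line and then `weak@bilbo`, the one entry whose forced command is set but whose option list is incomplete. The `permitopen` pin is the part worth keeping in mind beyond the tip: `command="/bin/false"` with the three `no-*` options stops shells, X11 and agent use, but it says nothing about where `-L` tunnels may go, so a tunnel-only key is still a general-purpose relay through the sshd host unless `permitopen` (or, in OpenSSH 7.2 and later, the catch-all `restrict` option plus explicit permits) narrows it.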





More information about the Linux-users mailing list