[rescue] how to transparently forward SSH to an internalbox
Greg A. Woods
rescue at sunhelp.org
Sun Jan 6 13:15:06 CST 2002
[ On Sunday, January 6, 2002 at 13:16:44 (-0500), George Adkins wrote: ]
> Subject: Re: [rescue] how to transparently forward SSH to an internalbox
>
> Yes, that's exactly what I've been saying for three days.
> what I'm trying to work out is what the best method for that client to
> request that port information from the proxy host...
No, you have been saying that you don't want any non-standard ports (or
additional IP#s). You cannot have eaten your cake and still have it too.
If all you're trying to do is hide the necessary non-standard port
numbers and their usage from your end users, then you must say so
explicitly.
Since you did not define your client environment I've been wary of going
even so far as I have in proposing a wrapper script for the SSH client
program, especially since such a scheme is much more difficult, in
many/most GUI-only clients.
> because we _don't_ have to make custom clients. we can have a generic client
> script which will allow _anyone_ running it to be able to ssh through to a
> private address machine transparently, without any further preparation than
> dropping a script into their home directory and having an account on the
> target machine.
I already posted the important guts of a script which uses the DNS to
retrieve the magic port mapping. You could easily adjust it to work for
any server domain by always looking for a "valid" port number in a DNS
TXT RR. Note that you do not need any public A RRs for the internal
hosts so long as your gateway naming scheme is consistent, but of course
it wouldn't hurt to have the A RRs as well, in which case you could have
an arbitrary number of gateways for any given private network.
--
Greg A. Woods
+1 416 218-0098; <gwoods at acm.org>; <g.a.woods at ieee.org>; <woods at robohack.ca>
Planix, Inc. <woods at planix.com>; VE3TCP; Secrets of the Weird <woods at weird.com>
More information about the rescue
mailing list