[rescue] how to use a NAT/PAT to forward SSH to an internal box

Greg A. Woods rescue at sunhelp.org
Sun Jan 6 11:46:54 CST 2002


[ On Sunday, January 6, 2002 at 03:00:14 (-0500), Patrick Giagnocavo wrote: ]
> Subject: Re: [rescue] how to use a NAT/PAT to forward SSH to an internal box
>
> Why put that data in the client script?  Multiple clients=multiple
> places to update the script.

Because it's easiest.  Nobody's said anything about the requirements for
the client environment yet, or how many there are.  For all I know we
could be talking about one lone client.

> > If you want things more dynamic then the easiest thing to do would be to
> > use the DNS to look up the port number in something like a TXT record:
> 
> Heck no, I wouldn't do that!  This gives everyone the ability to go
> after and try to hack your boxes.  Security through obscurity is bad
> but why advertise you have other systems on rfc1918 space?

Because pretending that you can hide information that's available in
public namespace is stupid.  Security through obscurity is bad because
it leads to a very false sense of security.  It doesn't matter how you
"advertise" your port-to-host mapping, an attacker will be able to
discover it -- all that changes is the initial target.

> Try this:
> 
> set up a single Apache httpd process (set MaxServers to 1 and so
> forth) with SSL enabled on the gateway and 
> 
> 1.  create and self-sign your own SSL certificate

Are you talking about a personal browser certificate?  Unless you make
the browser use its own secret certificate you're really not protecting
anything very well.

> 2.  using Lynx (read the man page), log in to the http server and download
> the shell script you mention.

Lynx cannot easily be configured to use a personal SSL certificate, and
it's not easy to configure any web server I know of to refuse requests
unless the client's certificate is known (yes, you can theoretically do
this with apache, but I've yet to prove it in practice).

>  You could run this as part of your
> .login if you chose, so that on every login the latest version of the
> mappings was automatically installed.  Lynx can be scripted.
> 
> 3.  So now your mapping is encrypted and only available via SSL - if you
> include a Basic-Authentication requirement you can prevent those who
> don't know the username and password from getting the list from the
> server, even if they accept your SSL cert.

Yeah, but then you have to have "-auth=ID:PASSWD" in your script and you
have to be sure your personal account is as secure as the root account
on your client machine.

> You could also just create different user accounts on the gateway box,
> and set up each account to automatically log in to a different box
> using SSH's keygen mechanism.  

Which is what I suggested in the first place...

-- 
								Greg A. Woods

+1 416 218-0098;  <gwoods at acm.org>;  <g.a.woods at ieee.org>;  <woods at robohack.ca>
Planix, Inc. <woods at planix.com>; VE3TCP; Secrets of the Weird <woods at weird.com>
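The last approach in the message above (one gateway account per internal box, each account's key login doing nothing but ssh onward) can be expressed as a restricted authorized_keys entry. What follows is an added example, not code from the thread or from either poster; the account names, the RFC 1918 addresses and the public key are all constructed for illustration, and the mapping is kept inline here only so the script runs stand-alone. It also shows the one check a practitioner would want when generating such entries from supplied keys: a key string with an embedded newline would smuggle a second, unrestricted key into the file.

```shell
#!/bin/sh
# Added example, not code from the original thread: generate a restricted
# authorized_keys entry for each per-host account on the gateway, so that a
# key login to that account can do nothing except start an ssh session to
# the one internal box the account is mapped to.
#
# Everything below is constructed for this example: the account names, the
# RFC 1918 addresses and the public key are made up.

# Gateway account -> internal host mapping.  Kept inline here; on a real
# gateway it would be a file readable only by whoever generates the keys.
MAPPING='
relay-sun1 192.168.10.11
relay-sun2 192.168.10.12
'

NL=$(printf '\n.'); NL=${NL%.}   # a literal newline for the checks below

# Print the internal host mapped to gateway account $1; exit 1 if unmapped.
lookup_internal() {
    printf '%s\n' "$MAPPING" |
        awk -v acct="$1" '$1 == acct { print $2; found = 1 }
                          END { if (found) exit 0; exit 1 }'
}

# Accept only a single public-key line of a known type.  An embedded newline
# would let the caller append a second key line with no restrictions at all.
valid_pubkey() {
    case "$1" in
        *"$NL"*) return 1 ;;
    esac
    case "$1" in
        ssh-rsa\ *|ssh-dss\ *|ssh-ed25519\ *|ecdsa-sha2-nistp256\ *|ecdsa-sha2-nistp384\ *|ecdsa-sha2-nistp521\ *)
            return 0 ;;
        *)  return 1 ;;
    esac
}

# Emit one authorized_keys line for gateway account $1 and public key $2.
# sshd runs the forced command no matter what the client asked for, and the
# no-* options stop the client from using the gateway for anything else.
# pty allocation is left enabled so the inner ssh gets an interactive session.
gen_authorized_key() {
    acct=$1; pubkey=$2
    valid_pubkey "$pubkey" || { echo "bad public key for $acct" >&2; return 1; }
    host=$(lookup_internal "$acct") || { echo "no mapping for $acct" >&2; return 1; }
    printf 'command="ssh -q %s",no-port-forwarding,no-X11-forwarding,no-agent-forwarding %s\n' \
        "$host" "$pubkey"
}

# Demonstration with a constructed (not real) key; append the output to
# ~relay-sun1/.ssh/authorized_keys on the gateway.
gen_authorized_key relay-sun1 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDconstructed client@example'
```

The client then just runs `ssh relay-sun1@gateway`; since the forced command is applied by sshd on the gateway, the client cannot substitute a different internal host, which is why the account-to-host mapping itself does not need to be a secret. Because agent forwarding is refused, each gateway account needs its own key (and an authorized_keys entry) on the internal box it fronts.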


