Hi Christoph,
you have a clear and well-working way to
do the job. And if your users are not too dumb,
this should work.
But you mentioned something about "WI?" ;-)
So if the users need a very easy way to access
the server, you could do some real magic ;-)
(Although it is somewhat more work to implement.)
I guess, outside is a System produced in Redmond.
So you need a graphical Interface.
Use WinSCP.
Generate a Public-Private Key pair with Passphrase for
each User.
Put the Public-Key in the Home-Directory of the
Win-User.
This can be opened using Pageant (PuTTY).
Put the Private-Key on the Gateway-Server, and implement
a single command in this Key.
(e.g. ssh -l user inside-host /bin/scp ;-))
If wanted, create another public-private Pair to
authenticate the second connection on inside-Host.
So no more Password is needed after opening
the first Public-Key on outside with pagent.
Use WinSCP like Explorer.
Outside hacked --> delete keys on gateway.
Most of the configuration can be distributed by mail
to the User on Outside.
Didn't test exactly this configuration, but it should work.
Greetings
Dirk
-----Original Message-----
From: Dr. Christoph Wegener [mailto:cwe@bph.ruhr-uni-bochum.de]
Sent: Thu 17.07.2003 10:46
To: suse-security@suse.com; Schreiner, Dirk
Cc:
Subject: Re: RE: [suse-security] SCP-proxy / SFTP-proxy wanted
Hi Dirk,
thanks for your suggestion - that is exactly what I was probing
yesterday evening. First I had some probs with the port
redirection of scp (sometimes it is -p, on another machine it
might be -P) but now it works. And it turns out that even most
graphical WI? clients are able to work with such a setup.
Well, I'll give you a short description of my net first:
outside -|- ssh-gateway -|- inside
         |               |
      firewall        firewall
Then I did the following:
On the outside-machine I started an ssh tunnel to our ssh-
gateway:
# ssh -L 1234:<machine>.inside.net:22
Hi,
SCP and SFTP use SSH. And there will be no PROXY for SSH due to the Protocol ;-)
But there are some WorkArounds like Port redirect. You should describe exactly what you want to do, so we can see if this is possible.
Describe the network also.
Greetings Dirk
-----Original Message-----
From: Dr. Christoph Wegener [mailto:christoph.wegener@bph.ruhr-uni-bochum.de]
Sent: Wed 16.07.2003 18:01
To: suse-security@suse.com
Cc:
Subject: [suse-security] SCP-proxy / SFTP-proxy wanted
Hi list,
does somebody know a solution for a transparent SCP-proxy or SFTP-proxy? At the moment we are running SuSE's ftp-proxy but I want to avoid cleartext passwords as soon as possible...
Thanks in advance
Christoph
PS: Yes I did a google search but that was not very helpful...
--
Dr. Christoph Wegener
Ruhr-Universitaet Bochum, Lehrstuhl fuer Biophysik
Gebaeude ND 04/Nord, D-44780 Bochum, GERMANY
Tel: +49 (234) 32-25754 Fax: +49 (234) 32-14626
mailto:christoph.wegener@bph.rub.de http://www.bph.rub.de
"Snowflakes are one of nature's most fragile things, but just look what they can do when they stuck together." (Vesta Kelly)
-- Check the headers for your unsubscription address For additional commands, e-mail: suse-security-help@suse.com Security-related bug reports go to security@suse.de, not here
TRIA IT-consulting GmbH Rosenkavalierplatz 4 81925 München Germany Tel: +49 (89) 92907-0 Fax: +49 (89) 92907-100 http://www.tria.de
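The "single command in this key" idea from Dirk's first mail, as an added example that is not code from the thread: sshd on the ssh-gateway hands each client request to a forced command, which relays only plain scp uploads and downloads to the inside host and refuses everything else. It assumes OpenSSH on the gateway with the restriction bound to the user's key in authorized_keys; the script path, the user and host names, and gate_decide are hypothetical.

```sh
#!/bin/sh
# Added example (not from the thread): forced-command filter for the ssh-gateway.
# Hypothetical install path: /usr/local/bin/scp-gate. Bind it to one user's
# public key in the gateway account's ~/.ssh/authorized_keys (single line):
#   command="/usr/local/bin/scp-gate --run",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-rsa <user-public-key>
LC_ALL=C; export LC_ALL       # make the [A-Za-z] ranges below byte-exact
INSIDE_USER="user"            # assumption: account on the inside host
INSIDE_HOST="inside-host"     # assumption: host name used in the mail's example

# gate_decide REQUEST
# REQUEST is what the client asked sshd to run (SSH_ORIGINAL_COMMAND).
# Prints the relay command for a plain scp upload (-t) or download (-f);
# returns 1 for anything else (shells, other programs, non-whitelisted paths).
gate_decide() {
    set -f; set -- $1; set +f         # split into words, no globbing
    [ "${1:-}" = "scp" ] || return 1
    shift
    mode=""; opts=""
    while [ $# -gt 1 ]; do            # every word but the last is an option
        case $1 in
            -t|-f) [ -z "$mode" ] || return 1; mode=$1 ;;
            -r|-p|-d|-v) opts="$opts $1" ;;
            *) return 1 ;;
        esac
        shift
    done
    [ -n "$mode" ] && [ $# -eq 1 ] || return 1
    case $1 in                        # the last word is the path
        -*|*[!A-Za-z0-9._/-]*) return 1 ;;
    esac
    printf 'ssh -l %s %s scp%s %s %s\n' \
        "$INSIDE_USER" "$INSIDE_HOST" "$opts" "$mode" "$1"
}

# Only act as the forced command when called with --run.
if [ "${1:-}" = "--run" ]; then
    cmd=$(gate_decide "${SSH_ORIGINAL_COMMAND:-}") || {
        echo "scp-gate: request refused" >&2
        exit 1
    }
    exec $cmd                         # safe to split: whitelisted characters only
fi
```

Removing that authorized_keys line on the gateway revokes the user's access in one step, which is the "delete keys on gateway" reaction from the mail.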