Hi Christoph, you got a clear and well-working way to do the job. And if you have not too dumb users, this should work. But you mentioned something about "WI?" ;-) So if the User`s need a verry easy way to access the Server, you could do some real magic ;-) (Although is is something more Work to implement.) I guess, outside is a System produced in Redmond. So you need a graphical Interface. Use WinScp. Generate a Public-Private Key pair with Passphrase for each User. Put the Public-Key in the Home-Directory of the Win-User. This can be opend using pagent (Putty.) Put the Private-Key on the Gateway-Server, and implement a single command in this Key. (e.g. ssh -l user inside-host /bin/scp ;-)) If wanted, create another public-private Pair to authenticate the second connection on inside-Host. So no more Password is needed after opening the first Public-Key on outside with pagent. Use WinScp like explorrer. Outside hacked --> delete Key`s on gateway. Most of the configuration can be distributed by mail to the User on Outside. Didn`t test exact this configuration, but it should work. Greetings Dirk -----Original Message----- From: Dr. Christoph Wegener [mailto:cwe@bph.ruhr-uni-bochum.de] Sent: Thu 17.07.2003 10:46 To: suse-security@suse.com; Schreiner, Dirk Cc: Subject: Re: RE: [suse-security] SCP-proxy / SFTP-proxy wanted Hi Dirk, thanks for your suggestion - that is exactly what I was probing yesterday evening. First I had some probs with the port redirection of scp (sometimes it is -p, on another machine it might be -P) but now it works. And it turns out that even most graphical WI? clients are able to work with such a setup. Well, I'll give you a short description of my net first: outside -|- ssh-gateway -|- inside | | firewall firewall Then I did the following: On the outside-machine I started an ssh tunnel to our ssh- gateway: # ssh -L 1234:<machine>.inside.net:22 @ssh-gateway When the tunnel was up, I opened another session and did the following: # scp -P 1234 <source-file> @localhost: <destination-file> Works like a charm, but maybe there is an easier solution? Thanks in advance Christoph 16.7.2003 19:37:32,"Schreiner, Dirk" wrote:

Hi,

SCP and SFTP use SSH. And there will be no PROXY for SSH due to the Protocol ;-)

But there are some WorkArounds like Port redirect. You should describe exactly what you want to do, so we can see if this is possible.

Describe the network also.

Greetings Dirk

-----Original Message----- From: Dr. Christoph Wegener [mailto:christoph.wegener@bph.ruhr-uni-bochum.de] Sent: Wed 16.07.2003 18:01 To: suse-security@suse.com Cc: Subject: [suse-security] SCP-proxy / SFTP-proxy wanted Hi list, does somebody know a solution for a transparent SCP-proxy or SFTP-proxy? In the moment we are running SuSE's ftp-prxy but I want to avoid cleartext password as soon as possible...

Thanks in advance Christoph

PS: Yes I did a google search but that was not very helpfull... -- .-. Ruhr-Universitaet Bochum /v\ L I N U X Lehrstuhl fuer Biophysik // \\ >Penguin Computing< c/o Dr. Christoph Wegener /( )\ Gebaeude ND 04/Nord ^^-^^ D-44780 Bochum, GERMANY

Tel: +49 (234) 32-25754 Fax: +49 (234) 32-14626 mailto:christoph.wegener@bph.rub.de http://www.bph.rub.de

"Snowflakes are one of nature's most fragile things, but just look what they can do when they stuck together." (Vesta Kelly)

-- Check the headers for your unsubscription address For additional commands, e-mail: suse-security-help@suse.com Security-related bug reports go to security@suse.de, not here

TRIA IT-consulting GmbH Rosenkavalierplatz 4 81925 München Germany Tel: +49 (89) 92907-0 Fax: +49 (89) 92907-100 http://www.tria.de

--------------------------------------------------------

working hard | for your success

--------------------------------------------------------

Registergericht München HRB 113466

USt.-IdNr. DE 180017238 Steuer-Nr. 802/40600

Geschäftsführer: Hubertus Wagenhäuser

-------------------------------------------------------- Nachricht von: Dirk.Schreiner@tria.de

Nachricht an: christoph.wegener@bph.ruhr-uni-bochum.de, suse- security@suse.com

# Dateianhänge: 0

Die Mitteilung dieser E-Mail ist vertraulich und nur für den oben genannten Empfänger bestimmt. Wenn Sie nicht der vorgesehene Empfänger dieser E-Mail oder mit der Aushändigung an ihn betraut sind, weisen wir darauf hin, daß jede Form der Kenntnisnahme, Veröffentlichung, Vervielfältigung sowie Weitergabe des Inhalts untersagt ist. Wir bitten Sie uns in diesem Fall umgehend zu unterrichten. Vielen Dank

The information contained in this E-Mail is privileged and confidental intended only for the use of the individual or entity named above. If the reader of this message is not the intended recipient or competent to deliver it to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this E-Mail is strictly prohibited. If you have received this E-Mail in error, please notify us immediately. Thank you

-- Check the headers for your unsubscription address For additional commands, e-mail: suse-security-help@suse.com Security-related bug reports go to security@suse.de, not here

-- .-. Ruhr-Universitaet Bochum /v\ L I N U X Lehrstuhl fuer Biophysik // \\ >Penguin Computing< c/o Dr. Christoph Wegener /( )\ Gebaeude ND 04/Nord ^^-^^ D-44780 Bochum, GERMANY Tel: +49 (234) 32-25754 Fax: +49 (234) 32-14626 mailto:christoph.wegener@bph.rub.de http://www.bph.rub.de "Snowflakes are one of nature's most fragile things, but just look what they can do when they stuck together." (Vesta Kelly)