RE: RE: [suse-security] SCP-proxy / SFTP-proxy wanted
Hi Christoph,
you have got a clear and well-working way to
do the job. And if your users are not too dumb,
this should work.
But you mentioned something about "WI?" ;-)
So if the users need a very easy way to access
the server, you could do some real magic ;-)
(Although it is somewhat more work to implement.)
I guess, outside is a system produced in Redmond.
So you need a graphical interface.
Use WinSCP.
Generate a public-private key pair with passphrase for
each user.
Put the public key in the home directory of the
Win-user.
This can be opened using Pageant (PuTTY).
Put the private key on the gateway server, and implement
a single command in this key.
(e.g. ssh -l user inside-host /bin/scp ;-))
If wanted, create another public-private pair to
authenticate the second connection on the inside host.
So no more password is needed after opening
the first public key on outside with Pageant.
Use WinSCP like Explorer.
Outside hacked --> delete keys on gateway.
Most of the configuration can be distributed by mail
to the user on outside.
Didn't test exactly this configuration, but it should work.
Greetings
Dirk
-----Original Message-----
From: Dr. Christoph Wegener [mailto:cwe@bph.ruhr-uni-bochum.de]
Sent: Thu 17.07.2003 10:46
To: suse-security@suse.com; Schreiner, Dirk
Cc:
Subject: Re: RE: [suse-security] SCP-proxy / SFTP-proxy wanted
Hi Dirk,
thanks for your suggestion - that is exactly what I was probing
yesterday evening. First I had some probs with the port
redirection of scp (sometimes it is -p, on another machine it
might be -P) but now it works. And it turns out that even most
graphical WI? clients are able to work with such a setup.
Well, I'll give you a short description of my net first:
outside -|- ssh-gateway -|- inside
         |               |
      firewall        firewall
Then I did the following:
On the outside-machine I started an ssh tunnel to our ssh-
gateway:
# ssh -L 1234:<machine>.inside.net:22
Hi,
SCP and SFTP use SSH. And there will be no PROXY for SSH due to the Protocol ;-)
But there are some WorkArounds like Port redirect. You should describe exactly what you want to do, so we can see if this is possible.
Describe the network also.
Greetings Dirk
-----Original Message-----
From: Dr. Christoph Wegener [mailto:christoph.wegener@bph.ruhr-uni-bochum.de]
Sent: Wed 16.07.2003 18:01
To: suse-security@suse.com
Cc:
Subject: [suse-security] SCP-proxy / SFTP-proxy wanted
Hi list,
does somebody know a solution for a transparent SCP-proxy or SFTP-proxy? At the moment we are running SuSE's ftp-proxy but I want to avoid cleartext passwords as soon as possible...
Thanks in advance Christoph
PS: Yes I did a google search but that was not very helpful...
-- .-. Ruhr-Universitaet Bochum /v\ L I N U X Lehrstuhl fuer Biophysik // \\ >Penguin Computing< c/o Dr. Christoph Wegener /( )\ Gebaeude ND 04/Nord ^^-^^ D-44780 Bochum, GERMANY
Tel: +49 (234) 32-25754 Fax: +49 (234) 32-14626 mailto:christoph.wegener@bph.rub.de http://www.bph.rub.de
"Snowflakes are one of nature's most fragile things, but just look what they can do when they stuck together." (Vesta Kelly)
-- Check the headers for your unsubscription address For additional commands, e-mail: suse-security-help@suse.com Security-related bug reports go to security@suse.de, not here
TRIA IT-consulting GmbH Rosenkavalierplatz 4 81925 München Germany Tel: +49 (89) 92907-0 Fax: +49 (89) 92907-100 http://www.tria.de
On Jul 18, Schreiner, Dirk
So you need a graphical Interface. Use WinScp. Or even better: FileZilla from http://filezilla.sf.net/
Markus PS: Dirk, next time please remove the fullquotes. Thanks. -- __________________ /"\ Markus Gaugusch \ / ASCII Ribbon Campaign markus@gaugusch.at X Against HTML Mail / \
Hi Dirk,
well now we are only using a key pair for authentication of
the login to the gateway. But your suggestion sounds very
interesting. To be honest: how can I implement a command in the
private key?
Have a nice weekend...
Christoph
18.7.2003 16:33:48, "Schreiner, Dirk"
Generate a Public-Private Key pair with Passphrase for each User.
Put the Public-Key in the Home-Directory of the Win-User. This can be opend using pagent (Putty.)
Put the Private-Key on the Gateway-Server, and implement a single command in this Key. (e.g. ssh -l user inside-host /bin/scp ;-))
If wanted, create another public-private Pair to authenticate the second connection on inside-Host. So no more Password is needed after opening the first Public-Key on outside with pagent.
On Friday 18 July 2003 17:18, Dr. Christoph Wegener wrote:
Hi Dirk, well now we are only using a key pair for authentication of the login to the gateway. But your suggestion sounds very interesting. To be honest: how can I implement a command in the private key?
Have a nice weekend... Christoph
http://www.hackinglinuxexposed.com/articles/20030115.html might be helpful. Sigfred
Hi *,
Oops. (But it seems nobody did see ;-))
Please swap Public and Private Key in the description. Of course WinSCP is the client and therefore holds the private key. So the public key is stored on the gateway. As usual this is done in known_hosts. To force a single command in the key just add the command as shown in front of the key in the same line in known_hosts.
command="ssh -l user Server.com" ...key..
Greetings Dirk
Dr. Christoph Wegener wrote:
Hi Dirk, well now we are only using a key pair for authentication of the login to the gateway. But your suggestion sounds very interesting. To be honest: how can I implement a command in the private key?
Have a nice weekend... Christoph
18.7.2003 16:33:48, "Schreiner, Dirk" wrote:
Generate a Public-Private Key pair with Passphrase for each User.
Put the Public-Key in the Home-Directory of the Win-User. This can be opend using pagent (Putty.)
Put the Private-Key on the Gateway-Server, and implement a single command in this Key. (e.g. ssh -l user inside-host /bin/scp ;-))
On Sun, Jul 20, 2003 at 12:49:12AM +0200, Dirk Schreiner wrote:
As usual this is done in known_hosts. To force a single Command in the Key just add the command as shown in front of the Key in the same Line in known_hosts.
s/known_hosts/authorized_keys/
command="ssh -l user Server.com" ...key..
and on server.com also allow only one command. This can be tricky, if you have varying options but I solved this by using a perl wrapper for rsyncing my servers onto the backup machine.
Dr. Christoph Wegener wrote:
btw, *please* http://learn.to/quote -- Stefan Seyfried Senior Consultant community4you GmbH, Chemnitz, Germany. http://www.community4you.de http://www.open-eis.com
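To make the two corrections above concrete (the option goes into authorized_keys, not known_hosts, and the forced command still has to cope with varying client options), here is an added example of such a forced-command wrapper for the gateway. It is not code from the thread or from Stefan's Perl wrapper; the install path /usr/local/bin/scp-gate, the allowed tree /backup, the inside host and user names and the `internal-sftp` keyword (a subsystem name of current OpenSSH, not of a 2003 release) are assumptions. sshd runs the script in place of whatever the client asked for and hands the client's request over in SSH_ORIGINAL_COMMAND, so the script checks that request and only then opens the second hop to the inside host.

```shell
#!/bin/sh
# Added example: forced-command wrapper for a restricted gateway key.
# Installed (hypothetical path) as /usr/local/bin/scp-gate and referenced
# from ~user/.ssh/authorized_keys on the gateway with a line like:
#
#   command="/usr/local/bin/scp-gate",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-rsa AAAA...== user@outside
#
# sshd then runs this script instead of the requested command and exposes
# the client's request in $SSH_ORIGINAL_COMMAND.

INSIDE_HOST="${INSIDE_HOST:-inside-host}"   # hypothetical inside host
INSIDE_USER="${INSIDE_USER:-user}"          # account used on the inside host
ALLOWED_TREE="/backup"                      # hypothetical: only paths below here
NL='
'

# check_command REQUEST
# Returns 0 if REQUEST is an scp transfer below $ALLOWED_TREE or the sftp
# subsystem, 1 for anything else.
check_command() {
    cmd=$1
    # Refuse anything a remote shell could interpret beyond a plain
    # argument list before looking at the individual words.
    case "$cmd" in
        ''|*"$NL"*|*';'*|*'|'*|*'&'*|*'`'*|*'$'*|*'<'*|*'>'*|*'('*|*')'*|*'\'*|*'"'*|*"'"*)
            return 1 ;;
    esac
    set -f            # split on whitespace without glob expansion
    set -- $cmd
    set +f
    case "$1" in
        scp)
            shift
            mode=
            # The server side of scp is started as "scp -t <dir>" (upload)
            # or "scp -f <file>" (download), possibly with -p, -r, -d, -v.
            while [ $# -gt 1 ]; do
                case "$1" in
                    -t) mode=upload ;;
                    -f) mode=download ;;
                    -p|-r|-d|-v) ;;
                    *) return 1 ;;   # -S, -o and other options are refused
                esac
                shift
            done
            [ -n "$mode" ] || return 1
            path=$1
            case "$path" in
                "$ALLOWED_TREE"/*) ;;
                *) return 1 ;;
            esac
            case "$path" in
                */../*|*/..) return 1 ;;   # no climbing out of the tree
            esac
            return 0
            ;;
        internal-sftp) return 0 ;;
        *) return 1 ;;
    esac
}

# gate REQUEST: forward an accepted request to the inside host, log and
# refuse everything else. The second hop authenticates with the gateway's
# own key pair, as described in the thread, so no password is asked for.
gate() {
    if check_command "$1"; then
        exec ssh -l "$INSIDE_USER" "$INSIDE_HOST" "$1"
    fi
    logger -p auth.warning -t scp-gate "refused from ${SSH_CLIENT:-unknown}: $1"
    echo "scp-gate: command not permitted" >&2
    exit 1
}

# Dispatch only when running as the installed wrapper, so the file can
# also be sourced to exercise check_command on its own.
case "$0" in
    */scp-gate|scp-gate) gate "${SSH_ORIGINAL_COMMAND:-}" ;;
esac
```

Two practical points follow from the thread. The -p/-P confusion Christoph ran into is real: scp takes the port as -P, while ssh takes it as -p. And the key options used here (no-port-forwarding in particular) rule out the ssh -L tunnel through the gateway that Christoph described, so a gateway key is either a forced-command key or a tunnel key, not both.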
* Stefan Seyfried wrote on Sun, Jul 20, 2003 at 17:55 +0200:
and on server.com also allow only one command. This can be tricky, if you have varying options but i solved this by using a perl wrapper for rsyncing my servers onto the backup machine.
You do "client push" of files for backup (instead of server poll), yes? How do you do that? I found it is not so easy using rsync, because this likes root permissions on the backup host because maybe you want to preserve UID and such. Having root-rsync access likes to limit the access to the same backup-tree, at least. Does your perl-wrapper protect against this? I mean, the client can rsync to e.g. /.../backup/client-hostname/ as root, but not below /etc and such? In that case, would you share your script? Thank you! oki, Steffen -- This letter was generated by machine and therefore bears neither signature nor seal.
Hi *, sorry, sorry for mailing to the list, but seife@community4you.de accepts no mail from an MTA behind a NAT gateway. ;-(( (Checks the HELO string, as if this would help anything.) Greetings Dirk Following for seife@community4you.de: Hi, for the last time via the detour over the list. Stefan Seyfried wrote:
On Sun, Jul 20, 2003 at 12:49:12AM +0200, Dirk Schreiner wrote:
As usual this is done in known_hosts. To force a single Command in the Key just add the command as shown in front of the Key in the same Line in known_hosts.
s/known_hosts/authorized_keys/
Thanks.
command="ssh -l user Server.com" ...key..
and on server.com also allow only one command. This can be tricky, if you have varying options but i solved this by using a perl wrapper for rsyncing my servers onto the backup machine.
The point was to allow only the one ssh --> internal, where a full ssh access is provided. Externally every user has their own key pair. For an ssh access restricted to 3 specific commands the Perl wrapper is really fun though ;-)
Dr. Christoph Wegener wrote:
btw, *please* http://learn.to/quote
Oops, whoever mails such links should not make a quoting error in the line above. ;-^ Regards Dirk P.S. Quote introductions without a quote should be avoided.