SSH - to multiple devices help required



  • I have my pfSense set up as an SSH server allowing me to connect via port 443 with an authorized key file - I use PuTTY to make the connection.
    The purpose of this is to remotely administer/check logs etc and also I have a tunnel set up by adding 8080 dynamic under PuTTY tunnels, then if I use a proxy server of localhost in the internet browser I can browse the net securely using my own internet … with me so far?

    Ok, here's what I want to do:

    I have a Linux Ubuntu machine set up to accept SSH through port 22 via an authorised key. I want to connect to this via SSH from outside.

    What is the best way to do this?

    Would it be to open up port 22 and forward it in the firewall to the machine IP?

    Or is there a way of adding a tunnel in PuTTY allowing me to spawn a shell to the Linux machine?

    Thanks for taking the time!!


  • Netgate Administrator

    An easy way to do this would be to ssh into your pfSense machine and then ssh from there to your Ubuntu machine. Things can get confusing when you're running an SSH session inside an SSH session though ;).

    You should be able to ssh via your SOCKS proxy though. I've never tried this however.

    Steve


  • Rebel Alliance Global Moderator

    Have you looked into using OpenVPN to get into your network remotely? You could then ssh/telnet/rdp or whatever you would like to anything on your network via the VPN connection.

    This is how I have it set up; I can then ssh into any box on my network from a remote location. As a failsafe I have 22 forwarded to one of my Linux machines, which, like yours, only allows public key auth and has sshguard running to keep the logs from filling up with the script kiddies' brute force attempts you will see on any SSH server connected to the public net.

    I have this failsafe in place in case I am on a machine where I do not have admin rights to install the OpenVPN client. I can always have PuTTY and my key with me on my flash.


  • Rebel Alliance Developer Netgate

    +1 for a proper VPN like OpenVPN.

    Failing that, check this out: http://www.bitvise.com/tunnelier



  • Hi guys, thanks for the input. Stephenw10, as a test I ssh'd into my pfSense with PuTTY and key as usual and then from there pressed F8 for a shell and ssh'd into my Linux box - though maybe a key auth for this one is overkill at the mo, seeing as you need to get into my pfSense with a key to access the Linux box in the 1st place??

    Johnpoz and jimp, what advantage does OpenVPN have over PuTTY? And is it as portable, i.e. I run PuTTY from a flash pen.

    Johnpoz, you say you can ssh into your box but have a Linux box with port 22 as a failsafe. How do you choose between them during the connection? Do you just specify which port on the same IP?

    Also, to put a spin on it, has anyone tried RDP to a Linux box to get a GUI, e.g. X Windows over SSH or VNC etc?


  • Rebel Alliance Global Moderator

    I thought I already went over the advantages of VPN vs PuTTY.

    Once you make the VPN connection, it's just like you're local to the network - just a bit slower. So you can ssh, rdp, ftp, smb/cifs to any box you want that is on your network - just like you were there.

    With an SSH connection to one box on your network you have to create tunnels to each box and port you would want to connect to on the remote network via your SSH connection.

    Yes, OpenVPN is quite small, and there is a portable version you could use - but you have to have admin rights on the machine, which may not always be available - which is why I have PuTTY as a failsafe. http://portableapps.com/node/32472

    As to how I choose between them - OpenVPN is not running on 22, I have it running on TCP 443, which is normally OPEN no matter where you are at, unlike SSH which may or may not be allowed out.


  • Netgate Administrator

    @robpal:

    Stephenw10, as a test I ssh'd into my pfSense with PuTTY and key as usual and then from there pressed F8 for a shell and ssh'd into my Linux box - though maybe a key auth for this one is overkill at the mo, seeing as you need to get into my pfSense with a key to access the Linux box in the 1st place??

    Not sure if that's a question, but I would agree: no point in having key authentication on the second stage. In fact it's better not to do that. If someone cracks the key on your SSH session to your pfSense box they would then have the key for your Linux box, since it would have to be stored on the pfSense box unless you copied it across every time.

    The advantage of using an SSH tunnel or just nested SSH sessions is that SSH is pretty much omnipresent in the Unix world, so it requires almost no setup.
    I haven't really researched it in security terms, but as far as I know SSH with key-based authentication is considered secure. As secure as a VPN? Depends on the VPN encryption used. I'm open to opinions.

    Steve
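The two-hop setup discussed in this thread, written as an OpenSSH client config that uses pfSense as a jump host instead of a nested session, so the Ubuntu key never has to be stored on pfSense (the concern Steve raises above). This is an added example, not config from anyone in the thread; the hostname, LAN address, usernames and key paths are assumed, pfSense is assumed to allow TCP forwarding for the admin user, and `ProxyJump` needs OpenSSH 7.3 or newer on the client.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed layout:
#   pfsense.example.com  - public side of pfSense, sshd listening on 443
#   192.168.1.50         - Ubuntu box on the LAN, sshd on 22
# Both private keys live only on the laptop; pfSense just relays TCP.

write_jump_config() {
    cfg="$1"   # path of the ssh_config file to write
    cat > "$cfg" <<'EOF'
# First hop: pfSense on 443, public-key auth only (same as the PuTTY setup).
Host pfsense
    HostName pfsense.example.com
    Port 443
    User admin
    IdentityFile ~/.ssh/pfsense_key
    IdentitiesOnly yes
    ForwardAgent no
    # Dynamic (SOCKS) forward on 8080, the equivalent of PuTTY's D8080 tunnel
    # used for the browser proxy.
    DynamicForward 8080

# Second hop: the Ubuntu box, reached through pfsense.
# ProxyJump opens a forwarded TCP channel via the first hop (ssh -W);
# the Ubuntu key is read from this machine, so nothing secret sits on pfSense
# and agent forwarding is not needed on either hop.
Host ubuntu-lan
    HostName 192.168.1.50
    Port 22
    User rob
    ProxyJump pfsense
    IdentityFile ~/.ssh/ubuntu_key
    IdentitiesOnly yes
    ForwardAgent no
EOF
}

# Returns 0 when the config routes ubuntu-lan through pfsense and keeps
# agent forwarding off on both hops; 1 otherwise.
check_jump_config() {
    cfg="$1"
    grep -q '^    ProxyJump pfsense$' "$cfg" || return 1
    [ "$(grep -c '^    ForwardAgent no$' "$cfg")" -eq 2 ] || return 1
    return 0
}

# Usage: write_jump_config ~/.ssh/config && ssh ubuntu-lan
```

On the pfSense side, nothing beyond the existing key-only sshd is required, and `ssh -G ubuntu-lan` shows the resolved hop chain before you connect.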


Locked