Saturday, January 23, 2016

How to have ssh tunnel prompt for username & password




We have an windows desktop application that connects to a 3rd party server with a socket connection. The 3rd-party server requires that we connect from a fixed public IP address. We need to connect from various IP addresses, so I setup a (Linux) server to tunnel the connections so that it looks to the 3rd-party server that all connections are coming from the same IP address all the time:



ssh -N -L port:127.0.0.1:port account@ip -p port2



The tunnel appears to be working fine; As a test, I can telnet to it from the account with which it was created.



To allow the windows machines (that run the application) to tunnel through, I added -g to the ssh command line. Now other machines can telnet through the tunnel as well. Everything works so far. However, I want to be able to restrict who can use the tunnel. When I telnet to the Linux server, I expected to be prompted for the username/login of the account that created the tunnel; instead, the connection is just created with no restriction. I don't want to use IP address filtering, since that is the reason I setup the Linux server in the first place (to allow any IP address). How can I get the Linux server to prompt for username/password when connecting to the tunnel from another machine? Would this be done with some additional or different command line options for ssh, or do I need to use something else?



I was expecting to run something like bitvise tunellier on the windows desktop machines. Thus, I would tell the windows desktop application to connect to a local port on the windows machine on which it runs. This local port would be tunneled to the Linux server by tunellier. The Linux server would in turn tunnel to the 3rd-party server.


Answer




If you want to require authentication, then you should probably drop the -g option to make the tunnel available to the network. Then require everyone who needs access to the tunnel to the remote system establish a connection to your SSH server with a tunnel.




How can I get the Linux server to prompt for username/password when connecting to the tunnel from another machine?




There is nothing built into SSH that is going to automatically add an authentication step on-top of a telnet session. The simple solution as I suggested above is to only permit access to the tunnel if the user can authentication to the ssh server. You could get a similar result with a VPN between the clients and the SSH server.



I am not sure about the exactly nature of whatever this tunnel is providing, but you could setup an account on the SSH server. Then configure this account to automatically run telnet to connect to this tunneled connection.




So you might do something like create an account tunnelaccess then add something like this to your sshd_config. So whenever a user logs in as tunnelaccess the command to connect to the remote tunnel would immediately happen.



  Match User username
AllowTCPForwarding no
X11Forwarding no
ForceCommand connect tunnel # replace with tool to connect to tunnel

No comments:

Post a Comment

linux - How to SSH to ec2 instance in VPC private subnet via NAT server

I have created a VPC in aws with a public subnet and a private subnet. The private subnet does not have direct access to external network. S...