Differences


internal:ssh [2012/04/25 17:22]
magnum Corrected GPG signing and added ~/ to .ssh path
internal:ssh [2017/01/14 12:52] (current)
solar [How to access intranet servers]
Line 25: Line 25:
 Sometimes you will need to SSH into a server that cannot be reached directly, but can be reached via an intermediary server. ​ We have a policy to avoid cross-server logins (which would allow for a possible compromise to propagate), so running the SSH client on the intermediary server would be inappropriate. ​ Some guides on the Internet recommend the use of ssh-agent(1) on the intermediary server for this, but unfortunately it is similarly risky (it does save you from having to upload your private key, but other than that it does not achieve end-to-end encryption and it lets a possible compromise propagate). Sometimes you will need to SSH into a server that cannot be reached directly, but can be reached via an intermediary server. ​ We have a policy to avoid cross-server logins (which would allow for a possible compromise to propagate), so running the SSH client on the intermediary server would be inappropriate. ​ Some guides on the Internet recommend the use of ssh-agent(1) on the intermediary server for this, but unfortunately it is similarly risky (it does save you from having to upload your private key, but other than that it does not achieve end-to-end encryption and it lets a possible compromise propagate).
  
-The only approach allowed at Openwall is to use SSH over SSH-port-forwarding,​ which achieves end-to-end encryption and avoids the compromise propagation risk (well, as long as you have previously accepted and let your SSH client verify the ultimate target server'​s SSH host key).  To use it, you may put host entries like the following into your ''​~/​.ssh/​config''​ file:+Historically,​ the only approach allowed at Openwall is to use SSH over SSH-port-forwarding,​ which achieves end-to-end encryption and avoids the compromise propagation risk (well, as long as you have previously accepted and let your SSH client verify the ultimate target server'​s SSH host key).  To use it, you may put host entries like the following into your ''​~/​.ssh/​config''​ file:
  
 <​code>​ <​code>​
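Review bot: the tense in the changed sentence no longer agrees with the new qualifier. "Historically, the only approach allowed at Openwall is to use SSH over SSH-port-forwarding" should read "was to use" (or "has been to use"), and the unchanged tail "To use it, you may put host entries like the following into your ~/.ssh/config file:" then needs a lead-in that says this method remains acceptable but is no longer the only one, otherwise the reader reaches the config example without knowing that the alternative added at line 50 exists. Suggested wording: "Historically, the only approach allowed at Openwall was to use SSH over SSH-port-forwarding, ... This approach is still acceptable; to use it, put host entries like the following into your ~/.ssh/config file:"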
Line 50: Line 50:
  
 Please note that the ultimate target'​s hostname given in the first SSH command must be spelled the way it will resolve on the intermediate server (or you may indeed specify an IP address for greater assurance). Please note that the ultimate target'​s hostname given in the first SSH command must be spelled the way it will resolve on the intermediate server (or you may indeed specify an IP address for greater assurance).
 +
 +With newer versions of OpenSSH and/or with ''​nc''​ (netcat, ncat) available on intermediate hosts, [[https://​en.wikibooks.org/​wiki/​OpenSSH/​Cookbook/​Proxies_and_Jump_Hosts#​Passing_Through_One_or_More_Gateways_Using_ProxyJump|the ProxyJump or ProxyCommand directive may be used]]. ​ ''​ProxyJump''​ requires OpenSSH 7.3+, and ''​ProxyCommand''​ requires either OpenSSH 5.4+ or ''​nc''​ on intermediate hosts.
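Review bot: the version requirement in the added paragraph is ambiguous about where it applies. "ProxyCommand requires either OpenSSH 5.4+ or nc on intermediate hosts" reads as if the 5.4+ requirement is on the intermediate host, whereas the nc alternative clearly is; state explicitly which side (the client or the intermediate host) needs which version, and the same for the 7.3+ requirement on ProxyJump. The paragraph would also benefit from a ~/.ssh/config example in the same style as the port-forwarding entries at line 25 (a "Host target" entry with a "ProxyJump intermediate" line), and from restating that the client still verifies the ultimate target's host key end-to-end, since that is the property the page uses at line 25 to justify the port-forwarding method; the external link alone does not tell the reader which of the two directives the policy prefers or whether the anti-propagation reasoning carries over.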
internal/ssh.txt · Last modified: 2017/01/14 12:52 by solar
Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Noncommercial-Share Alike 3.0 Unported