Florz
/
ssh-port-forwarding
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
ssh-port-forwarding/README.md

6.0 KiB
Raw Blame History

ssh-port-forwarding

(use plain openssh to do remote port forwarding)

There are many good reasons to do secure port forwarding through ssh. For example if you own two servers in different datacenters and you want to connect to a single service which is less restricted when accessed locally (e.g. port 25 for SMTP) or you want to forward a service from a system behind a firewall (e.g. a web service on your home Server).
Traditionally you would use autossh to manage permanent ssh connections. However through many hours of testing this has prooven unreliable in many ways. When connecting multiple times to the same server autossh by default uses the same ports for monitoring, which leads to the termination of at least one connection. There also were inexplicable cases when sshd remained running on the server, while the client was actually disconnected and could not restore the connection due to the broken process on the server.
Luckily opennsh made autossh redundant because it already offers built-in monitoring. No additional monitoring ports are necessary anymore. However, there are quite a few options that you should know about in order to improve security and reliability of such a setup. This is the motivation behind this tutorial.

Disclaimer

When you follow this guide, you can make otherwise protected services accessible to the public Internet (when using ssh -R). This might be an attack vector into your protected network.
When you don't set restrictions properly, an attacker might gain access to your server, either via direct shell access or through forwarding the port of your unprotected service (e.g. a database on localhost).

Server configuration

First become root through sudo su - or su -.

/etc/ssh/sshd_config

Add or change the following lines:

GatewayPorts clientspecified
ClientAliveInterval 5
ClientAliveCountMax 3

This allows any user to forward his local ports to an unprivileged public port on the server (ssh -R). You have to restrict this late on through the permitlisten variable in the authorized_keys file. The other two variables specify how often the server should send keep alive messages and how many missed messages from the client it will tolerate. The same has to be set on the client side, but there it can be done as a parameter.

special user account

on debian you can run the following:

adduser ssh-port-forwarding --system
su ssh-port-forwarding -s '/bin/bash' -c 'mkdir ~/.ssh/; chmod 700 ~/.ssh/; touch ~/.ssh/authorized_keys'

/etc/passwd should look similar to this:
ssh-port-forwarding:x:1001:65534::/home/ssh-port-forwarding:/usr/sbin/nologin
and ls -lsha ~ssh-port-forwarding/.ssh/ should look like this:

4,0K drwx------ 2 ssh-port-forwarding nogroup 4,0K 18. Feb 22:18 .
4,0K drwxr-xr-x 3 ssh-port-forwarding nogroup 4,0K 18. Feb 22:18 ..
   0 -rw-r--r-- 1 ssh-port-forwarding nogroup    0 18. Feb 22:18 authorized_keys

Configuring access rights

This is all done in /home/ssh-port-forwarding/.ssh/authorized_keys.

First use the ssh-keygen command to create a private and public key pair on the client side. Don't type any password! Then use cat ~/.ssh/id_rsa.pub to display the content of your newly created public key. After that add a new line in the authorized_keys file on the server. Use the following line as an example. Your key starts at AAAA... and this all needs to be in a single line per key.
restrict,command="",port-forwarding,permitlisten="localhost:22",permitopen="localhost:22" ssh-rsa AAAA...

  • restrict: this disables all current and future forwarding options (we will whitelist what we need)
  • command="": don't allow client to send a command, set an empty forced command instead
  • port-forwarding: allow port forwarding
  • permitlisten="localhost:22": restrict client to create (via ssh -R) port 22 on the server only, which will fail (default for security reasons)
  • permitopen="localhost:22": restrict client to access (via ssh -L) ssh port on server only (default for security reasons)

The permitopen and permitlisten options can be used multiple times in a row. The syntax is as follows:

  • permitlisten="[host:]port
    • port is the port on the server that you want to open locally or towards the Internet
    • host specifies on which interface the server should listen for incoming connections. You should either specify localhost or *
      • localhost binds the port to the loopback device and can only be used by processes on the same server
      • * allows access on all ports (e.g. from the Internet) if GatewayPorts clientspecified is set in /etc/ssh/sshd_config
  • permitopen="host:port"
    • host is the hostname or IP address of the server that your server should be allowed to connect to
    • port is the port number on the host that should be allowed to be forwarded to the client

Client side configuration

You should run the client side ssh command in a loop because it is tuned to terminate as soon as errors are detected. Don't worry, this is well tested. If you are old school you simply put this into /etc/rc.local:

#!/bin/bash

(while true; do
        ssh ...
        sleep 30
done) &
disown

exit 0

Don't forget to mark the script as executable: chmod +x /etc/rc.local

The client side ssh command looks like:
ssh ssh-port-forwarding@myserver.example.com -TNnqakx -o "TCPKeepAlive yes" -o "ServerAliveInterval 5" -o "ServerAliveCountMax 3" -o "ExitOnForwardFailure yes" -L [...] -R [...]

  • -T
  • -N
  • -n
  • -q
  • -a
  • -k
  • -x
  • -o "TCPKeepAlive yes"
  • -o "ServerAliveInterval 5"
  • -o "ServerAliveCountMax 3"
  • -o "ExitOnForwardFailure yes"
  • -4 (not shown above) is optional to foce ssh to use IPv4 only (in case of problems with IPv6)
  • -L (can be repeated multiple times)
  • -R (can be repeated multiple times)

Please beware that the hostname part in the -L and -R options must be spelled exactly the same as in the permitlisten and permitopen variables on the server ("Localhost", "localhost" and "127.0.0.1" are treated different).