Fedora Linux Support Community & Resources Center
  #1  
Old 18th April 2004, 02:50 PM
ozzy_cow Offline
Registered User
 
Join Date: Apr 2004
Posts: 13
encrypted tunnel

Hi,
One of my computers is behind a NAT firewall and I would like to get ssh access to it. The problem is that the actual firewall is at the ISP, and I didn't have any luck getting a static local IP, or even getting them to forward some ports.

What I do now is start an ssh session to my webserver from the computer behind the firewall and forward a port, say 10000. Then from home, I connect to the webserver and then ssh to localhost on port 10000. This is not very efficient, because I have to be logged in and have the ssh session up.

My Fedora comes with something called CIPE encrypted tunnel service. Could I use this to "tunnel" to my Linux webserver?

Maybe there is a better solution than that, like starting the ssh tunnel at boot or something.

Thank you for your help

Oz
Reply With Quote
  #2  
Old 20th April 2004, 06:59 AM
ieatlint Offline
Registered User
 
Join Date: Mar 2004
Location: Northern California
Posts: 31
CIPE is something else...

What you are doing is the best solution... Seems stupid, but unless you can forward ports, you'll need to continue with ssh port forwarding.

If your link to your webserver is unstable, and your ssh session dies on occasion, you can set up key authentication to automatically re-establish the link if and when it fails....
Reply With Quote
  #3  
Old 20th April 2004, 01:57 PM
ozzy_cow Offline
Registered User
 
Join Date: Apr 2004
Posts: 13
Thank you for your help.

Is there a way to do it automatically, so I don't have to have terminal windows open?

Maybe I can set up a VPN or something.
Reply With Quote
  #4  
Old 20th April 2004, 06:42 PM
ieatlint Offline
Registered User
 
Join Date: Mar 2004
Location: Northern California
Posts: 31
There is... but it's kind of a cheap hack.

First you'll need to set up ssh key authentication.
Run:
`ssh-keygen -b 1024 -t dsa`
Don't enter a passphrase (just press enter a couple times).

That will make id_dsa and id_dsa.pub.
Move the id_dsa file to ~/.ssh/id_dsa
Then, add the contents of id_dsa.pub to ~/.ssh/authorized_keys on the server you're connecting to. (Just copy the file to that filename if you're creating that file).

You will no longer be prompted for a password when connecting to that computer now.
To prevent a login shell from occurring, simply add this to your ssh client command:
"while true; do true; done"
Which will just give you an everlasting loop, and immediately detect when/if the connection dies (there's probably a better way to do this... hell, you can write something in php or c in 2min). You can then run the ssh client with a script like:

#!/bin/sh
# The remote command follows the host name (ssh's -e option sets the escape character).
while true; do
    ssh -l root -C 127.0.0.1 "while true; do true; done"
done
#EOF

That will re-create the connection whenever it dies (but killing the script will stop it... SIGINT will work as well).

You could actually turn this into a redhat service.. wouldn't be too hard and you could then start/stop it with like "service sshtunnel start" .....

If you're interested in how to do that, I can provide pretty simple instructions..
Reply With Quote
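A sturdier form of the reconnect loop above, as an added example that is not part of the original posts: `-N` replaces the remote busy loop, keepalive options detect a dead link, and the `authorized_keys` entry on the relay limits the passphrase-less key to holding the forwarded port. The relay host, account name and key path are assumed placeholders, and `restrict` with `permitlisten` needs OpenSSH 7.8 or later on the relay.

```shell
#!/bin/sh
# Added example (not from the thread). Host, account and key path are
# assumed placeholders; port 10000 is the one used in the first post.
RELAY_HOST="webserver.example.org"   # assumed: the reachable web server
RELAY_USER="tunnel"                  # assumed: unprivileged account on it
RELAY_PORT=10000
KEY="/etc/sshtunnel/identity"        # assumed path, no spaces allowed

# ssh arguments for a forward-only session: no remote command, no shell.
# BatchMode fails instead of prompting; ExitOnForwardFailure makes ssh exit
# when the listener cannot be bound, so the loop below retries.
tunnel_args() {
    printf '%s ' -N -i "$KEY" \
        -o BatchMode=yes \
        -o ExitOnForwardFailure=yes \
        -o ServerAliveInterval=30 \
        -o ServerAliveCountMax=3 \
        -R "127.0.0.1:${RELAY_PORT}:127.0.0.1:22"
    printf '%s\n' "${RELAY_USER}@${RELAY_HOST}"
}

# authorized_keys line for the relay account: the key may only hold the
# listener on RELAY_PORT; no pty, no agent/X11 forwarding, no usable shell.
authorized_keys_line() {   # $1 = contents of the .pub file
    printf 'restrict,port-forwarding,permitlisten="%s",command="/bin/false" %s\n' \
        "$RELAY_PORT" "$1"
}

# Reconnect loop; the sleep avoids hammering the relay while it is down.
run_tunnel() {
    while true; do
        # Word splitting is intended: tunnel_args emits space-free tokens.
        ssh $(tunnel_args)
        sleep 10
    done
}

case "${1:-}" in
    run) run_tunnel ;;
    key) authorized_keys_line "$2" ;;
esac
```

Run it with `run` on the machine behind NAT; `key "$(cat identity.pub)"` prints the line to place in the relay account's `~/.ssh/authorized_keys`.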
  #5  
Old 20th April 2004, 09:56 PM
ozzy_cow Offline
Registered User
 
Join Date: Apr 2004
Posts: 13
I would be very interested in your instructions on how to turn a shell script into redhat service.

In the meantime I'm trying to get openvpn to work. That would solve my other problem I'm having, described in this post
Reply With Quote
  #6  
Old 21st April 2004, 12:15 AM
ieatlint Offline
Registered User
 
Join Date: Mar 2004
Location: Northern California
Posts: 31
First I'd like to point out a mistake I made. The id_dsa file should be named simply "identity" in the same directory as noted above ... oops. Been a while since I set up ssh key auth, so if I made any other mistakes, other people are encouraged to chime in and point them out.

As for the service...

It's actually pretty simple. Here is an example script I setup to run mysql 4 as a redhat service:

/etc/init.d/mysql

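#!/bin/sh
# chkconfig: 35 91 35
# description: MySQL

# Start the server in the background as the mysql user.
start() {
    /usr/local/mysql/bin/mysqld_safe --user=mysql &
}

# Stop every running mysqld process.
stop() {
    killall mysqld
}

case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    restart)
        # Stop the old instance before starting a new one.
        stop
        start
        ;;
    *)
        echo $"Usage: $0 {start|restart|stop}"
        ;;
esac
#eof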

The 2 comments immediately below the #!/bin/bash are required! They are interpreted by chkconfig when you set up the service. The 35 indicates that it is to run in init levels 3 and 5 (which is probably what you'd want as well). The other 2 values are start and stop priorities. What I have there should be good enough -- it will be started after networking is up and running. See the man page for chkconfig for more info.

Test the script by running it like...
/etc/init.d/mysql
Will work exactly like it does when you type "service mysql"
If it's working.. type
chkconfig --add mysql
And all done, it's a service.

NOTE that if you set up ssh key auth as I instructed above, you set it up for 1 user, which is not the user that will be running this script. So, you'll want to add the following argument to the ssh client when it's executed:
-i /path/to/identity

I realize this has been written a bit rough... it is enough basic information to get someone started, you'll just need to smooth out the edges. See other services and google.com for reference on getting them all working...
Reply With Quote
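What the `# chkconfig: 35 91 35` header described above turns into, as an added example that is not part of the original post: the functions read the header and list the start (`S`) and kill (`K`) links that `chkconfig --add` creates under `/etc/rc.d/`. The service name and sample header are taken from the post; the function names are made up for this example.

```shell
#!/bin/sh
# Added example (not from the thread): derive the rcN.d links implied by the
# "# chkconfig: <levels> <start> <stop>" header of an init script.

# Print "<levels> <start> <stop>" from an init script read on stdin.
# A levels field of "-" (start in no runlevel by default) is accepted too.
chkconfig_header() {
    sed -n 's/^#[[:space:]]*chkconfig:[[:space:]]*\([-0-6]\{1,\}\)[[:space:]]\{1,\}\([0-9]\{1,\}\)[[:space:]]\{1,\}\([0-9]\{1,\}\).*/\1 \2 \3/p' |
        head -n 1
}

# Print link names (relative to /etc/rc.d/) for service $1 with header
# fields $2 $3 $4: S<start><name> in the listed runlevels, K<stop><name>
# in every other runlevel, so each runlevel has exactly one entry.
rc_links() {
    name=$1
    levels=$2
    start=${3#0}   # drop one leading zero so printf does not read octal
    stop=${4#0}
    for lvl in 0 1 2 3 4 5 6; do
        case "$levels" in
            *"$lvl"*) printf 'rc%s.d/S%02d%s\n' "$lvl" "$start" "$name" ;;
            *)        printf 'rc%s.d/K%02d%s\n' "$lvl" "$stop" "$name" ;;
        esac
    done
}

# Constructed sample: the first lines of the script shown in the post.
SAMPLE='#!/bin/sh
# chkconfig: 35 91 35
# description: MySQL'

# Links for the sample header: started in runlevels 3 and 5 only.
links_for_sample() {
    set -- $(printf '%s\n' "$SAMPLE" | chkconfig_header)
    rc_links mysql "$1" "$2" "$3"
}
```

The two-digit number fixes ordering within a runlevel, which is how a start priority of 91 places the service after networking.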
  #7  
Old 21st April 2004, 03:11 AM
ozzy_cow Offline
Registered User
 
Join Date: Apr 2004
Posts: 13
Thank you for your reply, I'm going to play with this within a couple of days.

I've set up ssh key authentication before, that's how I log in to my dev box
Reply With Quote