{"id":186,"date":"2010-02-13T02:31:22","date_gmt":"2010-02-13T07:31:22","guid":{"rendered":"http:\/\/ebixio.com\/blog\/?p=186"},"modified":"2010-02-13T02:31:22","modified_gmt":"2010-02-13T07:31:22","slug":"tunneling-ssh-option-1","status":"publish","type":"post","link":"http:\/\/ebixio.com\/blog\/2010\/02\/13\/tunneling-ssh-option-1\/","title":{"rendered":"Tunneling ssh &#8211; option 1"},"content":{"rendered":"<p>See the <a href=\"http:\/\/ebixio.com\/blog\/2010\/02\/13\/tunneling-ssh-over-an-http-proxy\/\">previous post<\/a> for an explanation of what we&#8217;re trying to accomplish.<\/p>\n<p>This is a diagram of what the setup looks like. The numbers shown are the TCP ports used by the various components.<\/p>\n<p><div id=\"attachment_210\" style=\"width: 367px\" class=\"wp-caption aligncenter\"><a href=\"http:\/\/ebixio.com\/blog\/wp-content\/uploads\/2010\/02\/SSH-1.png\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-210\" src=\"http:\/\/ebixio.com\/blog\/wp-content\/uploads\/2010\/02\/SSH-1.png\" alt=\"SSH directly through Stunnel\" title=\"SSH-1\" width=\"357\" height=\"186\" class=\"size-full wp-image-210\" srcset=\"http:\/\/ebixio.com\/blog\/wp-content\/uploads\/2010\/02\/SSH-1.png 357w, http:\/\/ebixio.com\/blog\/wp-content\/uploads\/2010\/02\/SSH-1-300x156.png 300w\" sizes=\"auto, (max-width: 357px) 100vw, 357px\" \/><\/a><p id=\"caption-attachment-210\" class=\"wp-caption-text\">SSH directly through Stunnel<\/p><\/div><\/p>\n<p>Start by creating a certificate and key to be used by Stunnel (or reuse the web server certificate if you already have one).<\/p>\n<p>Configure Stunnel on the server (<code lang=\"bash\" inline=\"on\">\/etc\/stunnel\/stunnel.conf<\/code>) as follows:<\/p>\n\r\n<pre class=\"brush: plain; title: ; notranslate\" title=\"\">\r\ncert = \/etc\/ssl\/certs\/home.com.crt\r\nkey = \/etc\/ssl\/private\/home.com.key\r\nsslVersion = SSLv3\r\n\r\nchroot = \/var\/lib\/stunnel4\/\r\nsetuid = stunnel4\r\nsetgid = 
stunnel4\r\n; PID is created inside chroot jail\r\npid = \/stunnel4.pid\r\n\r\n; Service-level configuration\r\n&#x5B;stunnel-ssh]\r\naccept  = 70\r\nconnect = 22\r\n<\/pre>\r\n\r\nAlso on the server, configure libwrap in <code lang=\"bash\" inline=\"on\">\/etc\/hosts.allow<\/code>:\r\n<pre class=\"brush: plain; title: ; notranslate\" title=\"\">\r\nstunnel-ssh: ALL\r\n<\/pre>\r\n\r\nOn the client PC, this is the proxytunnel command line you'll need to use:\r\n<pre class=\"brush: plain; title: ; notranslate\" title=\"\">\r\nC:\\&gt;proxytunnel.exe -p proxy.work.com:1080 -d home.com:70 -a 70\r\n<\/pre>\r\n\r\nConfigure the work.com (client-side) stunnel:\r\n<pre class=\"brush: plain; title: ; notranslate\" title=\"\">\r\nsslVersion = SSLv3\r\n\r\n; Use it for client mode\r\nclient = yes\r\n\r\n&#x5B;stunnel-ssh]\r\naccept\t= 22\r\nconnect\t= 70\r\n<\/pre>\r\n\r\n<p>Restart stunnel on the server side, and open up port 70 on the firewall.<\/p>\n<p>On the client side:<\/p>\n<ol>\n<li>Start proxytunnel using the command shown above.<\/li>\n<li>Start stunnel. If the stunnel.conf file is in the default location, no command line arguments are needed. If not, pass the path to the config file as a command line argument to stunnel.<\/li>\n<li>Start your ssh client and connect to 127.0.0.1:22.<\/li>\n<\/ol>\n<p>Here&#8217;s what&#8217;s going on:<\/p>\n<ul>\n<li>The ssh client connects to port 22 on the localhost.<\/li>\n<li>Stunnel is listening on port 22 on the localhost, so it receives that connection and sends it on to port 70, also on the localhost.<\/li>\n<li>ProxyTunnel is listening on port 70, so it takes that connection from Stunnel and sends it to home.com:70 through proxy.work.com:1080.<\/li>\n<li>Stunnel is listening on port 70 at home.com and when it receives the connection from Apache, it sends it to port 22 on home.com.<\/li>\n<li>Finally, sshd is listening on home.com:22, so it receives the connection from Stunnel, allowing the user to log in.<\/li>\n<\/ul>\n<p>This is by no means optimal. 
Packets are encrypted twice: once by ssh and once by stunnel. In the end though, if you have no other option, this should work.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>See the previous post for an explanation of what we&#8217;re trying to accomplish. This is a diagram of what the setup looks like. The numbers shown are the TCP ports used by the various components. Start by creating a certificate and key to be used by Stunnel (or reuse the web server certificate if you [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[1],"tags":[12,27,28],"class_list":["post-186","post","type-post","status-publish","format-standard","hentry","category-uncategorized","tag-linux","tag-ssh","tag-tunnel"],"_links":{"self":[{"href":"http:\/\/ebixio.com\/blog\/wp-json\/wp\/v2\/posts\/186","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/ebixio.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/ebixio.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/ebixio.com\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"http:\/\/ebixio.com\/blog\/wp-json\/wp\/v2\/comments?post=186"}],"version-history":[{"count":15,"href":"http:\/\/ebixio.com\/blog\/wp-json\/wp\/v2\/posts\/186\/revisions"}],"predecessor-version":[{"id":218,"href":"http:\/\/ebixio.com\/blog\/wp-json\/wp\/v2\/posts\/186\/revisions\/218"}],"wp:attachment":[{"href":"http:\/\/ebixio.com\/blog\/wp-json\/wp\/v2\/media?parent=186"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/ebixio.com\/blog\/wp-json\/wp\/v2\/categories?post=186"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/ebixio.com\/blog\/wp-json\
/wp\/v2\/tags?post=186"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}