I am asking here because this is the list most likely to have the answer that I am currently a member of.

I am trying to do something a bit more complex than this, but I will simplify because I am confident that if I solve the simpler case, I will have no problem with the more difficult case.

So, here is the setup.

Shorewall box with 2 interfaces, public and loc.

2 linux boxes sitting in loc and each running sshd.

I want to be able to ssh into either box in loc, or the shorewall box which is also running sshd.

DNAT net loc:192.168.10.22:22 tcp 2022
DNAT net loc:192.168.10.23:22 tcp 2023

Here is the problem. Let's say I have already ssh'd into the shorewall box. When I try to ssh into one of the other boxes, my ssh client complains about a man in the middle attack and aborts. If I delete the shorewall box's info from the known_hosts file then I can reach another box.

Does anyone know of a clean and safe way to do what I want that does not entail constantly editing the known_hosts file on the outside box running the ssh client?

all the best,

drew
On 29 Apr 2004 at 16:41, techz wrote:

> I am asking here because this is the list most likely to have the
> answer that I am currently a member of.
>
> I am trying to do something a bit more complex than this, but I will
> simplify because I am confident that if I solve the simpler case, I will
> have no problem with the more difficult case.
>
> So, here is the setup.
>
> Shorewall box with 2 interfaces, public and loc.
>
> 2 linux boxes sitting in loc and each running sshd.
>
> I want to be able to ssh into either box in loc, or the shorewall box
> which is also running sshd.
>
> DNAT net loc:192.168.10.22:22 tcp 2022
> DNAT net loc:192.168.10.23:22 tcp 2023
>
> Here is the problem. Let's say I have already ssh'd into the shorewall
> box. When I try to ssh into one of the other boxes, my ssh client
> complains about a man in the middle attack and aborts. If I delete the
> shorewall box's info from the known_hosts file then I can reach
> another box.

Are you trying to connect to .22 from a ssh session in the shorewall box, or from another session on the machine where you are sitting?

If the latter (another session), use your hosts file to create another name for the shorewall box (because that's how things are stored in known_hosts). So when you ssh to shorewall:2022 it looks up shorewall's key in known_hosts and it does not match what .22 is sending.

But if you connect to shorewall-alias:2022 it will store that key under a different key in known_hosts.

On the other hand .....
If you are sitting in a ssh shell prompt on the shorewall box and try to connect directly to 192.168.10.22 on port 22 you should have no problem. I do this all the time. You might have a problem trying to connect again to shorewall-box:2022, in this case, but why would you do that?

-- 
John Andersen
NORCOM / Juneau, Alaska
http://www.screenio.com/
(907) 790-3386

John S. Andersen
NORCOM mailto:JAndersen@norcomsoftware.com
Juneau, Alaska
http://www.screenio.com/
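John's explanation turns on how the ssh client files host keys. The Python model below is an added example for this thread, not code from Shorewall or OpenSSH; it reproduces the known_hosts lookup in simplified form so the three outcomes can be seen side by side: a client that keys on the bare hostname whatever the port (the collision Drew hit), the /etc/hosts alias John proposes, and a client that files non-22 ports as "[host]:port" (OpenSSH 4.0 onwards), which is why the same DNAT layout does not trip newer clients. The host names and keys in it are constructed sample values, and the hashed-pattern branch follows the HashKnownHosts format, "|1|base64(salt)|base64(HMAC-SHA1(salt, host))". The modern equivalent of the hosts-file alias is the HostKeyAlias option in ssh_config, which changes the label in the same way.

```python
"""Model of how an OpenSSH client keys its known_hosts lookups.

Added example for this thread, not code from Shorewall or OpenSSH. Each
known_hosts line is "host-patterns keytype base64-key"; patterns are comma
separated; a host on a port other than 22 is written "[host]:port" (newer
clients; older ones, like the one in the thread, used the bare hostname
for every port); a hashed pattern is "|1|b64(salt)|b64(hmac-sha1(salt, host))".
All host names and keys below are constructed sample values.
"""
import base64
import hashlib
import hmac
import os

SSH_PORT = 22


def host_label(host, port, legacy=False):
    """Name under which the client files the key for host:port."""
    if legacy or port == SSH_PORT:
        return host
    return "[%s]:%d" % (host, port)


def hash_host_pattern(label, salt=None):
    """Build a HashKnownHosts-style pattern for a label (random salt if none given)."""
    salt = os.urandom(20) if salt is None else salt
    mac = hmac.new(salt, label.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def pattern_matches(pattern, label):
    """True if a known_hosts host pattern (plain or hashed) names this label."""
    if pattern.startswith("|1|"):
        _, _, salt_b64, mac_b64 = pattern.split("|")
        salt = base64.b64decode(salt_b64)
        mac = hmac.new(salt, label.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, base64.b64decode(mac_b64))
    return pattern == label


def parse_known_hosts(text):
    """Yield (patterns, keytype, key) for each usable line.
    Comment lines and marker lines (@cert-authority, @revoked) are skipped, not modelled."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith(("#", "@")):
            continue
        yield parts[0].split(","), parts[1], parts[2]


def check_host_key(known_hosts, host, port, keytype, presented_key, legacy=False):
    """Classify the key a server presents: 'match', 'mismatch' (the
    man-in-the-middle abort from the thread) or 'unknown' (first contact)."""
    label = host_label(host, port, legacy)
    for patterns, ktype, key in parse_known_hosts(known_hosts):
        if ktype != keytype:
            continue
        if any(pattern_matches(p, label) for p in patterns):
            return "match" if key == presented_key else "mismatch"
    return "unknown"


def learn_host_key(known_hosts, host, port, keytype, key, legacy=False):
    """Return known_hosts with the entry the client appends after the user accepts a key."""
    line = "%s %s %s" % (host_label(host, port, legacy), keytype, key)
    return (known_hosts.rstrip("\n") + "\n" + line + "\n") if known_hosts else line + "\n"


# Constructed sample keys: the firewall's own sshd and the box at 192.168.10.22.
KEY_FIREWALL = "AAAAB3NzaC1yc2E-constructed-firewall-key"
KEY_LOC22 = "AAAAB3NzaC1yc2E-constructed-loc22-key"


def thread_scenario():
    """Replay the thread: firewall key already stored under 'shorewall', then
    shorewall:2022, which DNAT hands to .22, presents a different key."""
    kh = learn_host_key("", "shorewall", 22, "ssh-rsa", KEY_FIREWALL, legacy=True)
    old_client = check_host_key(kh, "shorewall", 2022, "ssh-rsa", KEY_LOC22, legacy=True)
    # John's workaround: a second /etc/hosts name for the same address gives .22 its own entry.
    alias = check_host_key(kh, "shorewall-alias", 2022, "ssh-rsa", KEY_LOC22, legacy=True)
    # A client that files "[host]:port" never collides with the port-22 entry.
    new_client = check_host_key(kh, "shorewall", 2022, "ssh-rsa", KEY_LOC22)
    return old_client, alias, new_client


if __name__ == "__main__":
    print(thread_scenario())  # ('mismatch', 'unknown', 'unknown')
```

The "unknown" results are the first-contact prompt: once the user accepts, the key is filed under the alias (or under "[shorewall]:2022") and later connections to either port match their own entry. The mismatch result is the only one that aborts, and it is the check worth keeping: with DNAT in front of several sshds, each forwarded port really is a different server, so the client must be able to tell them apart by label rather than be taught to ignore the warning.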
techz wrote:
>
> I am asking here because this is the list most likely to have the answer that
> I am currently a member of.
>
> I am trying to do something a bit more complex than this, but I will simplify
> because I am confident that if I solve the simpler case, I will have no problem
> with the more difficult case.
>
> So, here is the setup.
>
> Shorewall box with 2 interfaces, public and loc.
>
> 2 linux boxes sitting in loc and each running sshd.
>
> I want to be able to ssh into either box in loc, or the shorewall box which
> is also running sshd.
>
> DNAT net loc:192.168.10.22:22 tcp 2022
> DNAT net loc:192.168.10.23:22 tcp 2023
>
> Here is the problem. Let's say I have already ssh'd into the shorewall box.
> When I try to ssh into one of the other boxes, my ssh client complains about
> a man in the middle attack and aborts. If I delete the shorewall box's info
> from the known_hosts file then I can reach another box.
>
> Does anyone know of a clean and safe way to do what I want that does not
> entail constantly editing the known_hosts file on the outside box running the
> ssh client?
>
> all the best,
>
> drew

Drew,

That seems to be a bit more complicated than need be, which also leads to unnecessary confusion. You may have your reasons for doing so, but preferably I would use a single point of entry, like port forwarding to one of those 2 boxes on the inside, for example:

DNAT net loc:192.168.10.22 tcp 22

Just use a normal user account and harden the sshd_config file. If you are only going to use a few predefined IPs from the outside, just place them after the "net" with a bracket separated by a comma, net:ip1,ip2. You then decide how to access the shorewall box + the other internal machine with separate user accounts and/or use "su". You could even log on as root directly to the shorewall box. This way you can keep separate keys for each account/logon; you can even use the same key if you have the same account on all three. Your choice..

Regards,
-- 
Patrick Benson
Stockholm, Sweden
His reason for having

DNAT net loc:192.168.10.22:22 tcp 2022

is because of him running sshd on the firewall itself too. Thus your suggestion of using port forwarding will disallow access to sshd on the firewall itself.

Regards,
Jason

-----Original Message-----
From: shorewall-users-bounces@lists.shorewall.net [mailto:shorewall-users-bounces@lists.shorewall.net] On Behalf Of Patrick Benson
Sent: Friday, April 30, 2004 8:30 AM
To: Mailing List for Shorewall Users
Cc: techz
Subject: Re: [Shorewall-users] Oddball ssh setup

techz wrote:
>
> I am asking here because this is the list most likely to have the answer that
> I am currently a member of.
>
> I am trying to do something a bit more complex than this, but I will simplify
> because I am confident that if I solve the simpler case, I will have no problem
> with the more difficult case.
>
> So, here is the setup.
>
> Shorewall box with 2 interfaces, public and loc.
>
> 2 linux boxes sitting in loc and each running sshd.
>
> I want to be able to ssh into either box in loc, or the shorewall box which
> is also running sshd.
>
> DNAT net loc:192.168.10.22:22 tcp 2022
> DNAT net loc:192.168.10.23:22 tcp 2023
>
> Here is the problem. Let's say I have already ssh'd into the shorewall box.
> When I try to ssh into one of the other boxes, my ssh client complains about
> a man in the middle attack and aborts. If I delete the shorewall box's info
> from the known_hosts file then I can reach another box.
>
> Does anyone know of a clean and safe way to do what I want that does not
> entail constantly editing the known_hosts file on the outside box running the
> ssh client?
>
> all the best,
>
> drew

Drew,

That seems to be a bit more complicated than need be, which also leads to unnecessary confusion.

You may have your reasons for doing so, but preferably I would use a single point of entry, like port forwarding to one of those 2 boxes on the inside, for example:

DNAT net loc:192.168.10.22 tcp 22

Just use a normal user account and harden the sshd_config file. If you are only going to use a few predefined IPs from the outside, just place them after the "net" with a bracket separated by a comma, net:ip1,ip2. You then decide how to access the shorewall box + the other internal machine with separate user accounts and/or use "su". You could even log on as root directly to the shorewall box. This way you can keep separate keys for each account/logon; you can even use the same key if you have the same account on all three. Your choice..

Regards,
-- 
Patrick Benson
Stockholm, Sweden

_______________________________________________
Shorewall-users mailing list
Post: Shorewall-users@lists.shorewall.net
Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
Support: http://www.shorewall.net/support.htm
FAQ: http://www.shorewall.net/FAQ.htm
Jason Png wrote:
> His reason for having
>
> DNAT net loc:192.168.10.22:22 tcp 2022
>
> is because of him running sshd on the firewall itself too.
>
> Thus your suggestion of using port forwarding will disallow access to sshd
> on the firewall itself.
>

I personally only open *ONE* sshd to the internet (one of my internal systems). While on the road, once I have established a connection to that internal system, I can launch additional sessions to other systems as needed.

-Tom
-- 
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
Tom Eastep wrote:
>
> Jason Png wrote:
>
> > His reason for having
> >
> > DNAT net loc:192.168.10.22:22 tcp 2022
> >
> > is because of him running sshd on the firewall itself too.
> >
> > Thus your suggestion of using port forwarding will disallow access to sshd
> > on the firewall itself.
> >
>
> I personally only open *ONE* sshd to the internet (one of my internal
> systems). While on the road, once I have established a connection to
> that internal system, I can launch additional sessions to other systems
> as needed.

That's exactly what I was suggesting...... :-)

Opening up several points of entry from the net is courting disaster.

-- 
Patrick Benson
Stockholm, Sweden
Thanks to everyone who replied.

The situation I envisioned was a bit more complicated than the one I described. I just felt that by solving the situation I described, I would easily be able to solve the situation I had in mind.

Actually, I wanted to be able to give access to a semi-trusted (ie, not of our organization) third party to a box sitting behind two shorewall firewalls, from which they could telnet to another box behind the same two firewalls.

Talking it over with a friend last night, we came up with another solution which I have just tested and it looks like it will work. I set up an account on each of the firewalls for this person. On the first firewall, the shell for the user is a script which sshes into the second firewall. On the second firewall, the shell for the user is a script which telnets into the other box. This saves me from the problem I was having and also from the need to set up a new box and give a shell account on it to the person in question.

I do feel like the idea given below wrt the hosts files would also solve the problem I was having and would have allowed my original idea to work, although, thinking about the whole thing now, since the third party would have no cause to hit the box on port 22, it may be that I was trying to solve a problem that only existed in testing and would not have come up in production.

In any case, I feel like it was worth my time and hope I did not cause anyone unnecessary trouble.

On Thursday 29 April 2004 07:29 pm, you wrote:
> On 29 Apr 2004 at 16:41, techz wrote:
> > I am asking here because this is the list most likely to have the
> > answer that I am currently a member of.
> >
> > I am trying to do something a bit more complex than this, but I will
> > simplify because I am confident that if I solve the simpler case, I will
> > have no problem with the more difficult case.
> >
> > So, here is the setup.
> >
> > Shorewall box with 2 interfaces, public and loc.
> >
> > 2 linux boxes sitting in loc and each running sshd.
> >
> > I want to be able to ssh into either box in loc, or the shorewall box
> > which is also running sshd.
> >
> > DNAT net loc:192.168.10.22:22 tcp 2022
> > DNAT net loc:192.168.10.23:22 tcp 2023
> >
> > Here is the problem. Let's say I have already ssh'd into the shorewall
> > box. When I try to ssh into one of the other boxes, my ssh client
> > complains about a man in the middle attack and aborts. If I delete the
> > shorewall box's info from the known_hosts file then I can reach
> > another box.
>
> Are you trying to connect to .22 from a ssh session in the
> shorewall box, or from another session on the
> machine where you are sitting?
>
> If the latter, (another session) use your hosts file to create another
> name for the shorewall box, (because that's how things are stored
> in known hosts). So when you ssh to shorewall:2022 it looks up
> shorewall's key in known hosts and it does not match what
> .22 is sending.
>
> But if you connect to shorewall-alias:2022 it will store that
> key under a different key in known hosts.
>
> On the other hand .....
> If you are sitting in a ssh shell prompt on shorewall box
> and try to connect directly to 192.168.10.22 on port
> 22 you should have no problem.
> I do this all the time.
> You might have a problem trying to connect again to
> shorewall-box:2022, in this case, but why would you
> do that?
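Drew's relay-shell arrangement, with the checks a practitioner would want around it, as an added Python example (not the script from the thread; the relay user, the second firewall's name and the key path are assumed): the account's login shell ignores whatever command the caller asked for and always exec's one interactive ssh to the next hop, with agent and port forwarding off, the escape character disabled, and a pinned known_hosts so the same host-key check that started this thread still protects the hop.

```python
"""Restricted login shell for a relay account on the first firewall.

Added example for the setup in Drew's last message, not the script he
wrote. The account's shell does exactly one thing: open an interactive
ssh session to the next hop. RELAY user, next-hop host and key path are
assumed names.
"""
import os
import sys

NEXT_HOP_USER = "relay"                  # assumed account on the second firewall
NEXT_HOP_HOST = "fw2.example.internal"   # assumed name of the second firewall
RELAY_HOME = "/home/relay"               # assumed home of the relay account on this box


def next_hop_argv():
    """argv for the hop. Every option is a standard OpenSSH client option:
    a fixed identity, a private known_hosts that holds only the second
    firewall's key (so a changed key still aborts instead of prompting),
    no agent or port forwarding, and no '~' escape sequences, which would
    otherwise let the session open forwards or drop to a local shell."""
    return [
        "ssh",
        "-i", os.path.join(RELAY_HOME, ".ssh", "id_next_hop"),
        "-o", "UserKnownHostsFile=" + os.path.join(RELAY_HOME, ".ssh", "known_hosts"),
        "-o", "StrictHostKeyChecking=yes",
        "-o", "ForwardAgent=no",
        "-o", "ClearAllForwardings=yes",
        "-o", "EscapeChar=none",
        "-l", NEXT_HOP_USER,
        NEXT_HOP_HOST,
    ]


def accept_login(argv):
    """sshd runs a login shell as 'shell -c <command>' for scp, sftp and
    remote commands. The relay account exists only for the interactive
    hop, so anything beyond the bare shell name is refused."""
    return len(argv) <= 1


def main(argv=None):
    argv = sys.argv if argv is None else argv
    if not accept_login(argv):
        sys.stderr.write("relay account: remote commands are not permitted\n")
        return 1
    hop = next_hop_argv()
    os.execvp(hop[0], hop)  # replaces this process; nothing runs after a successful exec


if __name__ == "__main__":
    sys.exit(main())
```

Install it as the relay account's shell, give that account its own key pair for the hop, and seed the private known_hosts with the second firewall's key before the third party ever logs in; the second firewall's relay account gets the same treatment for its own next hop. Because a custom shell is invoked with arguments only when a command was requested, the argv check is what stops the account being used for file transfer or one-off commands rather than the session it was created for.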