Difference between revisions of "Reverse ssh bridge"
From mn.fysikk.laglivlab
(Started reverse ssh brigde) |
(Added ssh config file description) |
||
| Line 2: | Line 2: | ||
At UiO, for security reasons, the computers which are not managed by the university should be placed on a separate network which is "deeper", it is called the 802.1X network, .1X in short. Some of our computational resources (fys-lab-flow, datacenter computer…) are on this network. | At UiO, for security reasons, the computers which are not managed by the university should be placed on a separate network which is "deeper", it is called the 802.1X network, .1X in short. Some of our computational resources (fys-lab-flow, datacenter computer…) are on this network. | ||
As of now (Nov. 2023), it is no longer possible to ssh a computer on the .1X from a computer which is not on the .1X, which means that it is '''not''' possible to connect to fys-lab-flow from login. But, the inverse is possible: fys-lab-flow can connect to login. | As of now (Nov. 2023), it is no longer possible to ssh a computer on the .1X from a computer which is not on the .1X, which means that it is '''not''' possible to connect to fys-lab-flow from login. But, the inverse is possible: fys-lab-flow can connect to login. | ||
| − | As an SSH connection works both ways once connected (the remote computer can send information to the connecting computer), a way to connect to computers on the .1X network is to keep an SSH connection from the computer on the .1X and login | + | As an SSH connection works both ways once connected (the remote computer can send information to the connecting computer), a way to connect to computers on the .1X network is to keep an SSH connection from the computer on the .1X and login and use this connection on ''reverse'' so that this connection can be accessed from login. |
== Setting up a reverse ssh bridge == | == Setting up a reverse ssh bridge == | ||
| + | * Setup: | ||
| + | ** Your username on login is UiOusername | ||
| + | ** Your username on the .1X machine is Xusername | ||
| + | * Ideally SSH keys should be set between the .1X and login. So you should be able to access login from the .1X computer by typing ''ssh UiOusername@login.uio.no'' and get the connection without typing your password. | ||
| + | * On the .1X computer, a reverse SSH bridge can be started by the command: ''ssh -v -N -R 2225:localhost:22 UiOusername@login.uio.no'' which will establish a reverse connection between port 22 of the .1X machine and port 2225 of the login:localhost. This script needs to keep running. | ||
| + | * On login you should now be able to connect the .1X machine by using: ''ssh Xusername@localhost -p 2225''. | ||
| + | * You can also now access the .1X machine from your computer by establishing a proxy jump on login. This is more easily set by creating configurations in the .ssh/config file. Here is an example of configuration to access login directly by typing ''ssh login'' and fys-lab-flow by jumping on login: | ||
| + | |||
| + | #### FILE BEGIN: .ssh/config | ||
| + | |||
| + | # Settings for login | ||
| + | Host login | ||
| + | User UiOusername | ||
| + | HostName login1.uio.no | ||
| + | |||
| + | # Setting for fys-lab-flow | ||
| + | Host fys-lab-flow | ||
| + | User username | ||
| + | ProxyJump UiOusername@login1.uio.no | ||
| + | HostName localhost | ||
| + | Port 2225 | ||
Revision as of 15:55, 15 November 2023
Usage of a reverse ssh bridge at UiO
At UiO, for security reasons, the computers which are not managed by the university should be placed on a separate network which is "deeper", it is called the 802.1X network, .1X in short. Some of our computational resources (fys-lab-flow, datacenter computer…) are on this network. As of now (Nov. 2023), it is no longer possible to ssh a computer on the .1X from a computer which is not on the .1X, which means that it is not possible to connect to fys-lab-flow from login. But, the inverse is possible: fys-lab-flow can connect to login. As an SSH connection works both ways once connected (the remote computer can send information to the connecting computer), a way to connect to computers on the .1X network is to keep an SSH connection from the computer on the .1X and login and use this connection on reverse so that this connection can be accessed from login.
Setting up a reverse ssh bridge
- Setup:
- Your username on login is UiOusername
- Your username on the .1X machine is Xusername
- Ideally SSH keys should be set between the .1X and login. So you should be able to access login from the .1X computer by typing ssh UiOusername@login.uio.no and get the connection without typing your password.
- On the .1X computer, a reverse SSH bridge can be started by the command: ssh -v -N -R 2225:localhost:22 UiOusername@login.uio.no which will establish a reverse connection between port 22 of the .1X machine and port 2225 of the login:localhost. This script needs to keep running.
- On login you should now be able to connect the .1X machine by using: ssh Xusername@localhost -p 2225.
- You can also now access the .1X machine from your computer by establishing a proxy jump on login. This is more easily set by creating configurations in the .ssh/config file. Here is an example of configuration to access login directly by typing ssh login and fys-lab-flow by jumping on login:
- FILE BEGIN: .ssh/config
- Settings for login
Host login User UiOusername HostName login1.uio.no
- Setting for fys-lab-flow
Host fys-lab-flow User username ProxyJump UiOusername@login1.uio.no HostName localhost Port 2225
