[LUNI] SSH Trickery

Ramin K ramin-list at badapple.net
Thu Feb 8 12:04:06 CST 2007


Demetri Mouratis wrote:
> On Wed, 7 Feb 2007, John Mason wrote:
> 
>> On Wed, Feb 07, 2007 at 04:37:01PM -0600, Demetri Mouratis wrote:
>>> So, my question is this, is there some crafty way I can tell my client,
>>> openssh 4.3 to do a "double ssh" for hosts in the production network,
>>> first hopping through ops2, and then going to the production hosts in the
>>> protected network?  I have ssh-agent forwarding enabled so this works if I
>>> do so manually, e.g.:
>>
>> ssh tunnelling. I do this everyday.
> 
> John,
> 
> Cool! That works and was close to what I had in mind.  Does the fact 
> that I have twenty hosts and growing in this protected network reveal a 
> solution that perhaps scales a bit better?  They're all in the same /27 
> netblock if that helps.
> 
> (I knew about ssh tunnelling but didn't think of applying it in this 
> case. Glad I threw it out there before wasting any time.)
> 
> Thanks!

I'd start thinking about openvpn. IIRC you can also apply security 
policies on a per-user basis, though I never bothered since engineers 
don't have any access to production and no root on staging or 
development either here.

Connect to your openvpn server in the colo which builds a tunnel, 
injects some routes to your machine so you know what you can get to, and 
then you'd have free run to all the machines your policy allows.

Ramin
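Neither reply spells out the client-side ssh setup for the "double ssh" question, so here is an added example (not from the thread) in the OpenSSH 4.3 style: a POSIX sh script that enumerates the addresses of the /27 and emits one ssh_config stanza sending all of them through ops2 with ProxyCommand and nc, so the inner session is end-to-end and agent forwarding is not needed for the hop. The netblock 192.0.2.32/27 is a constructed placeholder, and nc(1) is assumed to be installed on ops2; on OpenSSH 5.4 or later `ssh -W %h:%p` replaces nc, and 7.3 or later has ProxyJump.

```shell
#!/bin/sh
# Added example, not code from the thread.  Generates an ssh_config stanza
# that routes every host of a /27 through the bastion "ops2" using
# ProxyCommand, which works with OpenSSH 4.3 (no -W, no ProxyJump yet).
# Assumptions: 192.0.2.32/27 is a constructed netblock; nc is on ops2.

# ip_to_int a.b.c.d -> the address as one integer
ip_to_int() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int_to_ip <integer> -> dotted-quad address
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# cidr_hosts <net>/<bits> -> every usable address in the block, one per line
# (the network and broadcast addresses are skipped; an unaligned input such
# as 192.0.2.40/27 is normalised to the block it belongs to)
cidr_hosts() {
    net=${1%/*}; bits=${1#*/}
    base=$(ip_to_int "$net")
    size=$(( 1 << (32 - bits) ))
    base=$(( base - base % size ))
    i=1
    while [ "$i" -lt $(( size - 1 )) ]; do
        int_to_ip $(( base + i ))
        i=$(( i + 1 ))
    done
}

# gen_ssh_config <net>/<bits> <bastion> -> ssh_config stanza on stdout.
# The inner ssh connection is tunnelled through nc on the bastion, so the
# user's keys never leave the workstation and ForwardAgent can stay off.
gen_ssh_config() {
    hosts=$(cidr_hosts "$1" | tr '\n' ' ')
    printf 'Host %s\n' "${hosts% }"
    printf '    ProxyCommand ssh -q %s nc %%h %%p\n' "$2"
    printf '    ForwardAgent no\n'
}

gen_ssh_config 192.0.2.32/27 ops2
```

Append the output to ~/.ssh/config and `ssh 192.0.2.40` then hops through ops2 transparently; add a new address to the Host line as the netblock grows.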