[LUNI] SSH Trickery

Demetri Mouratis dmourati at cm.math.uiuc.edu
Thu Feb 8 14:47:27 CST 2007


On Thu, 8 Feb 2007, Ramin K wrote:

> Demetri Mouratis wrote:
>> On Wed, 7 Feb 2007, John Mason wrote:
>> 
>>> On Wed, Feb 07, 2007 at 04:37:01PM -0600, Demetri Mouratis wrote:
>>>> So, my question is this, is there some crafty way I can tell my client,
>>>> openssh 4.3 to do a "double ssh" for hosts in the production network,
>>>> first hopping through ops2, and then going to the production hosts in the
>>>> protected network?  I have ssh-agent forwarding enabled so this works if
>>>> I do so manually, e.g.:
>>> 
>>> ssh tunnelling. I do this everyday.
>> 
>> John,
>> 
>> Cool! That works and was close to what I had in mind.  Does the fact that I 
>> have twenty hosts and growing in this protected network reveal a solution 
>> that perhaps scales a bit better?  They're all in the same /27 netblock if 
>> that helps.
>> 
>> (I knew about ssh tunnelling but didn't think of applying it in this case. 
>> Glad I threw it out there before wasting any time.)
>> 
>> Thanks!
>
> I'd start thinking about openvpn. IIRC you can also apply security policies
> on a per-user basis, though I never bothered since engineers don't have any
> access to production and no root on staging or development either here.
>
> Connect to your openvpn server in the colo which builds a tunnel, injects 
> some routes to your machine so you know what you can get to, and then you'd 
> have free run to all the machines your policy allows.
>

No development root access for engineers, eh?  Must be nice.  I tried,
unsuccessfully, first with Eng, then with QA, but got beaten back horribly
until I just said fine.  Now I just take joy each time they screw
something up and can't figure out why.

The VPN solution is interesting as well.  I think we had that at one point 
but got rid of it. I'll hit up my boss to see what he says as the network 
guy around here.  Me, I just want to know there aren't too many hands in 
the cookie jar.  Implementation is interesting but not something I feel 
strongly about one way or the other.

Thanks again!

-D
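Added example (editor's note, not code posted by anyone on the list): the scaling question above, twenty hosts in one /27 behind ops2, is what an ssh_config Host pattern with a ProxyCommand is for. The script assumes a hypothetical bastion named ops2, a hypothetical production block 10.20.30.64/27, and an nc binary on the bastion that exits when the forwarded connection closes; none of those details come from the thread. It expands the block into an explicit Host list and emits one stanza under which every connection to a production address is tunnelled through "ssh ops2 nc %h %p". OpenSSH 4.3 predates "ssh -W" (added in 5.4) and ProxyJump (7.3), so netcat on the bastion does the forwarding. Because the client then authenticates end-to-end to the production host through that tunnel, agent forwarding to ops2 is not needed at all, and the stanza switches it off: a forwarded agent can be driven by anyone with root on the bastion for as long as the session is up, which is exactly the "too many hands in the cookie jar" worry.

```shell
#!/bin/sh
# Added example, not code from the LUNI thread. Generates an ssh_config stanza
# that routes every host in a protected netblock through a bastion.
# Assumptions (hypothetical): bastion "ops2", block 10.20.30.64/27, and an
# "nc" on ops2 that exits when the forwarded connection closes.

# expand_block BASE_IP PREFIX
# Prints every address in the block containing BASE_IP, space-separated.
# Handles prefixes of /24 and longer (enough for the thread's /27), so only
# the last octet changes; BASE_IP need not be the network address itself.
expand_block() {
  base="$1"; prefix="$2"
  net="${base%.*}"                  # first three octets
  last="${base##*.}"                # last octet
  size=$(( 1 << (32 - prefix) ))    # number of addresses in the block
  start=$(( last / size * size ))   # round down to the block boundary
  i=0; out=""
  while [ "$i" -lt "$size" ]; do
    out="$out $net.$(( start + i ))"
    i=$(( i + 1 ))
  done
  printf '%s\n' "${out# }"
}

# gen_stanza BASTION BASE_IP PREFIX
# Emits the ssh_config stanza. %%h and %%p print as %h and %p, which ssh
# expands to the target host and port when it runs the ProxyCommand.
gen_stanza() {
  bastion="$1"; base="$2"; prefix="$3"
  printf 'Host %s\n' "$(expand_block "$base" "$prefix")"
  printf '    ProxyCommand ssh -q %s nc %%h %%p\n' "$bastion"
  # Authentication to the production host runs end-to-end through the
  # tunnel, so the agent never has to be exposed on the bastion.
  printf '    ForwardAgent no\n'
}

# Usage: append the output to ~/.ssh/config; afterwards "ssh 10.20.30.70"
# hops through ops2 without any extra typing.
gen_stanza ops2 10.20.30.64 27
```

Two things to check after installing the stanza: "ssh -v 10.20.30.70" should show the ProxyCommand being executed and then a host key for the production host, not for ops2 (the client verifies the inner host's key through the tunnel, so known_hosts still protects you), and "ssh-add -l" run on the production host should fail, confirming the agent was not forwarded.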
