
RE: RE: [suse-security] SCP-proxy / SFTP-proxy wanted



Hi Christoph,

you got a clear and well-working way to
do the job. And if you have not too dumb users,
this should work.

But you mentioned something about "WI?" ;-)

So if the users need a very easy way to access
the server, you could do some real magic ;-)
(Although it is somewhat more work to implement.)


I guess outside is a system produced in Redmond.
So you need a graphical interface.
Use WinSCP.

Generate a public-private key pair with passphrase for
each user.

Put the public key in the home directory of the
Win user.
This can be opened using Pageant (PuTTY).

Put the private key on the gateway server, and implement
a single command in this key.
(e.g. ssh -l user inside-host /bin/scp ;-))

If wanted, create another public-private pair to
authenticate the second connection on inside-host.
So no more password is needed after opening
the first public key on outside with Pageant.

Use WinSCP like Explorer.

Outside hacked --> delete keys on gateway.

Most of the configuration can be distributed by mail
to the user on outside.

Didn't test exactly this configuration, but it should work.

Greetings 

      Dirk

-----Original Message-----
From:	Dr. Christoph Wegener [mailto:cwe@xxxxxxxxxxxxxxxxxxxxxx]
Sent:	Thu 17.07.2003 10:46
To:	suse-security@xxxxxxxx; Schreiner, Dirk
Cc:	
Subject:	Re: RE: [suse-security] SCP-proxy / SFTP-proxy wanted
Hi Dirk,
thanks for your suggestion - that is exactly what I was probing 
yesterday evening. First I had some probs with the port 
redirection of scp (sometimes it is -p, on another machine it 
might be -P) but now it works. And it turns out that even most 
graphical WI? clients are able to work with such a setup.

Well, I'll give you a short description of my net first:

outside -|- ssh-gateway -|- inside
         |               |
      firewall         firewall


Then I did the following:

On the outside-machine I started an ssh tunnel to our ssh-gateway:

# ssh -L 1234:<machine>.inside.net:22 <user_on_ssh_-gateway>@ssh-gateway

When the tunnel was up, I opened another session and did the 
following:

# scp -P 1234 <source-file> <user_on_inside>@localhost:<destination-file>

Works like a charm, but maybe there is an easier solution?

Thanks in advance
Christoph

16.7.2003 19:37:32, "Schreiner, Dirk" <Dirk.Schreiner@xxxxxxx> wrote:

>Hi,
>
>SCP and SFTP use SSH.
>And there will be no 
>PROXY for SSH due to the Protocol ;-)
>
>But there are some WorkArounds like Port redirect.
>You should describe exactly what you want to do,
>so we can see if this is possible.
>
>Describe the network also.
>
>Greetings
>        Dirk
>
>
>
>-----Original Message-----
>From:	Dr. Christoph Wegener [mailto:christoph.wegener@xxxxxxxxxxxxxxxxxxxxxx]
>Sent:	Wed 16.07.2003 18:01
>To:	suse-security@xxxxxxxx
>Cc:	
>Subject:	[suse-security] SCP-proxy / SFTP-proxy wanted
>Hi list,
>does somebody know a solution for a transparent SCP-proxy or
>SFTP-proxy? At the moment we are running SuSE's ftp-proxy but I
>want to avoid cleartext passwords as soon as possible...
>
>Thanks in advance
>Christoph
>
>PS: Yes I did a google search but that was not very helpful...
>--
>    .-.                              Ruhr-Universitaet Bochum
>    /v\    L   I   N   U   X         Lehrstuhl fuer Biophysik
>   // \\  >Penguin Computing<        c/o Dr. Christoph Wegener
>  /(   )\                            Gebaeude ND 04/Nord
>   ^^-^^                             D-44780 Bochum, GERMANY
>
>Tel: +49 (234) 32-25754              Fax: +49 (234) 32-14626
>mailto:christoph.wegener@xxxxxxxxxx  http://www.bph.rub.de
>
>"Snowflakes are one of nature's most fragile things, but just
>look what they can do when they stuck together." (Vesta Kelly)
--
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@xxxxxxxx
Security-related bug reports go to security@xxxxxxx, not here
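
One way to implement the "single command" restriction suggested in the reply above, as an added example that is not part of the original thread: OpenSSH attaches a forced command to a key through the `command=` option in the gateway account's `authorized_keys`, and the wrapper below relays only plain scp server-mode requests to the inside host. The script path, `INSIDE_HOST`, `INSIDE_USER` and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: forced-command wrapper for the gateway.
# Assumed authorized_keys entry on the gateway (one line, key elided):
#   command="/usr/local/bin/scp-relay",no-port-forwarding,no-agent-forwarding,
#   no-X11-forwarding,no-pty ssh-rsa <public-key> user
# The script path and the two values below are assumptions.
LC_ALL=C; export LC_ALL          # make the A-Z / a-z ranges byte-exact
INSIDE_HOST="inside-host"
INSIDE_USER="user"

# Print a normalized "scp ..." command if the request is plain scp server
# mode (-t = receive, -f = send) with exactly one safe path; else return 1.
build_scp_cmd() {
    set -f                       # no globbing while splitting on whitespace
    set -- $1
    set +f
    [ "$1" = "scp" ] || return 1
    shift
    mode="" opts=""
    while [ $# -gt 1 ]; do
        case $1 in
            -t|-f) [ -z "$mode" ] || return 1; mode=$1 ;;
            -r|-p|-d|-v) opts="$opts $1" ;;
            *) return 1 ;;       # unknown option or extra words
        esac
        shift
    done
    [ -n "$mode" ] && [ $# -eq 1 ] || return 1
    case $1 in                   # path: no option, traversal or metacharacter
        -*|*..*|*[!A-Za-z0-9./_-]*) return 1 ;;
    esac
    printf 'scp%s %s %s\n' "$opts" "$mode" "$1"
}

# Entry point when sshd runs this script as the forced command.
relay() {
    if cmd=$(build_scp_cmd "$SSH_ORIGINAL_COMMAND"); then
        # Forward the rebuilt command, never the client's raw string.
        exec ssh -l "$INSIDE_USER" "$INSIDE_HOST" "$cmd"
    fi
    echo "refused: only scp transfers are relayed" >&2
    return 1
}

# Act only when sshd supplied a client command; sourcing the file is inert.
[ -z "${SSH_ORIGINAL_COMMAND+x}" ] || relay
```

Removing that one `authorized_keys` line on the gateway revokes the user's access, which is the "delete keys on gateway" step from the reply.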