Subject: Connection through a proxy with PublicKey authentication - how to configure it?
From: Chris Green
Newsgroups: comp.security.ssh
Date: Sat, 12 Sep 2020 11:46 UTC
Path: i2pn2.org!i2pn.org!weretis.net!feeder8.news.weretis.net!news-peer.in.tum.de!fu-berlin.de!uni-berlin.de!individual.net!not-for-mail
From: cl...@isbd.net (Chris Green)
Newsgroups: comp.security.ssh
Subject: Connection through a proxy with PublicKey authentication - how to configure it?
Date: Sat, 12 Sep 2020 12:46:46 +0100
Lines: 24
Message-ID: <62pu2h-99rq1.ln1@esprimo.zbmc.eu>
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Trace: individual.net OaEXOdqlN/mjOh+wOhS7MgNjlQNTZLr1mHcOIFjnaEtxbelGI=
X-Orig-Path: not-for-mail
Cancel-Lock: sha1:Y/+CS5z9ToKuH1uTdvrB6x10MPw=
User-Agent: tin/2.4.4-20191224 ("Millburn") (Linux/5.4.0-45-generic (x86_64))
I currently use password authentication for a connection through a
proxy to my home linux desktop.

Since the connection isn't *always* through a proxy (not necessary if
I'm at home, just connect across the LAN) I have the following in my
~/.ssh/config file:-

    Match host esprimo exec "hostNotLocal esprimo"
        ForwardX11 true
        ProxyCommand ssh cheddar nc -q0 zbmc.eu 22

    host esprimo
        ForwardX11 true

If I add the client laptop's public key to cheddar and esprimo what
else do I need to do to make a connection through cheddar?  I will get
Public Key authentication into cheddar but do I have to add
'ForwardAgent yes' to the proxy section? ... or is something else
needed?


--
Chris Green


Subject: Re: Connection through a proxy with PublicKey authentication - how to configure it?
From: Grant Taylor
Newsgroups: comp.security.ssh
Organization: TNet Consulting
Date: Sun, 13 Sep 2020 06:03 UTC
References: 1
Path: i2pn2.org!i2pn.org!weretis.net!feeder6.news.weretis.net!tncsrv06.tnetconsulting.net!tncsrv09.home.tnetconsulting.net!.POSTED.alpha.home.tnetconsulting.net!not-for-mail
From: gtay...@tnetconsulting.net (Grant Taylor)
Newsgroups: comp.security.ssh
Subject: Re: Connection through a proxy with PublicKey authentication - how to configure it?
Date: Sun, 13 Sep 2020 00:03:17 -0600
Organization: TNet Consulting
Message-ID: <rjkcne$oko$1@tncsrv09.home.tnetconsulting.net>
References: <62pu2h-99rq1.ln1@esprimo.zbmc.eu>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Injection-Date: Sun, 13 Sep 2020 06:03:26 -0000 (UTC)
Injection-Info: tncsrv09.home.tnetconsulting.net; posting-host="alpha.home.tnetconsulting.net:198.18.18.251";
logging-data="25240"; mail-complaints-to="newsmaster@tnetconsulting.net"
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101
Thunderbird/68.6.0
In-Reply-To: <62pu2h-99rq1.ln1@esprimo.zbmc.eu>
Content-Language: en-US
On 9/12/20 5:46 AM, Chris Green wrote:
> I currently use password authentication for a connection through a proxy to my home linux desktop.

Okay.

> Since the connection isn't *always* through a proxy (not necessary if I'm at home, just connect across the LAN) I have the following in my ~/.ssh/config file:-
>
>      Match host esprimo exec "hostNotLocal esprimo"

I don't recognize "hostNotLocal".  Is that a wrapper script that checks to see if the parameter is on the local network or not?

>          ForwardX11 true
>          ProxyCommand ssh cheddar nc -q0 zbmc.eu 22

You don't need to use nc to do this.  Check out the "-W" option to modern OpenSSH clients.  It saves a process on cheddar.

>      host esprimo
>          ForwardX11 true

Okay.

> If I add the client laptop's public key to cheddar and esprimo what else do I need to do to make a connection through cheddar? I will get Public Key authentication into cheddar but do I have to add 'ForwardAgent yes' to the proxy section? ... or is something else needed?

No, you don't need ForwardAgent.

The ssh connection from your client notebook to cheddar is only used as part of the transport between your client notebook and esprimo.

Your client notebook will be the endpoint for both SSH connections; client & cheddar, as well as client & esprimo.  As such, your client will have the local agent when authenticating to esprimo.

See my Empowering OpenSSH article for a fuller description of what's happening.

Link - Empowering OpenSSH
  - https://dotfiles.tnetconsulting.net/articles/2015/0506/empowering-openssh.html

Note:  OpenSSH didn't have the ProxyJump or "-W" options when I wrote this article.  They would streamline this process.

Aside:  You probably should check out ProxyJump and / or "-W".  ;-)



--
Grant. . . .
unix || die


Subject: Re: Connection through a proxy with PublicKey authentication - how to configure it?
From: Chris Green
Newsgroups: comp.security.ssh
Date: Sun, 13 Sep 2020 13:51 UTC
References: 1 2
Path: i2pn2.org!i2pn.org!news.swapon.de!fu-berlin.de!uni-berlin.de!individual.net!not-for-mail
From: cl...@isbd.net (Chris Green)
Newsgroups: comp.security.ssh
Subject: Re: Connection through a proxy with PublicKey authentication - how to configure it?
Date: Sun, 13 Sep 2020 14:51:24 +0100
Lines: 70
Message-ID: <snk13h-kju3.ln1@esprimo.zbmc.eu>
References: <62pu2h-99rq1.ln1@esprimo.zbmc.eu> <rjkcne$oko$1@tncsrv09.home.tnetconsulting.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Trace: individual.net SQeg7lr9EHAElZD2DL9WfAF1ArImjEsLjtCaueB1F3W5qG++c=
X-Orig-Path: not-for-mail
Cancel-Lock: sha1:eM43ggwxdZh1ASvEdzK2JZIDhxo=
User-Agent: tin/2.4.4-20191224 ("Millburn") (Linux/5.4.0-47-generic (x86_64))
Grant Taylor <gtaylor@tnetconsulting.net> wrote:
> On 9/12/20 5:46 AM, Chris Green wrote:
> > I currently use password authentication for a connection through a
> > proxy to my home linux desktop.
>
> Okay.
>
> > Since the connection isn't *always* through a proxy (not necessary
> > if I'm at home, just connect across the LAN) I have the following in
> > my ~/.ssh/config file:-
> >
> >      Match host esprimo exec "hostNotLocal esprimo"
>
> I don't recognize "hostNotLocal".  Is that a wrapper script that checks
> to see if the parameter is on the local network or not?

Yes, it's a trivial little script to test if we're on the LAN with
esprimo or not.


> >          ForwardX11 true
> >          ProxyCommand ssh cheddar nc -q0 zbmc.eu 22
>
> You don't need to use nc to do this.  Check out the "-W" option to
> modern OpenSSH clients.  It saves a process on cheddar.

Yes, I was using the old-fashioned way, I now have:-

        ProxyJump cheddar.halon.org.uk

> >      host esprimo
> >          ForwardX11 true
>
> Okay.
>
> > If I add the client laptop's public key to cheddar and esprimo
> > what else do I need to do to make a connection through cheddar?
> > I will get Public Key authentication into cheddar but do I have to
> > add 'ForwardAgent yes' to the proxy section? ... or is something
> > else needed?
>
> No, you don't need ForwardAgent.
>
> The ssh connection from your client notebook to cheddar is only used as
> part of the transport between your client notebook and esprimo.
>
> Your client notebook will be the endpoint for both SSH connections;
> client & cheddar, as well as client & esprimo.  As such, your client will
> have the local agent when authenticating to esprimo.
>
> See my Empowering OpenSSH article for a fuller description of what's
> happening.
>
> Link - Empowering OpenSSH
>  - https://dotfiles.tnetconsulting.net/articles/2015/0506/empowering-openssh.html
>
> Note:  OpenSSH didn't have the ProxyJump or "-W" options when I wrote
> this article.  They would streamline this process.
>
> Aside:  You probably should check out ProxyJump and / or "-W".  ;-)

See above, I'm now using ProxyJump, and it 'just works' with the
change to Public Key.  :-)

Thank you.

--
Chris Green
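An added example, not code from either poster: a stand-in for the "hostNotLocal" helper Chris mentions but never shows, written as a POSIX shell script that asks the kernel's routing table whether the target sits on a directly attached subnet, together with a function that prints the client-side config such a helper is meant to drive, in the ProxyJump form Chris ended up with and with the equivalent `ProxyCommand ssh -W` form as a comment for older clients. It assumes Linux with iproute2 (`ip`) and `getent`; the names esprimo and cheddar and the zbmc.eu address are taken from the thread, while the `HostName` line, `IdentitiesOnly` and the `id_ed25519` key path are my assumptions. No ForwardAgent line appears, for the reason Grant gives: the client is the endpoint of both SSH sessions, so its own agent answers esprimo's challenge.

```shell
#!/bin/sh
# Added example (not from the thread): a hypothetical "hostNotLocal" helper
# plus the ~/.ssh/config it is written for.
# Assumptions: Linux with iproute2 (`ip`) and glibc `getent`; esprimo,
# cheddar and zbmc.eu are the names used in the thread.

# route_is_offlink ROUTE_LINE
#   ROUTE_LINE is the first line of `ip -4 route get <addr>` output. A
#   "via" token means the kernel reaches the address through a gateway,
#   i.e. it is not on a directly attached subnet. Exit 0 => remote.
route_is_offlink() {
    case " $1 " in
        *" via "*) return 0 ;;
        *)         return 1 ;;
    esac
}

# host_not_local HOST
#   Exit 0 when HOST is NOT reachable on a local subnet, so that the
#   "Match host ... exec" block applies and ssh goes through the jump host.
#   Unresolvable names and lookup failures are treated as remote: falling
#   back to the jump host is the safe default, a blind LAN attempt is not.
host_not_local() {
    addr=$(getent ahostsv4 "$1" 2>/dev/null | awk 'NR == 1 { print $1 }')
    [ -n "$addr" ] || return 0
    route=$(ip -4 route get "$addr" 2>/dev/null | head -n 1)
    [ -n "$route" ] || return 0
    route_is_offlink "$route"
}

# render_ssh_config TARGET JUMP
#   Print the client config this helper serves. Only the Match block
#   differs from a plain LAN connection. ForwardAgent is deliberately
#   absent: the client terminates both sessions and uses its local agent.
render_ssh_config() {
    target=$1
    jump=$2
    cat <<EOF
# Applies only when the helper says we are not on the LAN with $target.
Match host $target exec "hostNotLocal $target"
    # Name the jump host uses to reach the target (assumption, taken from
    # the nc target in the original ProxyCommand).
    HostName zbmc.eu
    ProxyJump $jump
    # Equivalent on clients without ProxyJump (OpenSSH before 7.3):
    # ProxyCommand ssh -W %h:%p $jump

Host $target
    ForwardX11 true
    IdentitiesOnly yes
    IdentityFile ~/.ssh/id_ed25519

Host $jump
    IdentitiesOnly yes
    IdentityFile ~/.ssh/id_ed25519
EOF
}

# Installed as "hostNotLocal" on PATH, the script behaves as the helper:
# exit status 0 means "not local", which is what the Match line tests.
if [ "$#" -eq 1 ]; then
    host_not_local "$1"
fi
```

`render_ssh_config esprimo cheddar` prints the config; `ssh -G esprimo` on the client shows which block ssh actually selected, which is the quickest way to confirm the Match line fires only off the LAN. `IdentitiesOnly yes` keeps the client from offering every key its agent holds to cheddar, a useful limit on a host that only needs to carry transport.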


Subject: Re: Connection through a proxy with PublicKey authentication - how to configure it?
From: Grant Taylor
Newsgroups: comp.security.ssh
Organization: TNet Consulting
Date: Sun, 13 Sep 2020 17:55 UTC
References: 1 2 3
Path: i2pn2.org!i2pn.org!weretis.net!feeder6.news.weretis.net!tncsrv06.tnetconsulting.net!tncsrv09.home.tnetconsulting.net!.POSTED.alpha.home.tnetconsulting.net!not-for-mail
From: gtay...@tnetconsulting.net (Grant Taylor)
Newsgroups: comp.security.ssh
Subject: Re: Connection through a proxy with PublicKey authentication - how to configure it?
Date: Sun, 13 Sep 2020 11:55:21 -0600
Organization: TNet Consulting
Message-ID: <rjlmej$h3s$1@tncsrv09.home.tnetconsulting.net>
References: <62pu2h-99rq1.ln1@esprimo.zbmc.eu>
<rjkcne$oko$1@tncsrv09.home.tnetconsulting.net>
<snk13h-kju3.ln1@esprimo.zbmc.eu>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Injection-Date: Sun, 13 Sep 2020 17:55:31 -0000 (UTC)
Injection-Info: tncsrv09.home.tnetconsulting.net; posting-host="alpha.home.tnetconsulting.net:198.18.18.251";
logging-data="17532"; mail-complaints-to="newsmaster@tnetconsulting.net"
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101
Thunderbird/68.6.0
In-Reply-To: <snk13h-kju3.ln1@esprimo.zbmc.eu>
Content-Language: en-US
On 9/13/20 7:51 AM, Chris Green wrote:
> Yes, it's a trivial little script to test if we're on the LAN with esprimo or not.

Okay.  I was sort of wondering if I was missing a nice little tool.  ;-)

> Yes, I was using the old-fashioned way, I now have:-
>
>         ProxyJump cheddar.halon.org.uk
>
> See above, I'm now using ProxyJump, and it 'just works' with the change to Public Key.  :-)

*nod*

ProxyJump (and "-W") are nice options.

> Thank you.

You're welcome.



--
Grant. . . .
unix || die

