From: Jason P. <ja...@pn...> - 2004-04-30 02:24:17

His reason for having

    DNAT net loc:192.168.10.22:22 tcp 2022

is that he is running sshd on the firewall itself too. Thus your suggestion of using port forwarding will disallow access to sshd on the firewall itself.

Regards,
Jason

-----Original Message-----
From: sho...@li... [mailto:sho...@li...] On Behalf Of Patrick Benson
Sent: Friday, April 30, 2004 8:30 AM
To: Mailing List for Shorewall Users
Cc: techz
Subject: Re: [Shorewall-users] Oddball ssh setup

techz wrote:
>
> I am asking here because this is the list most likely to have the answer that
> I am currently a member of.
>
> I am trying to do something a bit more complex than this, but I will simplify
> because I am confident that if I solve the simpler case, I will have no problem
> with the more difficult case.
>
> So, here is the setup.
>
> Shorewall box with 2 interfaces, public and loc.
>
> 2 linux boxes sitting in loc and each running sshd.
>
> I want to be able to ssh into either box in loc, or the shorewall box which
> is also running sshd.
>
> DNAT net loc:192.168.10.22:22 tcp 2022
> DNAT net loc:192.168.10.23:22 tcp 2023
>
> Here is the problem. Let's say I have already ssh'd into the shorewall box.
> When I try to ssh into one of the other boxes, my ssh client complains about
> a man in the middle attack and aborts. If I delete the shorewall box's info
> from the known_hosts file then I can reach another box.
>
> Does anyone know of a clean and safe way to do what I want that does not
> entail constantly editing the known_hosts file on the outside box running the
> ssh client?
>
> all the best,
>
> drew

Drew,

That seems to be a bit more complicated than need be, which also leads to unnecessary confusion. You may have your reasons for doing so, but preferably I would use a single point of entry, like port forwarding to one of those 2 boxes on the inside, for example:

    DNAT net loc:192.168.10.22 tcp 22

Just use a normal user account and harden the sshd_config file. If you are only going to use a few predefined IPs from the outside, just place them after the "net" with a bracket, separated by a comma: net:ip1,ip2. You then decide how to access the shorewall box and the other internal machine with separate user accounts and/or use "su". You could even log on as root directly to the shorewall box. This way you can keep separate keys for each account/logon; you can even use the same key if you have the same account on all three. Your choice.

Regards,

-- 
Patrick Benson
Stockholm, Sweden

_______________________________________________
Shorewall-users mailing list
Post: Sho...@li...
Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
Support: http://www.shorewall.net/support.htm
FAQ: http://www.shorewall.net/FAQ.htm
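Added example, not part of the thread above and not Shorewall's or OpenSSH's own code: the warning drew's client raises is strict host-key checking working as designed, because the three DNAT targets (the firewall's own sshd, 192.168.10.22 and 192.168.10.23) present three different host keys behind one public name. The sh/awk check below reads known_hosts text and lists every name bound to more than one distinct key, which is exactly the condition behind the man-in-the-middle message; Patrick's single-entry-point suggestion avoids it because only one key is ever seen. Both known_hosts samples are constructed here with placeholder key blobs, not real keys, and the name gw.example.net is made up. The second sample uses the [host]:port entry form that OpenSSH clients released after this thread write for non-default ports (an assumption about the reader's client, not something the thread states), which is what makes the three entries distinct.

```shell
#!/bin/sh
# Added example: find known_hosts names that carry more than one host key.
# Both samples are constructed for this example; the key blobs are
# placeholders, not real public keys.

# What a port-unaware client sees when the firewall, 192.168.10.22 and
# 192.168.10.23 are all reached through one name: three keys, one name.
KH_COLLIDING='gw.example.net ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCfirewall0000=
gw.example.net ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCbox2200000000=
gw.example.net ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCbox2300000000='

# The [host]:port form that later OpenSSH clients record for non-default
# ports (assumption, see lead-in): same three keys, three distinct names.
KH_PORTED='gw.example.net ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCfirewall0000=
[gw.example.net]:2022 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCbox2200000000=
[gw.example.net]:2023 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCbox2300000000='

# knownhosts_conflicts: read known_hosts text from stdin and print, sorted,
# every name (comma-separated aliases are split apart) that is bound to more
# than one distinct key. Blank lines, comments, hashed (|1|...) names and
# @marker lines are skipped; use ssh-keygen -F to resolve those.
knownhosts_conflicts() {
    awk '
        NF == 0 || $1 ~ /^#/   { next }
        index($1, "|1|") == 1  { next }
        index($1, "@") == 1    { next }
        {
            key = $2 " " $3                 # key type plus base64 blob
            n = split($1, names, ",")
            for (i = 1; i <= n; i++) {
                name = names[i]
                if (!((name, key) in seen)) {
                    seen[name, key] = 1
                    distinct[name]++
                }
            }
        }
        END {
            for (name in distinct)
                if (distinct[name] > 1) print name
        }
    ' | sort
}

# count_conflicts TEXT: number of conflicting names in the known_hosts text
# passed as the first argument (prints 0 when there are none).
count_conflicts() {
    printf '%s\n' "$1" | knownhosts_conflicts | awk 'END { print NR }'
}

# Stand-alone run: 1 for the colliding sample, 0 for the [host]:port sample.
count_conflicts "$KH_COLLIDING"
count_conflicts "$KH_PORTED"
```

Against a real file run `knownhosts_conflicts < ~/.ssh/known_hosts`; any name it prints will produce the same warning drew describes. To look up the entry for a forwarded port use `ssh-keygen -F '[gw.example.net]:2022'`, and to fetch a key through a DNAT rule before trusting it use `ssh-keyscan -p 2022 gw.example.net`, comparing the fingerprint out of band with the key on 192.168.10.22 rather than accepting it blindly.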