convex001

asked on

ssh proxy for DMZ?

Hi,

    A requirement has come up for the implementation of an ssh proxy in our DMZ to proxy inbound and outbound connections.  I was wondering how I'd go about setting up an ssh proxy that can be used from the client's command line (like the SUSE ftp proxy).  Use of a SOCKS proxy is not an option; it needs to be something that can be specified in the username field on the client side.  Please let me know what you've got.

Thanks,

Dave
ahoffmann

Do you mean a transparent proxy?
Inbound or outbound?
Do you really mean a proxy, or something formerly known as a "bastion host"?
convex001

ASKER

It will be in the middle of a firewall sandwich, so I don't know if you could really consider it a bastion host.  But it needs to be transparent in the sense that users shouldn't be connecting to a shell on the machine. Let me give an example of how the ftp proxy works:

- make a connection to ftp-proxy.abc.com

- as a login name use

"target_ftp_server_login_name%target_ftp_server"

- as a password use the target_ftp_server password

Example:

I would like to connect to ftp.nice.com, with a login name "myname" and a "mypass" password:

- connect to ftp-proxy.abc.com

- login name: myname%ftp.nice.com

- password: mypass


I'd like to see this done with ssh and sftp as well.  Any ideas?

-dave

ASKER CERTIFIED SOLUTION
ahoffmann

The problem with ssh is that it's end-to-end secure.
An HTTP or FTP proxy effectively executes a man-in-the-middle attack, pretending to be the server for the client and vice versa.

I believe MS has such a web proxy for HTTPS. It pretends to be a fake CA, then generates fake certificates for all the sites you go to using https. Using the fake certificates it is able to re-encrypt the traffic in such a way that your browser trusts it (after manually importing the original fake-CA certificate).

I guess you could do something similar for ssh, but it does introduce a common weakness to all ssh comms.

You could run a web-based ssh client on the DMZ server, so from inside the company you browse to https://dmz.example.com, a web-based ssh client starts up and you use that to connect to the outside world.

I guess it really depends on what problem you're trying to solve, i.e. why you're not just letting internal systems connect directly.
You can proxy the traffic via an HTTP tunnel through a proxy server.

Take a look at this; it describes how to do it.

http://docs.jamisbuck.org/read/chapter/7

My strong advice to you, however, is to use a bastion host in your DMZ; you should never allow this sort of connection from unknown networks. They should come into a secure and monitored bastion and from there they access your internal resources.

What you're doing is very risky and, because it's encrypted, you will not be able to monitor it.
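As an added example (not code from the thread, nor from any product or page it links to), here is how the bastion-host setup recommended in the last two replies can still give the client the "login%target" convention the asker described for the ftp proxy, without the man-in-the-middle re-encryption that an ssh "proxy" would need. It uses OpenSSH's ProxyJump (OpenSSH 7.3 or later), which forwards the connection through the bastion without opening a login session there, so the end-to-end ssh session stays intact and the bastion's own sshd logs record who jumped where. The host names, the user "dave", the key path, the group "jumpusers" and the nologin path are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread or from any product it mentions.
# All host names, the user "dave", the key path, the group "jumpusers" and
# the /usr/sbin/nologin path are constructed placeholders.

# Client side (~/.ssh/config). ssh, scp and sftp all read this file, so
# "sftp app1.internal.example.com" goes through the bastion too. ProxyJump
# opens a stdio forward on the bastion rather than a login session, so the
# user never gets a shell there and the end-to-end ssh session stays intact.
client_ssh_config() {
cat <<'EOF'
Host bastion
    HostName bastion.example.com
    User dave
    IdentityFile ~/.ssh/id_ed25519

Host *.internal.example.com
    ProxyJump bastion
EOF
}

# Bastion side (sshd_config). Members of the jump group get no shell, no
# TTY, no agent, X11 or tunnel forwarding, and may only forward to port 22
# of the listed internal hosts, so the bastion stays a monitored choke point
# and its sshd logs show every jump (user, source, destination, time).
bastion_sshd_config() {
cat <<'EOF'
Match Group jumpusers
    PermitTTY no
    X11Forwarding no
    AllowAgentForwarding no
    PermitTunnel no
    AllowTcpForwarding yes
    PermitOpen app1.internal.example.com:22 app2.internal.example.com:22
    ForceCommand /usr/sbin/nologin
EOF
}

# Translate the asker's "login%target" form into the ssh command that uses
# the client config above, so a wrapper script can offer the same interface
# as the ftp proxy. Returns 1 when the argument has no '%' separator.
jump_command() {
    case $1 in
        *%*) ;;
        *) echo "expected login%target, got '$1'" >&2; return 1 ;;
    esac
    login=$(printf '%s' "$1" | cut -d% -f1)
    target=$(printf '%s' "$1" | cut -d% -f2-)
    printf 'ssh -J bastion %s@%s\n' "$login" "$target"
}

# Usage: jump_command myname%app1.internal.example.com
# prints: ssh -J bastion myname@app1.internal.example.com
```

The PermitOpen list is deliberately explicit: a jump user who asks the bastion to forward to any host not on that list is refused, and the refusal shows up in the bastion's sshd log, which is exactly the monitoring point the last reply says an encrypted pass-through would lose.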