
Re: SSH tunnel question.

Subject: Re: SSH tunnel question.
Date: Fri, 25 May 2007 14:33:32 -0700
Have you thought about using IPsec?



Please respond to lericksen@sbcglobal.net
Sent by:        listbounce@securityfocus.com
To:     secureshell@securityfocus.com
cc:      (bcc: Dan Mitton/YD/RWDOE)
Subject:        SSH tunnel question.
LSN: Not Relevant
User Filed as: Not a Record

I have a need to securely pass traffic from a corporate Intranet server
to a server on the Extranet and in turn have that pass traffic to a
device on the Extranet/management net.

GIVEN:
D = desktop 14.1.2.189 
H = hop box  11.10.10.2
E = Extranet box 10.20.1.5
M = IBM Management module on the management network. 10.30.1.6

A member of my team sneaked in a request that when we are on the CORP
VPN we have access to the Extranet server.  I hope this goes away soon,
but I have tested this and it works.

using putty first on the desktop...   putty -D 8080 -P 22 -ssh E
I then configure IE to talk to a socks server on 8080 and I am able to
access M on ports (80/443, 1044, 1045, and 5900)

now what I want to do is go D -> H ->L -> M

What I have tried so far
- I configure a session to ssh from D to H on port 22
- in the tunnels section I select dynamic 
   - port 8080
   - destination is set to H 
I save that, make a connection, bring up IE, and run a test; my IP is now
reporting that of H rather than my desktop IP.

After that I go back to putty and for the remote ssh command I have
tried 
ssh -D 8080 E
ssh -N -D 8080 E 

So far no luck with the double hop or the double SOCKS.  I want to avoid
having any extra software installed if at all possible to make this
acceptable to my security group.  Is this something that I can do, or
will I have to get creative with the -L option (possibly -R as well as
-g ) so that I can move ports <1025 to that > 1025 so that I can do this
as a non-root user?

Now I am not looking for the complete solution but a little direction to
solve the problem.  But if you want to give the solution that is ok as
well.  I may also suggest for security we just stop at H and go to M so
that we do not have unrestricted web access on D.

--
Leif
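
One way to build the D -> H -> E -> M path asked about above, as an added example that is not part of the original thread: an OpenSSH client configuration on D showing a chained SOCKS tunnel and, beside it, a narrower set of fixed forwards to M. It assumes an OpenSSH client (7.3 or later) on D instead of PuTTY; the host aliases and the local ports 8080 and 8443 are assumptions.

```sshconfig
# Added example: ~/.ssh/config for an OpenSSH client on D.
# Host aliases (hop, extranet-socks, extranet-mm) and local ports are assumptions.
#
# Why the attempt in the post fails: "ssh -D 8080 E" run on H opens a second
# SOCKS listener on H's loopback. The browser's requests are already answered
# by the D -> H tunnel and leave from H, so nothing ever reaches that listener.
# The second SSH session has to start on D and travel through H.

Host hop
    # H
    HostName 11.10.10.2

# Option A: SOCKS proxy on D whose connections originate from E.
Host extranet-socks
    # E, reached through H. ProxyJump needs OpenSSH 7.3 or later.
    HostName 10.20.1.5
    ProxyJump hop
    # Loopback only, so other machines cannot use D as a proxy.
    DynamicForward 127.0.0.1:8080
    ExitOnForwardFailure yes

# Option B: no SOCKS, only the management-module ports named in the post.
Host extranet-mm
    HostName 10.20.1.5
    ProxyJump hop
    ExitOnForwardFailure yes
    # Local ports are 1024 or above, so no root is needed on D.
    LocalForward 127.0.0.1:8080 10.30.1.6:80
    LocalForward 127.0.0.1:8443 10.30.1.6:443
    LocalForward 127.0.0.1:1044 10.30.1.6:1044
    LocalForward 127.0.0.1:1045 10.30.1.6:1045
    LocalForward 127.0.0.1:5900 10.30.1.6:5900
```

`ssh -N extranet-socks` or `ssh -N extranet-mm` starts the chain. With option B the browser is pointed at `https://127.0.0.1:8443` directly rather than at a proxy, so D gains no general web access through the tunnel.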




