Submit Hint Search The Forums LinksStatsPollsHeadlinesRSS
14,000 hints and counting!

Using ARD and ssh for secure remote administration Network
I have a few headless servers that I maintain with Apple Remote Desktop (ARD) over the Internet. This is not a tutorial on ARD or ssh, but a way to put simple tools together to make things more secure. I don't fully trust the ARD protocol, so I don't want to leave the port open. It is not possible to use ARD over ssh because ARD uses UDP packets that ssh can't forward the same way IPSec tunnels allow to. But IPSec tunnels can be a pain to configure and maintain, and are certainly not within reach of everyone. The servers all sit behind AirPort base stations set to only forward port 22 (ssh) to them. The ssh daemon is running on all servers.
  1. Create a tunnel using the following command:
    
    ssh -L 5009:10.0.1.1:5009 root@server-nnn.dyndns.org
    
    Where:
    • 10.0.1.1 -> private IP address of the base station.
    • server-nnn.dyndns.org -> public IP address of the base station, maintained using the DNSUpdate tool.

  2. Use the Airport Admin Utility to connect to localhost and reach the remote base station.

  3. Turn on forwarding of port 3283 on the base station.

  4. Connect directly via ARD to the public address server-nnn.dyndns.org.
When done, remove the forwarding of port 3283 on the base station. Easy!
    •    
  • Currently 1.67 / 5
  • 1
  • 2
  • 3
  • 4
  • 5
  (3 votes cast)
 
[12,000 views]  

Using ARD and ssh for secure remote administration | 11 comments | Create New Account
Click here to return to the 'Using ARD and ssh for secure remote administration' hint
The following comments are owned by whoever posted them. This site is not responsible for what they say.
Tunnelling?
Authored by: pwharff on Nov 11, '03 12:16:04PM

I've always been a bit confused on the concept of tunnelling. What is the 5009 for? Also, would I use tunnelling if I wanted to connect to multiple computers using ssh that are behind a NAT enabled router/firewall??? And if so, how would I do that. Here is my config

ROUTER: 192.168.1.1 and subdomain.mydomain.com
MAC 1: 192.168.1.90
MAC 2: 192.168.1.8

As of right now, I have my router forward port 22 to my .90 Mac and then once I'm logged in, I have to ssh again to get to the .8 Mac. How can I ssh directly to any one of them? Tunnelling maybe?



[ Reply to This | # ]
Tunnelling?
Authored by: dacloutier on Nov 11, '03 01:49:02PM

You could probably ssh directly just by changing the port forwarding. Using Airport Admin Utility you forward port 22 to port 22 on one box, and you could forward another port (say 9000) to port 22 on the other box. When you ssh to the second box, use the -p option. (e.g. ssh -p 9000 me@mysecondbox)

Note that scp requires an uppercase -P instead of a lower case -p.

You could skip the -p option altogether by putting the folowing lines into your .ssh/config file on the workstation from where you are ssh'ing:


Host mysecondbox
          User me
          Port 9000

Now you should be able to "ssh mysecondbox" with no fuss, muss, or tunneling. (Although it's true that tunneling has some GREAT uses!!!!!)

Hopefully I've got the syntax correct -- do a "man ssh_config" for more info.

Dave



[ Reply to This | # ]
Tunnelling?
Authored by: pwharff on Nov 11, '03 04:49:47PM

Actually, I want to ssh to both machines directly, without having to change the port forwarding everytime. Does anyone know how to tunnell this?



[ Reply to This | # ]
Tunnelling?
Authored by: grrl_geek on Nov 11, '03 07:01:37PM

Easily enough. Change the port SSH is listening on for one of your Macs.

To do this, edit the /etc/sshd_config file (you will need to have root privs to do this ).

You'll see a line that says
#Port 22

Delete the hash mark and change the number, so you get this:
Port XXXX

where XXXX is the number you want to listen on. I use 2222, for example.

SSH can listen on multiple ports at one. I do this on my Linux box. It listens on both the standard 22 port and on 2222. On the LAN side, I can connect to either. On the Internet side, I have my router only forward the 2222 port, to confuse the script kiddiez.

To do this, you need to have two lines in your sshd_config file:

Port 22
Port 2222

---
~~~~~~~~~~~~~
Sinker sucker socks pants, apocryphal awry!



[ Reply to This | # ]
Tunnelling?
Authored by: pwharff on Nov 14, '03 02:36:35AM

Wow, I never thought of doing that, but it's such a great idea. How do I restart services in Mac OS X. I know how to do this in Linux.



[ Reply to This | # ]
Tunnelling?
Authored by: pwharff on Nov 14, '03 02:43:35AM

Changing Port to Port 2222 and uncommenting doesn't seem to be working. I even restarted the other computer and port 22 isn't even suppose to work, just port 2222 and port 2222 isn't working, yet port 22 still is. I've restarting "Remote Login" in the preference pane and that didn't work either. Somethings just wrong and I don't even know if OS X is even looking at the "sshd_config" file. Anyone have a clue on how to change the standard ssh port to something else besides 22?



[ Reply to This | # ]
Using ARD and ssh for secure remote administration
Authored by: Thom on Nov 11, '03 11:18:42PM

I maintain a machine at work that's mapped through a hardware-based firewall, e.g. I can access it from outside of the firewall on a public IP address. Normally, this machine is running ARD's client so I can connect to it.

However, I'd like to be able to stop the ARD client via ssh, then modify the machine's ipfw table (or similar) so that it passes all ARD traffic to *another* machine inside the firewall, in case I had to fix something from home. Then, when finished, I'd want to remove that rule and re-start the ARD client on the machine itself.

Is this type of 'ARD NATting / redirecting' possible?



[ Reply to This | # ]
Is it possible to add the password
Authored by: bluap on Nov 12, '03 06:33:15AM

To make a custom litte app I prefer to include the password as well, without needing to make something different at server side. Is this possible ?

---
--
http://bluap.nl



[ Reply to This | # ]
Using ARD and ssh for secure remote administration
Authored by: SimonDorfman.com on Nov 12, '03 10:58:43AM
you write: It is not possible to use ARD over ssh because ARD uses UDP packets

i agree. but then you describe how to set up an ssh tunnel and connect with ARD. either you're contradicting yourself or i'm confused. I tried tunneling ARD via SSH a few months ago and it doesn't work. That led me to use VNC because it uses TCP rather than UDP packets - so it works over an SSH tunnel. ssh tunnels are fun. check out this hint i wrote about securing POP3 and SMTP email with SSH tunneling: http://www.macosxhints.com/article.php?story=20030721022245232

[ Reply to This | # ]
Using ARD and ssh for secure remote administration
Authored by: timhaigh on Nov 12, '03 07:06:22PM

The example given in this hint assumes you allow root login over SSH to create the tunnel for ARD.

i would never allow root logins onto my server its security risk.

I dont enable password authentication and only use public/private keys.

I dont enable root login, su if needed once your in.

I dont enable challenge response authentication.

tunnels are secure but most network admins would never allow root logins.



[ Reply to This | # ]
Using ARD and ssh for secure remote administration
Authored by: datasmid on Oct 13, '04 06:09:31PM
Did you try a ppp tunnel over ssh? a.k.a. piercing the firewall.

workmac.intra: The Mac inside the work network 192.168
fw.work.com: The firewall of your work
homemac: Your home mac
vpn network home 10.9.8.7 work 10.9.8.6 (unlikely subnet?)

At work
Add these 2 lines to sudoers file of workmac.firm that you got root
sudo visudo


Cmnd_Alias VPN=/usr/sbin/pppd,/sbin/route
%vpn    ALL=(ALL) NOPASSWD: VPN

you should install your ssh-keys on fw.work.com
# start a ssh-tunnel with workmacs ssh-port forwarded over the tunnel from homemac
ssh -X -L 2222:workmac.intra:22 fwuser@fw.work.com
# you will install root@homemac ssh-keys on workmac.intra over the tunnel
For ppp tunneling it is important to get rid of any output on stdout.
So touch your ~/.hushlogin to get rid of banners and disable any funny output if you get it at login.

test all ssh logins before proceding: as yourself as your homeroot to the firewall and to the workmac.
All hosts should be accepted now, and you cannot have prompts for password. You should use the ssh-keys!


# open a new shell<br>
sudo su -
ssh-keygen -t dsa
# just enter till your done (no passphrase)
ssh -p 2222 -l workuser localhost 'mkdir .ssh && chmod 700 .ssh'
scp ~/.ssh/id_dsa.pub -P 2222 ~/.ssh/id_dsa.pub workuser@localhost:.ssh/pub   
ssh -p 2222 -l workuser localhost 'cat .ssh/pub >> .ssh/authorized_keys2'
# logout all remote shells, to add fw.work.com as known host for root@homemac
sudo ssh fwuser@fw.work.com
logout


# open the tunnel again 
ssh -X -L 2222:workmac.intra:22 fwuser@fw.work.com
Now run the script (below) and
ping 10.9.8.6
# get the routing working at home
sudo route add -net 192.168 10.9.8.6
# you could add the ip of an internal nameserver in Network Prefs to resolve .firm
# to kill when done
sudo kill -9 `ps wax|grep pppd|grep -v grep|awk '{print $1;}'`
this is the script, have phun...

#!/bin/bash
# sshpppvpn.sh
# This script initiates a ppp-ssh vpn connection.
# see the VPN PPP-SSH HOWTO on http://www.linuxdoc.org for more information.
# revision history:
# 1.6 11-Nov-1996 miquels@cistron.nl  1.7 20-Dec-1999 bart@jukie.net 2.0 16-May-2001 bronson@trestle.com
# 3.0 now deep-tunneling to your own Mac where you are Admin 13-Oct-2004 prikkertje@xs4all.nl
# first pierce the firewall: ssh -L 2222:workmac.intra:22 $USER@fw.work.com
# The username on the VPN server that will run the tunnel.
# For security reasons, this should NOT be root, but a sudo
# authorized, add these lines to sudoers with: sudo visudo
# and add the user to the vpn group
# Cmnd_Alias VPN=/usr/sbin/pppd,/sbin/route
# %vpn    ALL=(ALL) NOPASSWD: VPN
SERVER_USERNAME=$USER
# The remote network that the server is your router for
# this is an argument for 
# route add -net $REMOTE_NET $SERVER_IFIPADDR
# 128.32 is interpreted as 128.32.0.0 
REMOTE_NET=192.168 
# The VPN network interface on the server should use this address:
SERVER_IFIPADDR=10.9.8.6
# ...and on the client, this address:
CLIENT_IFIPADDR=10.9.8.7
##### The rest of this file should not need to be changed. #####
# The host name or IP address of the SSH server that we are
# sending the connection request to is tunneled
SERVER_HOSTNAME=localhost
LOCAL_SSH_OPTS="-p 2222"
PATH=/usr/local/sbin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/bin/X11/:
PPPD=/usr/sbin/pppd
SSH=/usr/bin/ssh
if ! test -x $PPPD  ; then echo "can't find $PPPD";  exit 3; fi
if ! test -x $SSH   ; then echo "can't find $SSH";   exit 4; fi
case "$1" in
  start)
    
    ${PPPD} nodetach noauth passive pty "${SSH} ${LOCAL_SSH_OPTS} ${SERVER_HOSTNAME} -l${SERVER_USERNAME} -o Batchmode=yes sudo ${PPPD} nodetach notty noauth" ${CLIENT_IFIPADDR}:${SERVER_IFIPADDR}
    # /usr/sbin/pppd nodetach noauth passive pty /usr/bin/ssh -p 2222 localhost -l${USER} -o Batchmode=yes sudo /usr/sbin/pppd nodetach notty noauth 10.0.1.3:10.0.1.4
    echo "manage your route..."
    echo "sudo route add -net $REMOTE_NET $SERVER_IFIPADDR"
    ;;

  stop)
        PID=`ps wax|grep pppd|grep -v grep|awk '{print $1;}'`
        if [ "${PID}" != "" ]; then
          kill $PID
          echo "disconnected."
        else
          echo "Failed to find PID for the connection"
        fi
    ;;

  *)
    echo "Usage: $0 {start|stop}"
    exit 1
    ;;
esac
exit 0


[ Reply to This | # ]