Using ARD and ssh for secure remote administration
Authored by: datasmid on Oct 13, '04 06:09:31PM
Did you try a ppp tunnel over ssh? a.k.a. piercing the firewall.

workmac.intra: The Mac inside the work network 192.168 The firewall of your work
homemac: Your home mac
vpn network home work (unlikely subnet?)

At work
Add these 2 lines to the sudoers file of workmac.firm, where you have root:
sudo visudo

Cmnd_Alias VPN=/usr/sbin/pppd,/sbin/route

You should install your ssh-keys on
# start an ssh-tunnel with workmac's ssh-port forwarded over the tunnel from homemac
ssh -X -L 2222:workmac.intra:22
# you will install root@homemac ssh-keys on workmac.intra over the tunnel
For ppp tunneling it is important to get rid of any output on stdout.
So touch your ~/.hushlogin to get rid of banners and disable any funny output if you get it at login.

Test all ssh logins before proceeding: as yourself and as your home root, to the firewall and to the workmac.
All hosts should be accepted now, and you cannot have password prompts. You should use the ssh-keys!

# open a new shell
sudo su -
ssh-keygen -t dsa
# just press enter until you're done (no passphrase)
ssh -p 2222 -l workuser localhost 'mkdir .ssh && chmod 700 .ssh'
# copy the public key written by ssh-keygen -t dsa above (scp options must come before the file arguments)
scp -P 2222 ~/.ssh/id_dsa.pub workuser@localhost:.ssh/pub
ssh -p 2222 -l workuser localhost 'cat .ssh/pub >> .ssh/authorized_keys2'
# log out of all remote shells, then connect once so the host is added as a known host for root@homemac
sudo ssh

# open the tunnel again 
ssh -X -L 2222:workmac.intra:22
Now run the script (below) and
# get the routing working at home
sudo route add -net 192.168
# you could add the ip of an internal nameserver in Network Prefs to resolve .firm
# to kill when done
sudo kill -9 `ps wax|grep pppd|grep -v grep|awk '{print $1;}'`
This is the script, have phun...

#!/bin/sh
# This script initiates a ppp-ssh vpn connection.
# see the VPN PPP-SSH HOWTO on for more information.
# revision history:
# 1.6 11-Nov-1996  1.7 20-Dec-1999 2.0 16-May-2001
# 3.0 now deep-tunneling to your own Mac where you are Admin 13-Oct-2004
# first pierce the firewall: ssh -L 2222:workmac.intra:22 $

# The username on the VPN server that will run the tunnel.
# For security reasons, this should NOT be root, but a sudo
# authorized, add these lines to sudoers with: sudo visudo
# and add the user to the vpn group
# Cmnd_Alias VPN=/usr/sbin/pppd,/sbin/route
# (defaults to $USER, as in the expanded example command below)
SERVER_USERNAME=${SERVER_USERNAME:-$USER}

# The remote network that the server is your router for
# this is an argument for 
# 128.32 is interpreted as 
REMOTE_NET=192.168

# The VPN network interface on the server should use this address:
# (value not present in the post; set it in the environment before running)
SERVER_IFIPADDR=${SERVER_IFIPADDR:?set the server-side tunnel address}
# ...and on the client, this address:
CLIENT_IFIPADDR=${CLIENT_IFIPADDR:?set the client-side tunnel address}

##### The rest of this file should not need to be changed. #####
# The host name or IP address of the SSH server that we are
# sending the connection request to is tunneled
SERVER_HOSTNAME=localhost
LOCAL_SSH_OPTS="-p 2222"
# paths as used in the expanded example command below
PPPD=/usr/sbin/pppd
SSH=/usr/bin/ssh

if ! test -x $PPPD  ; then echo "can't find $PPPD";  exit 3; fi
if ! test -x $SSH   ; then echo "can't find $SSH";   exit 4; fi

case "$1" in
  start)
    ${PPPD} nodetach noauth passive pty "${SSH} ${LOCAL_SSH_OPTS} ${SERVER_HOSTNAME} -l${SERVER_USERNAME} -o Batchmode=yes sudo ${PPPD} nodetach notty noauth" ${CLIENT_IFIPADDR}:${SERVER_IFIPADDR}
    # /usr/sbin/pppd nodetach noauth passive pty /usr/bin/ssh -p 2222 localhost -l${USER} -o Batchmode=yes sudo /usr/sbin/pppd nodetach notty noauth
    echo "manage your route..."
    echo "sudo route add -net $REMOTE_NET $SERVER_IFIPADDR"
    ;;
  stop)
    PID=`ps wax|grep pppd|grep -v grep|awk '{print $1;}'`
    if [ "${PID}" != "" ]; then
      kill $PID
      echo "disconnected."
    else
      echo "Failed to find PID for the connection"
    fi
    ;;
  *)
    echo "Usage: $0 {start|stop}"
    exit 1
    ;;
esac
exit 0

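The post insists that every hop must accept a key login with no password prompt before pppd is run over it, and its stop branch kills every pppd on the machine. The following is an added example (not from the post or the PPP-SSH HOWTO) that checks each hop with BatchMode=yes, which makes ssh fail rather than prompt, and stops only the pppd recorded in a pidfile; the hop names, the pidfile path and the SSH/PIDFILE overrides are assumptions.

```shell
#!/bin/sh
# Added example: pre-flight key-login checks and a pidfile-based stop for
# the ppp-over-ssh tunnel. SSH and PIDFILE may be overridden from the
# environment (assumed names, used by the test below to run offline).
SSH=${SSH:-ssh}
PIDFILE=${PIDFILE:-/var/run/ppp-ssh-vpn.pid}

# Return 0 only if user@host:port accepts a prompt-free, key-based login.
# BatchMode=yes turns a password prompt into a failure, which is exactly
# what pppd needs: it cannot answer a prompt on the pty it drives.
check_batch_login() {
    user=$1; host=$2; port=${3:-22}
    "$SSH" -o BatchMode=yes -o ConnectTimeout=10 \
        -p "$port" -l "$user" "$host" true >/dev/null 2>&1
}

# Check every hop given as user@host or user@host:port; report the first
# one that would stop and ask for a password.
preflight() {
    for hop in "$@"; do
        user=${hop%%@*}; rest=${hop#*@}
        host=${rest%%:*}; port=${rest##*:}
        [ "$port" = "$rest" ] && port=22
        if ! check_batch_login "$user" "$host" "$port"; then
            echo "key login failed (prompt or refused): $hop" >&2
            return 1
        fi
    done
    return 0
}

# Stop only the pppd whose pid was written to $PIDFILE when it was
# started (e.g. "pppd ... & echo $! > $PIDFILE"), instead of killing
# every pppd found by ps|grep. SIGTERM lets pppd tear the link down;
# kill -9 skips that cleanup.
stop_tunnel() {
    [ -r "$PIDFILE" ] || { echo "no pidfile, nothing to stop" >&2; return 1; }
    pid=$(cat "$PIDFILE")
    rm -f "$PIDFILE"
    if kill "$pid" 2>/dev/null; then
        echo "disconnected."
        return 0
    fi
    echo "Failed to find PID for the connection" >&2
    return 1
}
```

Run `preflight homeuser@firewall root@homemac workuser@localhost:2222` (assumed hop names) from homemac before starting the tunnel; a non-zero exit names the hop that still needs its key installed.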