Using ARD and ssh for secure remote administration
Authored by: datasmid on Oct 13, '04 06:09:31PM
Did you try a ppp tunnel over ssh? a.k.a. piercing the firewall.

workmac.intra: The Mac inside the work network 192.168
fw.work.com: The firewall of your work
homemac: Your home mac
vpn network home 10.9.8.7 work 10.9.8.6 (unlikely subnet?)

At work
Add these 2 lines to the sudoers file of workmac.firm, where you have root:
sudo visudo


Cmnd_Alias VPN=/usr/sbin/pppd,/sbin/route
%vpn    ALL=(ALL) NOPASSWD: VPN

You should install your ssh keys on fw.work.com.
# start an ssh tunnel with workmac's ssh port forwarded over the tunnel from homemac
ssh -X -L 2222:workmac.intra:22 fwuser@fw.work.com
# you will install root@homemac's ssh keys on workmac.intra over the tunnel
For ppp tunneling it is important to get rid of any output on stdout.
So touch your ~/.hushlogin to get rid of banners and disable any funny output if you get it at login.

Test all ssh logins before proceeding: as yourself and as your home root, to the firewall and to the workmac.
All hosts should be accepted now, and you cannot have password prompts. You should use the ssh keys!


# open a new shell
sudo su -
ssh-keygen -t dsa
# just press Enter until you're done (no passphrase)
ssh -p 2222 -l workuser localhost 'mkdir .ssh && chmod 700 .ssh'
scp -P 2222 ~/.ssh/id_dsa.pub workuser@localhost:.ssh/pub
ssh -p 2222 -l workuser localhost 'cat .ssh/pub >> .ssh/authorized_keys2'
# logout all remote shells, to add fw.work.com as known host for root@homemac
sudo ssh fwuser@fw.work.com
logout


# open the tunnel again 
ssh -X -L 2222:workmac.intra:22 fwuser@fw.work.com
Now run the script (below) and
ping 10.9.8.6
# get the routing working at home
sudo route add -net 192.168 10.9.8.6
# you could add the ip of an internal nameserver in Network Prefs to resolve .firm
# to kill when done
sudo kill -9 `ps wax|grep pppd|grep -v grep|awk '{print $1;}'`
this is the script, have phun...

#!/bin/bash
# sshpppvpn.sh
# This script initiates a ppp-ssh vpn connection.
# see the VPN PPP-SSH HOWTO on http://www.linuxdoc.org for more information.
# revision history:
# 1.6 11-Nov-1996 miquels@cistron.nl
# 1.7 20-Dec-1999 bart@jukie.net
# 2.0 16-May-2001 bronson@trestle.com
# 3.0 now deep-tunneling to your own Mac where you are Admin 13-Oct-2004 prikkertje@xs4all.nl
# first pierce the firewall: ssh -L 2222:workmac.intra:22 $USER@fw.work.com
# The username on the VPN server that will run the tunnel.
# For security reasons, this should NOT be root, but a sudo-authorized
# user: add these lines to sudoers with "sudo visudo"
# and add the user to the vpn group
# Cmnd_Alias VPN=/usr/sbin/pppd,/sbin/route
# %vpn    ALL=(ALL) NOPASSWD: VPN
SERVER_USERNAME=$USER
# The remote network that the server is your router for
# this is an argument for 
# route add -net $REMOTE_NET $SERVER_IFIPADDR
# 128.32 is interpreted as 128.32.0.0 
REMOTE_NET=192.168 
# The VPN network interface on the server should use this address:
SERVER_IFIPADDR=10.9.8.6
# ...and on the client, this address:
CLIENT_IFIPADDR=10.9.8.7
##### The rest of this file should not need to be changed. #####
# The host name or IP address of the SSH server that we send the
# connection request to (here the local end of the ssh tunnel)
SERVER_HOSTNAME=localhost
LOCAL_SSH_OPTS="-p 2222"
# no trailing colon: an empty PATH element would add the current directory to the search path
PATH=/usr/local/sbin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/bin/X11
PPPD=/usr/sbin/pppd
SSH=/usr/bin/ssh
if ! test -x $PPPD  ; then echo "can't find $PPPD";  exit 3; fi
if ! test -x $SSH   ; then echo "can't find $SSH";   exit 4; fi
case "$1" in
  start)
    
    ${PPPD} nodetach noauth passive pty "${SSH} ${LOCAL_SSH_OPTS} ${SERVER_HOSTNAME} -l${SERVER_USERNAME} -o Batchmode=yes sudo ${PPPD} nodetach notty noauth" ${CLIENT_IFIPADDR}:${SERVER_IFIPADDR}
    # /usr/sbin/pppd nodetach noauth passive pty /usr/bin/ssh -p 2222 localhost -l${USER} -o Batchmode=yes sudo /usr/sbin/pppd nodetach notty noauth 10.0.1.3:10.0.1.4
    echo "manage your route..."
    echo "sudo route add -net $REMOTE_NET $SERVER_IFIPADDR"
    ;;

  stop)
    PID=`ps wax|grep pppd|grep -v grep|awk '{print $1;}'`
    if [ "${PID}" != "" ]; then
      kill $PID
      echo "disconnected."
    else
      echo "Failed to find PID for the connection"
    fi
    ;;

  *)
    echo "Usage: $0 {start|stop}"
    exit 1
    ;;
esac
exit 0


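The setup above installs a passphrase-less root@homemac key on workmac.intra so that pppd can be started non-interactively. As an added example (not code from datasmid's comment or from sshpppvpn.sh), the POSIX sh helpers below confine that key in authorized_keys to the one command the VPN needs, and audit an authorized_keys file for keys that lack such a restriction. The forced command string, the file names and the key material are constructed placeholders; the `sudo` in the forced command still relies on the sudoers lines given in the comment.

```shell
#!/bin/sh
# Added example, not part of datasmid's comment or of sshpppvpn.sh.
# Confine the tunnel key in authorized_keys so it can only start the server
# side of pppd, and audit an authorized_keys file for unrestricted keys.
# The pppd command and the key material below are constructed placeholders.

# Options that tie a key to one forced command and switch off everything else
# the key could otherwise be used for (port forwarding, X11, agent, tty).
# sshd runs the forced command instead of whatever the client asked for.
RESTRICT_OPTS='command="sudo /usr/sbin/pppd nodetach notty noauth",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty'

# restricted_key_line KEYFILE
# Print an authorized_keys line: RESTRICT_OPTS followed by the public key read
# from KEYFILE (the id_dsa.pub copied over the tunnel in the comment above).
restricted_key_line() {
    key=$(cat "$1") || return 1
    printf '%s %s\n' "$RESTRICT_OPTS" "$key"
}

# audit_authorized_keys FILE
# Return 0 when every key line in FILE carries a forced command and no-pty;
# otherwise print each unrestricted line and return 1.
audit_authorized_keys() {
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*) continue ;;                                # blank or comment
            *'command="'*no-pty*|*no-pty*'command="'*) ;;       # restricted key
            *) printf 'unrestricted key: %s\n' "$line"; bad=1 ;;
        esac
    done < "$1"
    return "$bad"
}

# Demo with constructed key material (a real DSA key is several hundred characters).
demo_dir=$(mktemp -d)
printf 'ssh-dss AAAAB3NzaC1kc3MAAACBconstructed root@homemac\n' > "$demo_dir/id_dsa.pub"
restricted_key_line "$demo_dir/id_dsa.pub" > "$demo_dir/authorized_keys2"
audit_authorized_keys "$demo_dir/authorized_keys2" && echo "all keys restricted"
rm -rf "$demo_dir"
```

Use `restricted_key_line` in place of the plain `cat .ssh/pub >> .ssh/authorized_keys2` step: the forced command still matches what sshpppvpn.sh sends (`sudo pppd nodetach notty noauth`), so the tunnel starts exactly as before, but the same key can no longer open an interactive shell or forward ports on workmac.intra. `no-pty` is safe here because pppd's `pty` option runs ssh without requesting a terminal.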