Letting someone ssh into your laptop using Pagekite
Onion Details
First Seen: 03/11/2024
Last Indexed: 10/21/2024
In order to investigate a bug I was running into, I recently had to give my colleague ssh access to my laptop behind a firewall. The easiest way I found to do this was to create an account for him on my laptop, and set up a pagekite frontend on my personal server and a pagekite backend on my laptop.

Frontend setup

Setting up my server in order to make the ssh service accessible and proxy the traffic to my laptop was fairly straightforward. First, I had to install the pagekite package (already in Debian and Ubuntu) and open up a port on my firewall by adding the following to both /etc/network/iptables.up.rules and /etc/network/ip6tables.up.rules:

    -A INPUT -p tcp --dport 10022 -j ACCEPT

Then I created a new CNAME for my server in DNS:

    pagekite.fmarier.org. 3600 IN CNAME fmarier.org.

With that in place, I started the pagekite frontend using this command:

    pagekite --clean --isfrontend --rawports=virtual --ports=10022 --domain=raw:pagekite.fmarier.org:Password1

Backend setup

After installing the pagekite and openssh-server packages on my laptop and creating a new user account:

    adduser roc

I used this command to connect my laptop to the pagekite frontend:

    pagekite --clean --frontend=pagekite.fmarier.org:10022 --service_on=raw/22:pagekite.fmarier.org:localhost:22:Password1

Client setup

Finally, my colleague needed to add the following entry to ~/.ssh/config:

    Host pagekite.fmarier.org
      CheckHostIP no
      ProxyCommand /bin/nc -X connect -x %h:10022 %h %p

and install the netcat-openbsd package since other versions of netcat don't work. On Fedora, we used netcat-openbsd-1.89 successfully, but this newer package may also work.

He was then able to ssh into my laptop via:

    ssh roc@pagekite.fmarier.org

Making settings permanent

I was initially quite happy setting things up temporarily on the command-line, but it's also possible to persist these settings and to make both the pagekite frontend and backend start up automatically at boot.
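The three pieces of the command-line setup above (server frontend, laptop backend, colleague's ssh client) must agree on the same host name, port and shared secret, and the ProxyCommand only works with the OpenBSD netcat. The following script is an added example, not code from the original post or from the pagekite project: it assembles all three pieces from one set of variables, generates the shared secret instead of typing a fixed one like Password1, checks that the two pagekite command lines carry the same secret, and probes whether the installed nc advertises the -X option. The host name, port and account name are the ones used in the article; the /dev/urandom and od usage is an assumption that holds on Linux and the BSDs.

```shell
#!/bin/sh
# Added example (not from the original post): build the frontend, backend and
# client pieces of the pagekite raw-port setup from a single set of variables
# so that the port and shared secret cannot drift between the three machines.

FRONTEND_HOST="pagekite.fmarier.org"   # CNAME pointing at the personal server
FRONTEND_PORT="10022"                  # TCP port opened on the server firewall
SSH_USER="roc"                         # account created with adduser on the laptop

# Generate a random 32-character hex secret for the raw: domain (assumption:
# /dev/urandom and od exist, as on Linux and the BSDs).
make_secret() {
    od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# Rule for both /etc/network/iptables.up.rules and ip6tables.up.rules on the server.
firewall_rule() {
    printf -- '-A INPUT -p tcp --dport %s -j ACCEPT\n' "$FRONTEND_PORT"
}

# Server side: the frontend command line, with the secret passed as $1.
frontend_cmd() {
    printf 'pagekite --clean --isfrontend --rawports=virtual --ports=%s --domain=raw:%s:%s\n' \
        "$FRONTEND_PORT" "$FRONTEND_HOST" "$1"
}

# Laptop side: the backend command line forwarding raw/22 to the local sshd.
backend_cmd() {
    printf 'pagekite --clean --frontend=%s:%s --service_on=raw/22:%s:localhost:22:%s\n' \
        "$FRONTEND_HOST" "$FRONTEND_PORT" "$FRONTEND_HOST" "$1"
}

# Colleague side: the ~/.ssh/config block (%%h and %%p become %h and %p).
ssh_config_block() {
    printf 'Host %s\n  CheckHostIP no\n  ProxyCommand /bin/nc -X connect -x %%h:%s %%h %%p\n' \
        "$FRONTEND_HOST" "$FRONTEND_PORT"
}

# The ProxyCommand needs the OpenBSD netcat, whose usage text lists
# "-X proxy_protocol"; other netcat flavours do not accept -X/-x.
has_openbsd_nc() {
    command -v nc >/dev/null 2>&1 || return 1
    nc -h 2>&1 | grep -q -- '-X proxy_protocol'
}

# Extract the secret from each generated command line and confirm they match.
secrets_match() {
    f=$(frontend_cmd "$1" | sed 's/.*--domain=raw:[^:]*://')
    b=$(backend_cmd "$1" | sed 's/.*:localhost:22://')
    [ "$f" = "$b" ]
}

main() {
    secret=$(make_secret)
    echo "# server firewall rule:";        firewall_rule
    echo "# run on the server:";           frontend_cmd "$secret"
    echo "# run on the laptop:";           backend_cmd "$secret"
    echo "# colleague's ~/.ssh/config:";   ssh_config_block
    if has_openbsd_nc; then
        echo "# nc: OpenBSD variant found, ProxyCommand will work"
    else
        echo "# nc: install netcat-openbsd before trying the ProxyCommand"
    fi
    echo "# then: ssh $SSH_USER@$FRONTEND_HOST"
}

if [ "${1:-}" = "--run" ]; then
    main
fi
```

Run it as `sh pagekite-setup.sh --run` and paste each printed line onto the machine named in the comment above it; because the secret is generated once and substituted into both pagekite command lines, a mismatch between the frontend's raw: domain and the backend's service_on cannot happen by typo.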
I ended up putting the following in /etc/pagekite.d/20_frontends.rc on my server:

    #defaults
    isfrontend
    rawports=virtual
    ports=10022
    domain=raw:pagekite.fmarier.org:Password1

as well as removing the following lines from /etc/pagekite.d/10_account.rc:

    # Delete this line!
    abort_not_configured

before restarting the pagekite daemon using:

    systemctl restart pagekite

Using mosh and pagekite

Mosh is a nice way to interface with ssh over high-latency networks. However, it's not possible to tunnel mosh directly through pagekite since pagekite only supports TCP. I ended up with a hybrid setup where I don't have to expose the ssh service to the local network (and therefore remember to disable it when I'm done) but I do have to open a UDP port on my firewall for mosh.

First, I assigned a stable IP to my laptop on my router, based on its MAC address. I also had to disable MAC address spoofing in Network Manager (setting it to permanent). This is what my /etc/NetworkManager/system-connections/Ethernet automatique config looks like:

    [ethernet]
    cloned-mac-address=preserve

    [ipv4]
    method=auto

    [ipv6]
    addr-gen-mode=stable-privacy
    ip6-privacy=2
    method=auto

Then I forwarded port 9000 (UDP) traffic to the static IP address above.

Comments

In similar situations, I just say "use IPv6". If a tunnel is needed, miredo is already in Debian, and trex.fi provides a reliable teredo server.

Did you just tell the whole world how to attack your laptop?

I have provided ssh access with SixXS tunnels, but the ssh connections seem to drop after a while. I've had other issues with the tunnels also, but I still use it to run a Bind9 hidden master.

Recently I documented how to set up ssh through Tor with a stealth authentication cookie. I think it's easier than signing up for a tunnel provider, perhaps setting up a firewall etc... The latency of Tor can be a bit tedious for an interactive shell, but it works fine for our use cases.

https://www.axs.org/tor/ssh_access_over_Tor.html

Note: if the https doesn't work, try http. I have been testing some things and have nginx running on port 443 and Apache on port 80, and I may break TLS as I try out some things.