[nylug-talk] replacing SSH gateway?
Chris Knadle
Chris.Knadle at coredump.us
Wed Sep 5 16:51:31 EDT 2007
On Wednesday 05 September 2007, C Thala wrote:
> We have a couple of machines we set up for various developers to use:
>
> pub0
> int0
> int1
> int2
> ...
>
> The int* machines are all on an internal (10/8) network for security
> reasons. Because of this we have a publicly accessible machine, pub0, that
> these devs ssh into first before they ssh into the int* machines.
Yep. I consider this to be a normal-ish thing.
> The issue we have is this...every single developer who needs to access
> an internal machine now has an SSH account on pub0. This is not really a
> big deal, all the developers are company employees and we trust them,
> but we really don't want to give out login accounts on a machine that
> exists only to make the internal machines accessible.
>
> What is a better solution?
>
> 1. Set up some sort of VPN -- keep in mind though that the setup we
> currently have is OS-agnostic, devs ssh in from their Linux or
> Windows or MacOS boxes without any problems. So any potential VPN
> solution should be just as portable and easy to use.
Not thrilling, as there are several simultaneous issues to deal with there.
> 2. Keep the SSH gateway setup as is
>
> 3. ?
I likewise keep running into this type of problem and have been trying to
think about some way of doing an ssh-tunnel-to-ssh connection, i.e. the
first ssh connection sets up a tunnel forwarding a port, and then another
ssh connection is created over that port to the desired destination box. [This
type of connection is a standard way of tunneling nonencrypted protocols like
SMB over ssh, so I don't see why it couldn't also be used for ssh.]
Likewise this same tunneling mechanism could be used for exposing other
services on those internal development boxes.
-- Chris
--
Chris Knadle
Chris.Knadle at coredump.us
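
[Editor's added example; this is not part of the original thread or of
anyone's posted configuration.] The tunnel-then-ssh idea above, written
as OpenSSH configuration, together with the gateway-side restriction that
answers the original complaint: developers keep an account on pub0, but
that account can do nothing except relay TCP to the internal sshd ports.
Assumed names: pub0.example.com for the gateway's public address, the
account "dev", the group "devs", and /usr/sbin/nologin as the no-shell
binary (its path differs between distributions). Variant B and the
PermitTTY directive are OpenSSH features that postdate the 2007 thread
(ssh -W is 5.4 and later, PermitTTY 6.2 and later).

```sshconfig
# ---- On each developer's machine: ~/.ssh/config ----

# Variant A: the two-step tunnel from the post.  "ssh -N -f pub0-tunnel"
# logs in to the gateway and forwards loopback ports to the internal sshds;
# "ssh int0-via-tunnel" then opens the second ssh session over that port.
Host pub0-tunnel
    HostName pub0.example.com            # assumed public name of pub0
    User dev                             # assumed account on pub0
    LocalForward 127.0.0.1:2201 int0:22  # bind loopback only, never 0.0.0.0
    LocalForward 127.0.0.1:2202 int1:22
    LocalForward 127.0.0.1:2203 int2:22

Host int0-via-tunnel
    HostName 127.0.0.1
    Port 2201
    HostKeyAlias int0   # store int0's host key under "int0", not "[127.0.0.1]:2201",
    User dev            # so every int* box gets its own known_hosts entry

Host int1-via-tunnel
    HostName 127.0.0.1
    Port 2202
    HostKeyAlias int1
    User dev

# Variant B: same idea in one command, no fixed local ports.  ssh -W makes the
# gateway relay a raw TCP stream to %h:%p; the inner session is encrypted
# end-to-end and host-key-verified against int* itself, so a compromised
# gateway can only cut the connection, not read or alter it.
Host int0 int1 int2
    ProxyCommand ssh -W %h:%p dev@pub0.example.com
    User dev

# ---- On pub0: /etc/ssh/sshd_config ----
# Match blocks run to the end of the file, so this goes last.  Members of the
# assumed group "devs" may forward only to the listed internal sshds and get
# no PTY, no X11, no agent socket, and no usable shell.
Match Group devs
    AllowTcpForwarding yes
    PermitOpen int0:22 int1:22 int2:22   # explicit host:port list; no wildcards
    X11Forwarding no
    AllowAgentForwarding no
    PermitTTY no
    ForceCommand /usr/sbin/nologin       # any shell or command request exits at once
```

With ssh -N (variant A) or ssh -W (variant B) the client never opens a
session channel, so ForceCommand is never reached and the account's whole
capability is the PermitOpen list. A developer who does request a shell
gets nologin and is disconnected. Anything not listed in PermitOpen, such
as a database port on an int* box, is refused by sshd on pub0, which is
the check to run after editing: "ssh -L 5432:int0:5432 pub0" should fail
with "administratively prohibited" until that host:port is added.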