Fog Creek Software
Discussion Board




firewall and ssh

Is there such a beast as an ssh proxy ?

I have more than one box set up behind a firewall. I routinely ssh into them from outside the firewall, but have to specify a different port number depending on which box I want to ssh to. It's set up in iptables to divert to the correct box depending on the port.

To make it easier to use things such as cvs I'd like to set up an ssh proxy listening on the one standard port and divert ssh to the other boxes as required. Is there such a beast? And is this bad practice? Should I just be ssh'ing to the firewall first?

stan
Tuesday, November 18, 2003

Wouldn't a compromised firewall then allow them to monitor your passwords to all the boxes behind it?

When using SSH, transfer the server's key in a secure manner and cache it. If it changes, MITM attack!?

I always run SSH on some random high port; there is some security in obscurity, after all ;-)  Other things I do are to set it to only accept connections from the IPs I will hit it from, and to have a very small connection count.

Different ports seems a good way to determine which box you want.

i like i
Tuesday, November 18, 2003

If you set up your .ssh/config properly, you can set an alias for each host behind the firewall and specify the port. Then you'll only need to type 'ssh alias' and it'll do the right thing. See

http://www.openbsd.org/cgi-bin/man.cgi?query=ssh_config&sektion=5&arch=&apropos=0&manpath=OpenBSD+Current

for details

MMR
Tuesday, November 18, 2003

trying again...
http://www.openbsd.org/cgi-bin/man.cgi?query=ssh_config

MMR
Tuesday, November 18, 2003
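An added example of the ~/.ssh/config MMR describes, written for this page and not taken from the thread or from OpenSSH's own documentation. It covers both ways of reaching the boxes: keeping the per-port iptables redirection stan already has, and ssh'ing to the firewall first and hopping from there, which is what a single-port "ssh proxy" really has to do, since the SSH protocol carries no server-name field that a proxy on one port could route on. The host names, ports, addresses and user name are assumptions for illustration. ProxyJump needs OpenSSH 7.3 or later; the ProxyCommand form with -W works back to OpenSSH 5.4.

```sshconfig
# Added example, not part of the original thread. Names, ports and
# addresses are made up for illustration.

# Option 1: keep the existing per-port DNAT on the firewall. Each alias
# points at the firewall's public name with that box's forwarded port.
# OpenSSH records the host key in known_hosts as "[fw.example.com]:2201",
# so each box gets its own independently verified key, and a key change
# on any one of them still raises the man-in-the-middle warning.
Host box1
    HostName fw.example.com
    Port 2201
    User stan

Host box2
    HostName fw.example.com
    Port 2202
    User stan

# Option 2: ssh to the firewall first and hop to the box from there.
# Only port 22 on the firewall is exposed; box3's address is the one
# the firewall sees on the internal network.
Host fw
    HostName fw.example.com
    Port 22
    User stan

Host box3
    HostName 192.168.1.13
    User stan
    ProxyJump fw
    # On clients older than OpenSSH 7.3, use this instead of ProxyJump:
    # ProxyCommand ssh -W %h:%p fw

# Host-key handling, per the MITM point raised in the thread: refuse
# unknown or changed keys instead of prompting. Seed ~/.ssh/known_hosts
# with each server's key over a trusted channel before first use.
Host *
    StrictHostKeyChecking yes
    HashKnownHosts yes
```

With this in place, `ssh box1` and `ssh box3` both work without a port on the command line, and CVS can use the same aliases with `CVS_RSH=ssh` and a root such as `:ext:box1:/var/cvsroot`, since CVS hands the alias straight to ssh.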

There are SSH proxies, but for the most part, they don't do terribly much other than port and server redirection.

SG
Tuesday, November 18, 2003
