On Fri, May 29, 2009 at 3:09 PM, Steven S. Critchfield
<[email protected]> wrote:

>
> As I put more virtual machines behind proxies and such, it became evident
> that my normal solution of ssh-ing into a gateway machine and hopping from
> there to the machines inside starts to lose its charm when I want to allow
> some other people to get in as well. I was searching for a solution like a
> proxy for websites. I found it and it was kind of more than I was expecting.
>
> What I found was sshproxy. I get to create users as data in the config
> files and they don't have direct access to the machine doing the proxy work.
> Plus, the accounts that are accessible inside the proxy are all configurable
> as well. Then you get to set rules on which logins can access which accounts
> and when or how.
>
> Part of what really started making me think how cool this is relates to how
> we have had to manage passwords at Base Systems. We would add people's
> accounts to various machines, and then tell them the root passwords. With
> sshproxy, you can make strong, user-unfriendly passwords on the machine as
> they only need to be shared to the proxy. Then you can grant permissions to
> the various users to each of your internal machines, and to the accounts on
> them. When they leave the company, it is easy enough to remove the
> authorization from the proxy of a login. Since no one necessarily knew the
> passwords on the inside of the network, it means you don't have to worry too
> much about being compromised by a disgruntled former user.
>
> Right now, sshproxy supports ini style config files and MySQL backed
> configs. Both should offer easy backup solutions.
>
> Seems it is mildly annoying to use from PuTTY, and from a standard ssh
> client it isn't too bad. Documentation on some things is very sparse. But it
> is pluggable and written in Python. So it isn't too hard for someone to just
> jump in and try to read the code to better understand the docs.
>
>
This is VERY intriguing. The reasoning behind it is also very valid. Not
only with the virtual machines (which is my home setup, with only one public
IP) but even as a somewhat secure gateway into your network from the
outside. Only one machine is truly open to the outside and therefore it is
the only one taking the beating, yet when you log in, it seems like the other
machines are on the outside.

I will definitely be checking this out on my network when I get home. Thanks
for sharing!

Evan
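An added illustration of the access model Steven describes (proxy logins kept separate from the accounts inside, per-login rules on which accounts may be reached and when, and offboarding by deleting the login at the proxy). This is not sshproxy's own code or config format: the ini layout, section names and rule semantics below are assumptions made for the example.

```python
import configparser

# Constructed ini-style config (assumed layout, not sshproxy's real format).
# Proxy logins are distinct from the accounts on internal hosts; the
# internal passwords are shared only with the proxy, never with people.
SAMPLE_CONFIG = """
[login:alice]
allow = root@db1 deploy@web1
hours = 08-18

[login:bob]
allow = deploy@web1
hours = 00-24

[site:root@db1]
password = <long-random-secret-known-only-to-the-proxy>

[site:deploy@web1]
password = <another-long-random-secret>
"""

def load_rules(text):
    """Parse the config into {login: rule} and {account@host: password}."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    logins, sites = {}, {}
    for section in cp.sections():
        kind, name = section.split(":", 1)
        if kind == "login":
            start, end = cp[section]["hours"].split("-")
            logins[name] = {"allow": set(cp[section]["allow"].split()),
                            "hours": (int(start), int(end))}
        elif kind == "site":
            sites[name] = cp[section]["password"]
    return logins, sites

def authorize(logins, sites, login, site, hour):
    """True if `login` may be proxied to `site` (account@host) at `hour`.
    Unknown logins and unlisted sites are denied by default."""
    rule = logins.get(login)
    if rule is None or site not in rule["allow"] or site not in sites:
        return False
    start, end = rule["hours"]
    return start <= hour < end

def revoke(logins, login):
    """Offboarding: drop the proxy login. No internal password changes."""
    logins.pop(login, None)
```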
