At 16:48 28/09/01 +0100, you wrote:
>I want to try and use ssh to get access to the LAN rather than
>the crappy NAI VPN software that our laptop users use.
>I do not know much about ssh yet, except I have ssh installed
>on a server and have set up my passphrase.
>Has anyone set up a firewall (gauntlet in my case) to allow ssh
>to pass?
>Is the general idea to config the firewall as follows:
>
>- set up plug proxy running on the outside address of the firewall
>  on say port 998 which will forward to the internal ssh server on
>  port 22.
>- connect from client using ssh -l login -P ip-of-firewall
I don't know much about firewalls and I know nothing about gauntlet, but I've used SSH quite a bit. Let's assume you can set the firewall to map ip1:port1 on the external network to ip2:port2 on the internal network; then you should set up the SSH server to listen on ip2:port2 on the internal network. Setting up the server will be easier if port2==22. Then set up the client to access ip1:port1, for example with openssh on Linux "ssh -l username -p port1 ip1". You are now logged into the SSH server. By default, if you now run any X apps on the server they will appear on your client's X server; this behaviour can be disabled with the "-x" switch.

If you need to access machines on the internal network then you can set up a secure tunnel by doing "ssh -l server_username -L localport:host:remoteport -p port1 ip1". This will map port localport on the client to remoteport on host, via the ssh server on ip1:port1. One thing to remember is that host is from the perspective of the ssh server, so if you want to telnet into the ssh server via ssh (I don't know why you'd want to) then you would type: "ssh -l server_username -L 1234:localhost:23 -p port1 ip1". Then you would be prompted for the password to the server_username on the ssh server and a command line on the ssh server will be brought up. Now you can switch to a different terminal and telnet to localhost:1234 on the client and you will be brought to the login prompt for the telnet server on the box with the ssh server on it.

A more realistic use would be if you wanted to telnet into a machine without ssh access; then you would use "ssh -l server_username -L 1234:host:23 -p port1 ip1". Now if you telnet to localhost:1234 on the client you will be connected to the telnet server on host. In this case remember that the connection from the client to the ssh server is encrypted, but the connection from the ssh server to host is totally insecure.

Hope this helps,
Steven Murdoch.
--
email: [EMAIL PROTECTED]
web: http://www.murdomedia.net/
PGP/GnuPG keys: http://www.murdomedia.net/keys.html
