Re: SSH to a box behind NAT

2003-03-10 Thread Ryan Thompson

James Long wrote to Ryan Thompson:

> Then I'd suggest creating a ppp-over-ssh tunnel ala Greg Bond's
>
> http://www.itga.com.au/~gnb/vpn/
>
> Have (Server) initiate the tunnel, and let the other end of the
> tunnel terminate at (Manager).  You can then use the tunnel to
> effectively bypass the NT NAT box.

Now *that* is an excellent solution. Thanks!

- Ryan

-- 
  Ryan Thompson <[EMAIL PROTECTED]>

  SaskNow Technologies - http://www.sasknow.com
  901-1st Avenue North - Saskatoon, SK - S7K 1Y4

Tel: 306-664-3600   Fax: 306-244-7037   Saskatoon
  Toll-Free: 877-727-5669 (877-SASKNOW) North America


To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-questions" in the body of the message


Re: SSH to a box behind NAT

2003-03-10 Thread James Long
On Mon, Mar 10, 2003 at 11:32:00PM -0600, Ryan Thompson wrote:
> 
> (So, it is not possible, for instance, to set up port based NAT for
> inbound SSH, which is one of two things I'd normally do). The server
> can, however, initiate arbitrary outbound connections.

Then I'd suggest creating a ppp-over-ssh tunnel ala Greg Bond's

http://www.itga.com.au/~gnb/vpn/

Have (Server) initiate the tunnel, and let the other end of the tunnel
terminate at (Manager).  You can then use the tunnel to effectively bypass 
the NT NAT box.

>                <--- NAT --->
> [ Server ] --- [ NT Gateway ] --- { Internet } --- [ Manager ]
> 192.168.0.2     192.168.0.1                         207.1.1.1
>                   24.1.1.1
   tun0                                                 tun0
   172.16.16.1                  <>                  172.16.16.2

Once the tunnel comes up, (Manager) should be able to ssh at will 
into 172.16.16.1 interactively.
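The same "Server dials out, Manager rides the tunnel back" idea as an added example that is not from the thread or from Greg Bond's pages: a plain reverse SSH port forward in place of ppp-over-ssh, together with the authorized_keys restriction a defender would put on Manager so the tunnel key can open nothing else. The hostname, account names, key path and port 2222 are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: a reverse SSH port forward as a lighter
# alternative to the ppp-over-ssh VPN. Server (behind NAT) dials out to Manager
# and has Manager's sshd listen on a loopback port that leads back to Server's
# own sshd. All hostnames, accounts, paths and ports below are assumptions.

MANAGER_HOST="manager.example.org"   # assumed: Manager's static public name
TUNNEL_USER="tunnel"                 # assumed: unprivileged account on Manager
MANAGE_USER="admin"                  # assumed: admin account on Server
KEY="/root/.ssh/tunnel_key"          # assumed: Server-side key used only for this
REMOTE_PORT=2222                     # loopback port on Manager mapped to Server:22

# Command Server runs (from cron or the loop below). -N opens no shell, only
# the forward; -R binds 127.0.0.1:2222 on Manager to localhost:22 on Server;
# ExitOnForwardFailure plus keepalives make ssh exit when the NAT mapping
# dies, so the loop redials instead of hanging half-dead.
tunnel_cmd() {
    printf 'ssh -N -i %s -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -R 127.0.0.1:%s:localhost:22 %s@%s' \
        "$KEY" "$REMOTE_PORT" "$TUNNEL_USER" "$MANAGER_HOST"
}

# authorized_keys line for the tunnel account on Manager: "restrict" disables
# pty, agent/X11/port forwarding and rc files; permitlisten re-enables only
# this one loopback reverse forward. Give the account /sbin/nologin as its
# shell so the key can open nothing but the tunnel (permitlisten needs
# OpenSSH 7.8 or newer).
authorized_keys_line() {
    printf 'restrict,permitlisten="127.0.0.1:%s" %s' "$REMOTE_PORT" "$1"
}

# From Manager, the operator reaches Server's sshd through the forward. sshd's
# default GatewayPorts=no keeps 2222 bound to loopback on Manager only.
manager_login_cmd() {
    printf 'ssh -p %s %s@127.0.0.1' "$REMOTE_PORT" "$MANAGE_USER"
}

# Redial loop for Server; back off a minute between attempts.
tunnel_loop() {
    while :; do
        eval "$(tunnel_cmd)"
        sleep 60
    done
}

case "${1-}" in
    print) tunnel_cmd; echo; authorized_keys_line "$(cat "$KEY.pub")"; echo ;;
    run)   tunnel_loop ;;
esac
```

Run it with `run` on Server; on Manager, `sockstat -4l | grep 2222` (or `netstat -an`) shows whether the forward is bound to 127.0.0.1 only.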




Re: SSH to a box behind NAT

2003-03-10 Thread Ryan Thompson
Nathan Kinkade wrote to Ryan Thompson:

> > Unfortunately, that idea has, so far, been the *last* thing to
> > come to mind. Any *other* ideas? :-)
> >
> > Thanks, - Ryan
>
> Could you have Server start an xterm, or similar, and have it send
> the display to Manager - with something like 'xterm -display
> Manager:0' from Server?  This is assuming that you are running X on
> Manager.

That's a reasonable idea. Thanks.

Neither Manager nor Server have X installed (and, typically, Manager
itself is accessed remotely, too), but I suppose that isn't out of the
question.

Once it's deployed, Server will be a thousand kilometers away from
here in a locked office, sans head, sans in-house IT. Remote
manageability is therefore somewhat of a necessity. :-)

- Ryan

-- 
  Ryan Thompson <[EMAIL PROTECTED]>

  SaskNow Technologies - http://www.sasknow.com
  901-1st Avenue North - Saskatoon, SK - S7K 1Y4

Tel: 306-664-3600   Fax: 306-244-7037   Saskatoon
  Toll-Free: 877-727-5669 (877-SASKNOW) North America






Re: SSH to a box behind NAT

2003-03-10 Thread Nathan Kinkade
On Mon, Mar 10, 2003 at 11:32:00PM -0600, Ryan Thompson wrote:
> 
> Hi all,
> 
> I have a FreeBSD server behind NAT (on an RFC1918 address). The NAT
> machine is actually an NT box on a network we don't have access to.
> (So, it is not possible, for instance, to set up port based NAT for
> inbound SSH, which is one of two things I'd normally do). The server
> can, however, initiate arbitrary outbound connections.
> 
> So, I'm fishing for a tech workaround to this management problem. :-)
> 
> I need to be able to have an interactive SSH session on the server
> (Server) from another host (Manager) on the Internet (for remote
> management). That is, I need to connect to Server to do remote
> management.
> 
>                <--- NAT --->
> [ Server ] --- [ NT Gateway ] --- { Internet } --- [ Manager ]
> 192.168.0.2     192.168.0.1                         207.1.1.1
>                   24.1.1.1
> 
> Manager is a highly available FreeBSD server (i.e., static public IP).
> 
> The first thing that comes to mind is some kind of "pull" technique to
> have *Server* initiate the connection. Server already initiates cron'd
> SSH connections to Manager to do automated backup/rsync tasks, but I
> can't think of a way to actually start an interactive login in that
> manner.
> 
> So far the best I've come up with is to configure a secure known path
> on Manager for batch scripts (so, not really interactive, but close
> enough for 90% of tasks) and have Server simply attempt to scp (pull)
> the file at regular intervals, and execute its contents. Server can
> capture the output and scp (push) that back to Manager. Manager never
> actually initiates anything. Obviously, this will be a leading cause
> of ass pain in troubleshooting scenarios, and will be a *real* pain
> for anything that actually requires an interactive session.
> 
> Unfortunately, that idea has, so far, been the *last* thing to come to
> mind. Any *other* ideas? :-)
> 
> Thanks,
> - Ryan

Could you have Server start an xterm, or similar, and have it send the
display to Manager - with something like 'xterm -display Manager:0' from
Server?  This is assuming that you are running X on Manager.

Nathan

-- 
GPG Public Key ID: 0x4250A04C
gpg --keyserver pgp.mit.edu --recv-keys 4250A04C
http://63.105.21.156/gpg_nkinkade_4250A04C.asc




SSH to a box behind NAT

2003-03-10 Thread Ryan Thompson

Hi all,

I have a FreeBSD server behind NAT (on an RFC1918 address). The NAT
machine is actually an NT box on a network we don't have access to.
(So, it is not possible, for instance, to set up port based NAT for
inbound SSH, which is one of two things I'd normally do). The server
can, however, initiate arbitrary outbound connections.

So, I'm fishing for a tech workaround to this management problem. :-)

I need to be able to have an interactive SSH session on the server
(Server) from another host (Manager) on the Internet (for remote
management). That is, I need to connect to Server to do remote
management.

               <--- NAT --->
[ Server ] --- [ NT Gateway ] --- { Internet } --- [ Manager ]
192.168.0.2     192.168.0.1                         207.1.1.1
                  24.1.1.1

Manager is a highly available FreeBSD server (i.e., static public IP).

The first thing that comes to mind is some kind of "pull" technique to
have *Server* initiate the connection. Server already initiates cron'd
SSH connections to Manager to do automated backup/rsync tasks, but I
can't think of a way to actually start an interactive login in that
manner.

So far the best I've come up with is to configure a secure known path
on Manager for batch scripts (so, not really interactive, but close
enough for 90% of tasks) and have Server simply attempt to scp (pull)
the file at regular intervals, and execute its contents. Server can
capture the output and scp (push) that back to Manager. Manager never
actually initiates anything. Obviously, this will be a leading cause
of ass pain in troubleshooting scenarios, and will be a *real* pain
for anything that actually requires an interactive session.

Unfortunately, that idea has, so far, been the *last* thing to come to
mind. Any *other* ideas? :-)

Thanks,
- Ryan

-- 
  Ryan Thompson <[EMAIL PROTECTED]>

  SaskNow Technologies - http://www.sasknow.com
  901-1st Avenue North - Saskatoon, SK - S7K 1Y4

Tel: 306-664-3600   Fax: 306-244-7037   Saskatoon
  Toll-Free: 877-727-5669 (877-SASKNOW) North America


