On 26Aug2020 17:00, Jamie Fargen <[email protected]> wrote:
>/etc/autossh/ipaddress-port
>OPTIONS=-i /path/to/private/key -M 10985 -o "PubkeyAuthentication=yes" -o
>"PasswordAuthentication=no" -o "StrictHostKeyChecking=no" -tt -R
>6667:localhost:22 [email protected]
Just a general remark about remote ssh forwards. Unless you _know_ that
the machine you are exposing is itself very well secured, it is better
to use this form of the -R option:
-R 127.0.0.1:6667:localhost:22
That exposes the internal-machine ssh service only to localhost on the
target external-machine. Default, if sshd has GatewayPorts enabled, is
to expose it on "*" - allowing access (and therefore _attack_) on the
external interfaces of the external machine.
When I make this kind of arrangement I always tie the exposed service to
only the local interface, and access it via an ssh jump, eg ssh clause:
Host internal-machine
ProxyCommand ssh -W 127.0.0.1:6667 external-machine
That way the only people who can access the ssh service of
internal-machine are those already allowed access to external-machine,
rather than the entire internet.
Cheers,
Cameron Simpson <[email protected]>
_______________________________________________
users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/[email protected]
