Is it possible to proxyjump into the tailscale network from outside the network, such as from the local library or university computer? Something like:
ssh -J user#bastion user#tailscale-ip
Or:
ssh -A -t user#bastion ssh -A -t user#tailscale-ip
Related
I can't get connection chain with ssh one liner to work.
Chain:
My PC -> jumphost -> Bastion -> my app X host(sharing subnet with Bastion)
-Jumphost expect private key A
-Bastion and X host both expect private key B
my pc> ssh -i /path_to_priv_key_for_X/id_rsa -o StrictHostKeyChecking=no -o
"ProxyCommand ssh -p 22 -W %h:%p -o \"ProxyCommand ssh -p 24 -W %h:%p
-i /path_to_key_jump/id_rsa jumphostuser#jumphostdomain\" -i
/path_to_bastion_key/id_rsa bastionuser#ip_to_bastion" myappuser#subnet_ip
Above does not work, but
ssh -i /path_to_bastion_key/id_rsa -o "ProxyCommand ssh -p 24 -W
%h:%p -i /path_to_key_jump/id_rsa jumphostuser#jumphostdomain"
bastionuser#ip_to_bastion
works, so I can access bastion with one liner, but adding app x host in the command chain does not work, wonder why?
I can step by step manually access the myapp X host like this
mypc> ssh -p 24 -i path_to_key_jump/id_rsa jumphostuser#jumphostdomain
jumphost> ssh -i /path_to_bastion_key/id_rsa bastionuser#ip_to_bastion
bastion> ssh myappuser#subnet_ip
myapp>
How to make in command line two hops over two jump hosts both requiring different key without ssh config?
Something which is working for me surprisingly well is ssh with -J option:
-J destination
Connect to the target host by first making a ssh connection
to the jump host described by destination and then establishing a TCP
forwarding to the ultimate destination from there.
In fact, I's about its feature which I was not aware of for very long time:
Multiple jump hops may be specified separated by comma characters.
So multi-hop like PC -> jump server 1 -> jump server 2 -> target server (in my example: PC -> vpn -> vnc -> ece server can be done with one combo:
$ ssh -J vpn,scs694#tr200vnc rms#tr001tbece11
Of course, most handy is to have ssh keys to open pwd-less connections (PC->vpn and vpn -> vnc and vnc -> target.
I hope it will help,
Jarek
To add to the above. My use-case was a triple-hop to a database server, which looked like Server 1 (Basic Auth) --> Server 2 (Token) --> Server 3 (Basic Auth) --> DB Server (Port Forward).
After quite a few hours of turmoil, the solution was:
ssh -v -4 -J username#server1,username#server2 -N username#Server3 -L 1122:dbserver:{the_database_port_number}
Then I was able to just have the DB client hit localhost:1122 where 1122 can be any free port number on your localhost.
I want to debug another machine on my network but have to pass through one or more SSH tunnels to get there.
Currently:
# SSH into one machine
ssh -p 22 me#some_ip -i ~/.ssh/00_id_rsa
# From there, SSH into the target machine
# Note that this private key lives on this machine
ssh -p 1234 root#another_ip -i ~/.ssh/01_id_rsa
# Capture debug traffic on the target machine
tcpdump -n -i eth0 -vvv -s 0 -XX -w tcpdump.pcap
But then it's a pain to successively copy that .pcap out. Is there a way to write the pcap directly to my local machine, where I have wireshark installed?
You should use ProxyCommand to chain ssh hosts and to pipe output of tcpdump directly into wireshark. To achieve that you should create the following ssh config file:
Host some_ip
IdentityFile ~/.ssh/00_id_rsa
Host another_ip
Port 1234
ProxyCommand ssh -o 'ForwardAgent yes' some_ip 'ssh-add ~/.ssh/01_id_rsa && nc %h %p'
I tested this with full paths, so be carefull with ~
To see the live capture you should use something like
ssh another_ip "tcpdump -s0 -U -n -w - -i eth0 'not port 1234'" | wireshark -k -i -
If you want to just dump pcap localy, you can redirect stdout to filename of your choice.
ssh another_ip "tcpdump -n -i eth0 -vvv -s 0 -XX -w -" > tcpdump.pcap
See also:
https://serverfault.com/questions/337274/ssh-from-a-through-b-to-c-using-private-key-on-b
https://serverfault.com/questions/503162/locally-examine-network-traffic-of-remote-machine/503380#503380
How can I have tcpdump write to file and standard output the appropriate data?
I have database server on AWS and from my PC i have to access that database using ssh tunneling for below scenario.
PC --> Jump1 [x.pem, port:22] --> Jump2 [y.pem, port:443] --> mysqldb:3306
For this kind of scenarios, Config File is the best way to do it.
Run
$ touch ~/.ssh/config
Add host entries in a config file.
Host <Host_Name>
HostName <URL/IP of Jump2>
User <>
Port <>
Identityfile <yyy.pem>
StrictHostKeyChecking no
ProxyCommand ssh -i <xxx.pem> <user>#<IP/DNS of Jump1> nc %h %p 2> /dev/null
and then to create a tunnel
$ ssh <local_port>:DB_URL:<DB PORT> <Host_name>
that's it.
Now you can connect to DB using
localhost:<local_port>
If you already have your public keys in authorized_keys on respective hosts
then you can use -J directive.
like this:
ssh -J user1#host1 user2#host2
If you have more than one jump host you can concatenate it inside of -J directive like this:
ssh -J user1#host1,user2#host2,user(n-1)#host(n-1) userN#hostN
I also using port forwarding so it takes your port data all the way to the last site and then connect to specific site like this:
ssh -L 8080:microsoft.com:80 -J user1#host1 user2#host2
It will create unencrypted connection only from host2 to microsoft.com:80
I am fond of mosh but I have problem connecting via two-level ssh. Consider this scenario:
host machine running FreeBSD which has closed all ports from outside
first jail having ssh port 2222 open from the outside is on public IP let's say door.example.com
second jail with private IP address named DEV.example.com that can be ssh-ed from door.example.com on port 2222 as well
redirection is set up to forward udp port 60000 from door.example.com to DEV.example.com
There is generaly some problem with ttys and jails, but I am able to connect this way:
ssh -t -t -p2222 door.example.com -- ssh -p2222 DEV.example.com
being asked for both password to door.example.com and DEV.example.com afterwards.
I have tried this mosh command (also tried all variations with and without -t -t params):
mosh --port 60000 \
--ssh "ssh -t -t -p2222" \
--server "ssh -t -t -p2222 DEV.example.com mosh-server" \
door.example.com
but I always get hanging on password authentication to the second jail with no password prompt.
Funny thing is that from android mosh-flavored irssi connect bot this works when I set up mosh port to 60000 and as mosh server I fill in ssh -t -t -p2222 DEV.example.com mosh-server
I know there are ways to set-up ssh proxy but I don't want to have things like netcat on the door jail. This should work somehow especially because it already works from my phone.
Is there a reason the mosh-server needs to be at the end point (dev) rather than at the entry (door)?
I use something like:
mosh --port 60000 \
--ssh "ssh -t -t -p2222" \
-- door.example.com ssh -t -t -p2222 dev.example.com
For my setup at home.
FWIW, I use something like this for irssi:
mosh --ssh="ssh -p2222" \
-- user#dmz.example.com ssh -q -t user#irssi.example.com \
screen -c /home/user/.screen.irc -UxaA irc
Both my servers are FreeBSD and clients are either MacBook Air or a laptop running Ubuntu. I had gone with a dmz host with host based firewall, to overcome the limited forwards available on my current router.
i have trouble setting up a JMeter client to connect to a remote JMeter server over an intermediate jumphost.
Especially which ports need to be open and forwarded to which host and how to configure JMeter for that. Apparently there are some blog posts about similar setups but neither describes the ports in detail nor do the connect over an external host (all use localhost?).
The setups is:
JMeter GUI(client) <-> Jumphost <-> JMeter Server
I need to setup one or more SSH Tunnels on the Jumphost and tell the Client and server to connect to this host.
Help will be much appreciated!
http://rolfje.wordpress.com/2012/02/16/distributed-jmeter-through-vpn-and-ssl/
Here I see ports in the article:
-A RH-Firewall-1-INPUT -p udp -m udp --dport 1099 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 1099 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 50000 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 50000 -j ACCEPT
Tried with Java 8
1. Client - modify jmeter.properties file adding:
remote_hosts=127.0.0.1:55511
client.rmi.localport=55512
2. Server - modify jmeter.properties file adding:
server_port=55511
server.rmi.localhostname=127.0.0.1
server.rmi.localport=55511
3. Connect to the server using:
Linux and Mac users
ssh solr#server -L 55511:127.0.0.1:55511 -R 55512:127.0.0.1:55512
Windows users
putty.exe -ssh user#server -L 55511:127.0.0.1:55511 -R 55512:127.0.0.1:55512
4. Server - start jmeter
cd apache-jmeter-2.13/bin/
./jmeter-server -Djava.rmi.server.hostname=127.0.0.1
5. Client - start jmeter
cd apache-jmeter-2.13/bin/
./jmeter.sh -Djava.rmi.server.hostname=127.0.0.1 -t test.jmx