On 26Aug2020 17:00, Jamie Fargen <jamie@xxxxxxxxxxxxxx> wrote:
>/etc/autossh/ipaddress-port
>OPTIONS=-i /path/to/private/key -M 10985 -o "PubkeyAuthentication=yes" -o
>"PasswordAuthentication=no" -o "StrictHostKeyChecking=no" -tt -R
>6667:localhost:22 root@xxxxxxxxxxxx
Just a general remark about remote ssh forwards. Unless you _know_ that
the machine you are exposing is itself very well secured, it is better
to use this form of the -R option:
-R 127.0.0.1:6667:localhost:22
That exposes the internal-machine ssh service only to localhost on the
target external-machine. Default, if sshd has GatewayPorts enabled, is
to expose it on "*" - allowing access (and therefore _attack_) on the
external interfaces of the external machine.
When I make this kind of arrangement I always tie the exposed service to
only the local interface, and access it via an ssh jump, eg ssh clause:
Host internal-machine
ProxyCommand ssh -W 127.0.0.1:6667 external-machine
That way the only people who can access the ssh service of
internal-machine are those already allowed access to external-machine,
rather than the entire internet.
Cheers,
Cameron Simpson <cs@xxxxxxxxxx>
_______________________________________________
users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/users@xxxxxxxxxxxxxxxxxxxxxxx
