
We have a Windows desktop application that connects to a 3rd-party server with a socket connection. The 3rd-party server requires that we connect from a fixed public IP address. We need to connect from various IP addresses, so I set up a (Linux) server to tunnel the connections so that, to the 3rd-party server, all connections appear to come from the same IP address all the time:

ssh -N -L port:127.0.0.1:port account@ip -p port2

The tunnel appears to be working fine. As a test, I can telnet to it from the account with which it was created.

To allow the Windows machines (that run the application) to tunnel through, I added -g to the ssh command line. Now other machines can telnet through the tunnel as well. Everything works so far. However, I want to be able to restrict who can use the tunnel. When I telnet to the Linux server, I expected to be prompted for the username/login of the account that created the tunnel; instead, the connection is just created with no restriction. I don't want to use IP address filtering, since that is the reason I set up the Linux server in the first place (to allow any IP address). How can I get the Linux server to prompt for username/password when connecting to the tunnel from another machine? Would this be done with some additional or different command line options for ssh, or do I need to use something else?

I was expecting to run something like Bitvise Tunnelier on the Windows desktop machines. Thus, I would tell the Windows desktop application to connect to a local port on the Windows machine on which it runs. This local port would be tunneled to the Linux server by Tunnelier. The Linux server would in turn tunnel to the 3rd-party server.

Jimmy
  • If you are planning on using Bitvise Tunnelier, I don't understand your problem. Just don't use the `-g` option, you don't need it. – Zoredache Jan 22 '14 at 18:28
  • Actually you are correct. I managed to confuse myself. Just using Bitvise's ssh client (with c2s port forwarding) with no -g when creating the ssh tunnel works fine. If you put that in an answer I will mark it as the answer. – Jimmy Jan 22 '14 at 21:33

1 Answer


If you want to require authentication, then you should probably drop the -g option (which is what makes the tunnel available to the network). Then require everyone who needs access to the tunnel to the remote system to establish a connection to your SSH server with a tunnel.

How can I get the Linux server to prompt for username/password when connecting to the tunnel from another machine?

There is nothing built into SSH that is going to automatically add an authentication step on top of a telnet session. The simple solution, as I suggested above, is to only permit access to the tunnel if the user can authenticate to the ssh server. You could get a similar result with a VPN between the clients and the SSH server.

I am not sure about the exact nature of whatever this tunnel is providing, but you could set up an account on the SSH server. Then configure this account to automatically run telnet to connect to this tunneled connection.

So you might do something like create an account tunnelaccess, then add something like this to your sshd_config. So whenever a user logs in as tunnelaccess, the command to connect to the remote tunnel would immediately happen.

  # Applies only to sessions for the tunnelaccess account; the global
  # sshd_config settings still apply to everyone else.
  Match User tunnelaccess
    AllowTCPForwarding no
    X11Forwarding no
    ForceCommand connect tunnel # replace with tool to connect to tunnel
Zoredache
  • Please excuse my lack of knowledge: how would I set this up? I could setup another tunnel that forwards to the tunneling port, but then that new tunnel would need -g and then would not require authentication either...? – Jimmy Jan 22 '14 at 18:07
  • No, each user that needs to access the tunnel would run PuTTY or whatever from their personal machine to the SSH server. You would never use -g. The only way a user would be able to access the system is if the user had credentials to authenticate to the SSH server. – Zoredache Jan 22 '14 at 18:09
  • Ah, sorry -- the telnetting was just for testing. The real purpose for this tunnel is for the app to establish a socket connection to the 3rd party server. Please see additional details I just added in the question. – Jimmy Jan 22 '14 at 18:21
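Both the restricted-account idea in the answer and the client-to-server forwarding Jimmy settled on depend on a handful of sshd_config options for the tunnel account, and a Match block that is mis-scoped or overridden by a global setting silently widens what that account can reach. The following Python checker is an added example, not code from the thread or from OpenSSH. It resolves sshd_config the way sshd does for a given user (an option's first occurrence wins; a Match User block overrides the global section for that user only), then verifies that the account can do nothing but open a forward to the one -L listener. The config text, the account name tunnelaccess and the port 5555 are constructed for the example, and only the Match User criterion is modelled.

```python
"""Audit an sshd_config so that a tunnel-only account really is tunnel-only.

Constructed example (not from the Server Fault thread). Models two sshd
rules: the first occurrence of an option wins, and a 'Match User' block
overrides the global section for that user only. Option names are
case-insensitive in sshd_config, so everything is lower-cased.
"""
import re

# Constructed config. Intent: 'tunnelaccess' may only open a client-to-server
# forward to 127.0.0.1:5555 (the -L listener on the Linux box), with no shell,
# no TTY, no X11 and no agent forwarding. Everyone else keeps the defaults.
SAMPLE_CONFIG = """
Port 22
AllowTcpForwarding yes
X11Forwarding yes
PermitOpen any

Match User tunnelaccess
    AllowTcpForwarding local
    PermitOpen 127.0.0.1:5555
    X11Forwarding no
    AllowAgentForwarding no
    PermitTTY no
    ForceCommand /bin/false
"""

# sshd defaults for the options we care about (what 'unset' means).
DEFAULTS = {
    "allowtcpforwarding": "yes",
    "x11forwarding": "no",
    "allowagentforwarding": "yes",
    "permittty": "yes",
    "permitopen": "any",
}

# Acceptable values for a tunnel-only account. 'local' forbids remote (-R)
# forwards, which a tunnel client never needs.
WANT = {
    "allowtcpforwarding": {"yes", "local"},
    "x11forwarding": {"no"},
    "allowagentforwarding": {"no"},
    "permittty": {"no"},
}


def parse_sshd_config(text):
    """Return (global_opts, match_blocks); each opts dict keeps the first value."""
    global_opts, blocks = {}, []
    current = global_opts
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"[ \t=]+", line, maxsplit=1)  # 'Key value' or 'Key=value'
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            current = {}
            blocks.append((value.split(), current))
            continue
        current.setdefault(key, value)        # first occurrence wins
    return global_opts, blocks


def effective_options(text, user):
    """Options sshd would apply to a session for `user` (Match User only)."""
    global_opts, blocks = parse_sshd_config(text)
    matched = {}
    for criteria, opts in blocks:
        if (len(criteria) == 2 and criteria[0].lower() == "user"
                and user in criteria[1].split(",")):
            for key, value in opts.items():
                matched.setdefault(key, value)  # first matching block wins
    eff = dict(global_opts)
    eff.update(matched)                         # Match overrides global
    return eff


def audit_tunnel_user(text, user, allowed_target):
    """Return findings for `user`; an empty list means the account is tunnel-only."""
    eff = effective_options(text, user)
    findings = []
    for key, ok in WANT.items():
        val = eff.get(key, DEFAULTS[key]).lower()
        if val not in ok:
            findings.append(f"{key} is {val}, want one of {sorted(ok)}")
    targets = eff.get("permitopen", DEFAULTS["permitopen"]).split()
    if targets != [allowed_target]:
        findings.append(f"permitopen is {targets}, want [{allowed_target!r}]")
    if not eff.get("forcecommand"):
        findings.append("forcecommand unset, account gets an interactive shell")
    return findings


if __name__ == "__main__":
    for account in ("tunnelaccess", "jimmy"):
        print(account, audit_tunnel_user(SAMPLE_CONFIG, account, "127.0.0.1:5555") or "OK")
```

Run against the constructed config, tunnelaccess comes back clean while an ordinary account such as jimmy is flagged on every point, which is exactly the difference between "can reach the one forwarded port" and "can use the Linux box as a general SOCKS/port-forward pivot". PermitOpen is the option that turns the answer's authenticate-to-forward idea into least privilege: without it, any authenticated user can forward to any host the Linux server can reach.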