How to secure a reverse ssh tunnel?
I have a OpenBSD box (as a router firewall to my internal net in a network that is not mine) behind another firewalls etc. that I need ssh access to. I can't ssh to it, other people can modify firewalls rules etc. that block a direct ssh access. So I thinking of a reverse ssh tunnel to one of my FreeBSD box on internet.
[my network with servers] -> [my OpenBSD FW] -> (not my network) -> (not mine FW) -> INTERNET <- [my firewall] <- [FreeBSD box]
I made a local account on the FreeBSD machine with /bin/sh and the reverse tunnel working with: ssh -R 12345:localhost:22 user@ip-adress-to-freebsd -p 12345
But I don't want any ssh access from OpenBSD (just in case) to the FreeBSD machine. Tried /sbin/nologin and /bin/false, but no access with the tunnel.
Is there any way to secure a reverse ssh tunnel with "a no ssh shell" like thing on the FreeBSD box?
On OpenBSD you have authpf that work, but on FreeBSD?
This blocks forwarding tunnels (in sshd_config), as make this a title more secure. But still, you have shell.
GatewayPorts no
AllowTcpForwarding remote
And, if the connection is doping, I need that the tunnel should reconnect to the FreeBSD box. Is there any good alternative? Need a 24/7 link (or access to the OpenBSD machine via FreeBSD servern).
autossh... script that check the connections and run ssh again....?
Other suggestions on a ssh access to the OpenBSD box?
//Hilda
I have a OpenBSD box (as a router firewall to my internal net in a network that is not mine) behind another firewalls etc. that I need ssh access to. I can't ssh to it, other people can modify firewalls rules etc. that block a direct ssh access. So I thinking of a reverse ssh tunnel to one of my FreeBSD box on internet.
[my network with servers] -> [my OpenBSD FW] -> (not my network) -> (not mine FW) -> INTERNET <- [my firewall] <- [FreeBSD box]
I made a local account on the FreeBSD machine with /bin/sh and the reverse tunnel working with: ssh -R 12345:localhost:22 user@ip-adress-to-freebsd -p 12345
But I don't want any ssh access from OpenBSD (just in case) to the FreeBSD machine. Tried /sbin/nologin and /bin/false, but no access with the tunnel.
Is there any way to secure a reverse ssh tunnel with "a no ssh shell" like thing on the FreeBSD box?
On OpenBSD you have authpf that work, but on FreeBSD?
This blocks forwarding tunnels (in sshd_config), as make this a title more secure. But still, you have shell.
GatewayPorts no
AllowTcpForwarding remote
And, if the connection is doping, I need that the tunnel should reconnect to the FreeBSD box. Is there any good alternative? Need a 24/7 link (or access to the OpenBSD machine via FreeBSD servern).
autossh... script that check the connections and run ssh again....?
Other suggestions on a ssh access to the OpenBSD box?
//Hilda