Firewall Wizards mailing list archives

Re: SSH through firewall


From: "Aaron D. Turner" <aturner () vicinity com>
Date: Tue, 6 Jul 1999 17:08:29 -0700 (PDT)


I've used sshd in a non-transparent firewall situation by using the
generic tcp proxy with fwtk.  Of course at this point, the firewall
isn't doing the authentication, the end-server is, but I can't figure
out a way to avoid that.  Anyways, it worked quite well.

-- 
Aaron Turner, CNE   aturner () vicinity com  650.237.0300 x252
Network/Security Engineer                 Vicinity Corp.        
Cell: 408-314-9874  Pager: 650-317-1821   http://www.vicinity.com

On Mon, 5 Jul 1999, Kevin T. Shivers wrote:

On Fri, 2 Jul 1999, Ginsberg Rainer (QI/INF4) * wrote:


Do you think this is feasible with a non-transparent firewall? Do you know 
a firewall that is capable of this?

Hmmm, this I am not sure about, but I think it may not work.  I will let
other people on this list who know more about this answer definitively,
but here's my shot.

Machines running sshd have an ssh host key associated with that specific
machine, so if your machine inside the firewall is connecting to the
firewall and then to the outside, ssh might go nuts with the ssh key.  If
ssh records the host key of the firewall for each host outside the
firewall, then siteb.com will look just like sitea.com and ssh will pop up
those nasty messages. If it records the external site's ssh key instead,
then everything will work.  At least, I think it will work.  I don't know
how well tunneling stuff like X will work, but I do know it does work
on our transparent firewall.  I think someone has used ssh with
plug-gw on fwtk, and I know people are using it on Gauntlet (myself
included), but I don't know about any of the other firewalls.  I think
someone might have also made an ssh proxy for fwtk, but I'm not sure,
check fwtk.org for some info if you want.

Anyway, I hope this helped, and take this with a grain of salt.  I don't
want to get yelled at if it turns out I'm wrong. :)

Rainer

kts

--
Kevin T. Shivers                 NT & UNIX Systems Mutilator
Shivers Consulting               http://www.clark.net/pub/kts
kts () clark net
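The host-key mix-up Kevin describes (ssh recording the firewall's key under each external hostname, so sitea.com and siteb.com look identical) leaves a visible trace in the client's known_hosts file. Added example, not part of the original thread: a small Python check that parses a known_hosts file and reports any host key recorded under more than one entry. The file contents and key strings below are constructed placeholders.

```python
"""Flag known_hosts entries where one host key is recorded under several names.

Added example (not from the thread).  When ssh to external hosts goes through
a non-transparent proxy such as fwtk plug-gw, the client can store the proxy's
host key under each external hostname.  This script groups a known_hosts file
by key and reports keys that appear on more than one line.
"""
from collections import defaultdict

# Constructed sample known_hosts; the key material is a placeholder, not real.
SAMPLE_KNOWN_HOSTS = """\
# comment lines are ignored
sitea.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC-FIREWALL-KEY-PLACEHOLDER
siteb.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC-FIREWALL-KEY-PLACEHOLDER
sitec.com,10.1.2.3 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC-SITEC-OWN-KEY
@revoked oldhost.example ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC-REVOKED-KEY
"""


def parse_known_hosts(text):
    """Yield (hostnames, keytype, key) for each usable known_hosts entry.

    Skips blank lines, '#' comments and '@'-marker lines (@cert-authority,
    @revoked) and splits the comma-separated hostname field.
    """
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("@"):
            continue
        fields = line.split()
        if len(fields) < 3:
            continue  # malformed entry, ignore
        yield fields[0].split(","), fields[1], fields[2]


def shared_keys(text):
    """Return {(keytype, key): sorted hostnames} for keys found on more than
    one line.  Aliases on a single line (a host plus its own IP address) are
    normal and are not flagged; the same key on separate lines for different
    hosts is the symptom of the proxy's key being stored per external site.
    """
    lines_per_key = defaultdict(list)
    for hosts, keytype, key in parse_known_hosts(text):
        lines_per_key[(keytype, key)].append(hosts)
    return {k: sorted({h for hosts in v for h in hosts})
            for k, v in lines_per_key.items() if len(v) > 1}


if __name__ == "__main__":
    for (keytype, _key), hosts in shared_keys(SAMPLE_KNOWN_HOSTS).items():
        print(f"{keytype} key shared by {len(hosts)} names: {', '.join(hosts)}")
```

On a real client, point the script at ~/.ssh/known_hosts; a hit means the connections were accepted on the proxy's key rather than the remote server's, which is exactly the authentication gap Aaron mentions.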



