designetwork(EN)

IT technical memo of networking

Build SSH R-Proxy with SSH Piper w/Docker

f:id:daichi703n:20180430124255p:plain

In an environment where SSH access to the server is restricted by a firewall or the like, SSH Proxy access to the backend server is established by SSH R-Proxy server (Docker container), not a step-by-step server.

There is also a method to make SSH connection via HTTP Proxy, but this time we do not use HTTP Proxy but use simple SSH R-Proxy.

SSH Piper

In this article, use this SSH Piper as SSH Proxy.

github.com

From README

Here, we assume SSH sorting on a user name basis to each personal server (container).

+---------+                      +------------------+          +-----------------+
|         |                      |                  |          |                 |
|   Bob   +----ssh -l bob----+   |   SSH Piper   +------------->   Bob' machine  |
|         |                  |   |               |  |          |                 |
+---------+                  |   |               |  |          +-----------------+
                             +---> pipe-by-name--+  |                             
+---------+                  |   |               |  |          +-----------------+
|         |                  |   |               |  |          |                 |
|  Alice  +----ssh -l alice--+   |               +------------->  Alice' machine |
|         |                      |                  |          |                 |
+---------+                      +------------------+          +-----------------+


 Downstream                         SSH Piper                       Upstream               

What we expect is an operation like HTTP reverse proxy, but in SSH it can not be routed in the host header like HTTP, so it will behave like a reverse proxy with login user name.

Build SSH Piper with Docker

SSH Piper is provided as a Docker Image. This makes it possible to skip the execution environment setting of Go language and so on.

Directory / File tree

$ sudo tree -pug
.
├── [-rw-r--r-- root     root    ]  README.md
├── [drwxr-xr-x root     root    ]  config
│   └── [drwxr-xr-x root     root    ]  sshpiper
│       ├── [drwx------ root     root    ]  asa
│       │   └── [-rw------- root     root    ]  sshpiper_upstream
│       └── [drwx------ root     root    ]  centos7
│           └── [-rw------- root     root    ]  sshpiper_upstream
└── [-rw-r--r-- root     root    ]  docker-compose.yml

docker-compose.yml looks like this.

$ cat ./docker-compose.yml
version: '2'

#https://github.com/tg123/sshpiper
services:

  external:
    image: farmer1992/sshpiperd
    container_name: sshpiper
    ports:
      - "2222:2222"
    volumes:
      - /etc/ssh/ssh_host_rsa_key:/etc/ssh/ssh_host_rsa_key:ro
      - ./config/sshpiper:/var/sshpiper

As you can see in detail, you need to be careful with Config Permission . The Config file is 700/600.

$ sudo chmod 700 config/sshpiper/asa
$ sudo chmod 600 ./config/sshpiper/asa/sshpiper_upstream
$ sudo ls -la ./config/sshpiper/asa/
合計 4
drwx------. 2 root root 31  4月 30 10:57 .
drwxr-xr-x. 4 root root 28  4月 30 10:56 ..
-rw-------. 1 root root 36  4月 30 10:57 sshpiper_upstream

$ sudo cat ./config/sshpiper/asa/sshpiper_upstream
# Cisco ASA5505
dev@192.168.1.5:22

SSH Proxy operation confirmation

Activate SSH Piper 's Docker container and check its operation.

$ docker-compose up

<Another Terminal>
$ ssh 192.168.1.76 -p 2222 -l asa
asa@192.168.1.76's password:
Type help or '?' for a list of available commands.
ASA5505>

$ ssh 192.168.1.76 -p 2222 -l centos7
centos7@192.168.1.76's password:
[dev@CentOS7-01 ~]$

Although the above is a log from Linux, SSH access is possible from TeraTerm and other terminals as well. At the password input prompt, SSH Piper's display is displayed, but if the connection succeeds, you can connect to the upstream server (NW device).

The access log of SSH Piper is as follows. The user name and upstream (back end) server are mapped.

sshpiper    | 2018/04/30 02:03:09 sshpiperd started
sshpiper    | 2018/04/30 02:03:10 connection accepted: 192.168.1.111:60508
sshpiper    | 2018/04/30 02:03:10 mapping user [asa] to [dev@192.168.1.5:22]

Unusable if Permission is incorrect

Permission in the sshpiper_upstream file needs to be restricted like.ssh. If Permission is inappropriate, SSH connection fails with perm is too open error as in the following log.

$ sudo docker-compose up
Creating network "sshpiper_default" with the default driver
Creating sshpiper ...
Creating sshpiper ... done
Attaching to sshpiper
sshpiper    | sshpiperd by Boshi Lian<farmer1992@gmail.com>
sshpiper    | https://github.com/tg123/sshpiper
sshpiper    |
<snip>
sshpiper    | 2018/04/30 01:59:23 sshpiperd started
sshpiper    | 2018/04/30 01:59:25 connection accepted: 192.168.1.111:60436
sshpiper    | 2018/04/30 01:59:25 connection from 192.168.1.111:60436 establishing failed reason: /var/sshpiper/asa/sshpiper_upstream's perm is too open

TODO

  • Access control to SSH Piper User control
  • Login with SSH secret key (non-password authentication)
  • Access log management
  • etc.

Conclusion - Build SSH R-Proxy with SSH Piper w/Docker

I was able to build SSH Proxy with SSH Piper. Although the access control related verification is still necessary, it can be used as a simple SSH Proxy, so it is considered very useful for avoiding various restrictions such as Firewall.


This Blog is English Version of my JP's.

Sorry if my English sentences are incorrect.

designetwork