In order to investigate a bug I was running into, I recently had to give my colleague ssh access to my laptop behind a firewall. The easiest way I found to do this was to create an account for him on my laptop, and set up a pagekite frontend on my personal server and a pagekite backend on my laptop.
Frontend setup
Setting up my server in order to make the ssh service accessible and proxy the traffic to my laptop was fairly straightforward.
First, I had to install the pagekite package (already in Debian and Ubuntu) and open up a port on my firewall by adding the following to both /etc/network/iptables.up.rules and /etc/network/ip6tables.up.rules:
-A INPUT -p tcp --dport 10022 -j ACCEPT
Then I created a new CNAME for my server in DNS:
pagekite.fmarier.org. 3600 IN CNAME fmarier.org.
With that in place, I started the pagekite frontend using this command:
pagekite --clean --isfrontend --rawports=virtual --ports=10022 --domain=raw:pagekite.fmarier.org:Password1
Backend setup
After installing the pagekite and openssh-server packages on my laptop and creating a new user account:
adduser roc
I used this command to connect my laptop to the pagekite frontend:
pagekite --clean --frontend=pagekite.fmarier.org:10022 --service_on=raw/22:pagekite.fmarier.org:localhost:22:Password1
Client setup
Finally, my colleague needed to add the following entry to ~/.ssh/config:
Host pagekite.fmarier.org
CheckHostIP no
ProxyCommand /bin/nc -X connect -x %h:10022 %h %p
and install the netcat-openbsd package since other versions of netcat don't work.
On Fedora, we used netcat-openbsd-1.89 successfully, but this newer package may also work.
He was then able to ssh into my laptop via ssh [email protected].
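As an added example (not code from the original post), here is a Python 3 replacement for the netcat ProxyCommand above. It performs the same HTTP CONNECT handshake against the pagekite frontend using only the standard library, so it does not depend on which netcat variant is installed; the hostname and port 10022 come from the post, and the file name connect_proxy.py is an assumption.

```python
import selectors
import socket
import sys
def build_connect_request(host, port):
    # Same handshake netcat-openbsd sends for -X connect: a request line, then a blank line.
    return f"CONNECT {host}:{port} HTTP/1.0\r\n\r\n".encode()

def parse_connect_response(raw):
    # Returns (status_code, leftover); leftover bytes belong to the ssh stream, not the proxy.
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete proxy response")
    status = head.split(b"\r\n", 1)[0].decode("ascii", "replace").split(" ", 2)
    if len(status) < 2 or not status[0].startswith("HTTP/") or not status[1].isdigit():
        raise ValueError(f"malformed status line: {status!r}")
    return int(status[1]), rest

def open_tunnel(proxy_host, proxy_port, target_host, target_port):
    sock = socket.create_connection((proxy_host, proxy_port), timeout=15)
    sock.sendall(build_connect_request(target_host, target_port))
    buf = b""
    while b"\r\n\r\n" not in buf:  # read until the proxy's header block ends
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("proxy closed the connection during CONNECT")
        buf += chunk
    code, leftover = parse_connect_response(buf)
    if code != 200:  # any other status means the frontend did not open a tunnel
        raise ConnectionError(f"proxy refused CONNECT with status {code}")
    sock.settimeout(None)  # an ssh session may sit idle far longer than 15 s
    return sock, leftover

def relay(sock, leftover):
    # Pump bytes between ssh (our stdin/stdout) and the tunnel until one side closes.
    out, inp = sys.stdout.buffer, sys.stdin.buffer
    out.write(leftover); out.flush()
    sel = selectors.DefaultSelector()
    sel.register(inp, selectors.EVENT_READ)
    sel.register(sock, selectors.EVENT_READ)
    while True:
        for key, _ in sel.select():
            data = sock.recv(65536) if key.fileobj is sock else inp.read1(65536)
            if not data:
                return
            if key.fileobj is sock:
                out.write(data); out.flush()
            else:
                sock.sendall(data)
if __name__ == "__main__":  # ProxyCommand python3 connect_proxy.py %h 10022 %h %p
    relay(*open_tunnel(sys.argv[1], int(sys.argv[2]), sys.argv[3], int(sys.argv[4])))
```

The ProxyCommand line in the comment replaces the /bin/nc line in ~/.ssh/config; the CheckHostIP setting stays as it is.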
Making settings permanent
I was initially quite happy setting things up temporarily on the command line, but it's also possible to persist these settings and to make both the pagekite frontend and backend start automatically at boot.
I ended up putting the following in /etc/pagekite.d/20_frontends.rc on my server:
#defaults
isfrontend
rawports=virtual
ports=10022
domain=raw:pagekite.fmarier.org:Password1
as well as removing the following lines from /etc/pagekite.d/10_account.rc:
# Delete this line!
abort_not_configured
before restarting the pagekite daemon using:
systemctl restart pagekite
Using mosh and pagekite
Mosh is a nice way to interface with ssh over high-latency networks. However, it's not possible to tunnel mosh directly through pagekite since pagekite only supports TCP.
I ended up with a hybrid setup where I don't have to expose the ssh service to the local network (and therefore remember to disable it when I'm done) but I do have to open a UDP port on my firewall for mosh.
First, I assigned a stable IP to my laptop on my router, based on its MAC address. I also had to disable MAC address spoofing in Network Manager (setting it to permanent).
This is what my /etc/NetworkManager/system-connections/Ethernet automatique config looks like:
[ethernet]
cloned-mac-address=preserve
[ipv4]
method=auto
[ipv6]
addr-gen-mode=stable-privacy
ip6-privacy=2
method=auto
Then I forwarded port 9000 (UDP) traffic to the static IP address above.
Did you just tell the whole world how to attack your laptop?
I have provided ssh access with SixXS tunnels, but the ssh connections seem to drop after a while. I've had other issues with the tunnels also, but I still use it to run a Bind9 hidden master.
Recently I documented how to set up ssh through Tor with a stealth authentication cookie. I think it's easier than signing up for a tunnel provider, perhaps setting up a firewall etc... The latency of Tor can be a bit tedious for an interactive shell, but it works fine for our use cases.
https://www.axs.org/tor/ssh_access_over_Tor.html
Note if the https doesn't work, try http. I have been testing some things and have nginx running port 443 and Apache on port 80 and I may break TLS as I try out some things.