[svlug] ppp over ssh anyone?


Sun Apr 15 17:03:01 PDT 2001


On Fri, Apr 13, 2001 at 10:07:55AM -0700, Roland Krause wrote:
> I have a related question:
> 
> Is it possible to initiate a connection from inside the corp. network
> ("at work") via ssh to a trusted host "at home" and then leave it open
> so that from "home" i can reconnect to "work"? 
> 
> Assume that "work" is a Unix box, behind a firewall w/ NAT, which
> allows ssh traffic and "home" is a Linux box on DSL. 

Sure.  One little issue is that I've found SSH connections tend to crap out
after a while, especially if the connection is completely inactive.  I think
OpenSSH has some option to not timeout connections, but I've been using a mixed
classic SSH 1.x plus OpenSSH environment (i.e. one at home, the other at work),
and it's been an issue.

I partly solved it by having the outgoing SSH command from work run a trivial
app that just prints "hi" every ten minutes or so (if you do it, make sure your
program doesn't line buffer the output--or else you need to print a line break,
too).  That helped somewhat, but I would still get disconnects periodically.

So I wrote a daemon program that takes another program (like SSH) and runs it
automatically in the background, restarting it if it ever crashes.  That's
worked pretty well--it's like I have a permanent wormhole to my office's SSH
server from my desktop at home. I wind up doing double encryption, since I
tunnel over the permanent SSH connection to get to my SSH server on my work box,
but what the hell.

One wrinkle is that in order to make the daemon program able to run SSH
correctly, you have to make sure that SSH isn't going to ask for a password.  I
tried getting that to work via the .shosts and known_hosts files, but NAT seems
to confuse SSH too much for it to work.  But running ssh-keygen and making an
identity file with no password does work just fine, once you stick the key in
the target machine's authorized_hosts file.  A wee bit scary to not have a
password on the identity file, but someone would still need to break into my
(firewall protected) machines to compromise anything.

By the way, after I finally got all that working, I discovered that there is now
a working PPTP for Linux (search for it on Sourceforge), so if your company
allows PPTP access, that's a simpler alternative (and less likely to get you in
trouble with rule-oriented personality types).

Cheers,

Jason Duell.
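The restart-the-tunnel approach described above, as an added example (not Jason's daemon and not part of the original post): a small POSIX shell supervisor that keeps a reverse SSH tunnel from "work" back to "home" up, using OpenSSH's ServerAliveInterval keepalives instead of the "print hi" trick and BatchMode so ssh fails rather than prompting. The hostname home.example.org, the key path ~/.ssh/tunnel_key and reverse port 2222 are assumed placeholders.

```shell
#!/bin/sh
# Added example, not the original poster's code. Keeps "ssh -R" from work to
# home running, restarting it with capped exponential backoff when it dies.
# Assumed placeholders: REMOTE_HOST, IDENTITY (passphrase-less key), REVERSE_PORT.

REMOTE_HOST="${REMOTE_HOST:-home.example.org}"  # placeholder hostname
IDENTITY="${IDENTITY:-$HOME/.ssh/tunnel_key}"   # key with no passphrase; no spaces in path
REVERSE_PORT="${REVERSE_PORT:-2222}"            # port opened on "home", loopback only
INITIAL_DELAY="${INITIAL_DELAY:-5}"             # seconds before the first restart
MAX_DELAY=300                                   # backoff cap in seconds

# -N: no remote shell, only the tunnel. BatchMode=yes: fail instead of asking
# for a password. ServerAlive*: keepalives inside the encrypted channel, so an
# idle link is detected as dead after 3 missed replies. ExitOnForwardFailure:
# a tunnel whose remote port could not bind exits and gets restarted.
build_ssh_cmd() {
    printf 'ssh -N -i %s -o BatchMode=yes -o ServerAliveInterval=60 -o ServerAliveCountMax=3 -o ExitOnForwardFailure=yes -R %s:localhost:22 %s' \
        "$IDENTITY" "$REVERSE_PORT" "$REMOTE_HOST"
}

# Double the current delay, capped at MAX_DELAY.
backoff() {
    d=$(( $1 * 2 ))
    if [ "$d" -gt "$MAX_DELAY" ]; then d=$MAX_DELAY; fi
    echo "$d"
}

# Run the command in "$1" in the foreground, restarting it whenever it exits.
# Optional "$2" caps the number of runs (0 = unlimited); when the cap is hit the
# function returns the number of runs, which lets the loop be exercised in a test.
supervise() {
    cmd=$1; max=${2:-0}; delay=$INITIAL_DELAY; runs=0
    while :; do
        $cmd; rc=$?               # blocks until the tunnel dies
        runs=$((runs + 1))
        echo "$(date '+%F %T') tunnel exited with status $rc (run $runs)" >&2
        if [ "$max" -gt 0 ] && [ "$runs" -ge "$max" ]; then return "$runs"; fi
        sleep "$delay"
        delay=$(backoff "$delay")
    done
}

# Start from work with: nohup sh tunnel.sh run >/dev/null 2>&1 &
# Then from home: ssh -p "$REVERSE_PORT" localhost
if [ "${1:-}" = "run" ]; then supervise "$(build_ssh_cmd)"; fi
```

Since the identity file has no passphrase, limit what it can do on "home" by prefixing its authorized_keys line with `restrict,port-forwarding` so it can open the tunnel but not a shell.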
