
Reverse SSH From Anywhere (RSSHFA)

Reverse SSH From Anywhere is a project that lets a user request, on demand, the creation of an SSH tunnel from a machine located behind a NAT, or on a network whose firewall does not accept incoming connections, to a machine visible on the Internet, in order to then open a reverse SSH session to it (using ssh login@localhost -p bridge_port).

We call:

  1. the server machine: the machine on which RSSHFAServer is running.
  2. the client machine: the machine on which RSSHFAClient is launched to request the creation of an SSH tunnel.
  3. the destination machine: the machine the tunnel is created to, starting from the server.

One major restriction of the tool: the SSH host key of the destination machine must already be in the .ssh/known_hosts file of the server.

The project uses an external XMPP/Jabber server (for now the gtalk servers from Google, i.e. talk.google.com, but the code can easily be extended to use another Jabber server that allows SSL connections on port 443).
In addition to the SSL connection to the XMPP/Jabber server, the whole dialog is encrypted with PGP public/private keys using the RSA cipher, so no information transits in clear through the Google or Jabber servers.

Install process

  1. make sure Java 1.6 is available on both the client side and the server side
  2. make sure openssh-server is installed on the server and on the destination machine, and sshpass on the server
  3. create a gtalk account for the server (the machine behind the NAT or firewall), and a gtalk account for yourself if you don't have one
  4. add your gtalk account to the server account's roster and vice versa
  5. on the server:
    1. create a new user (for example named reversesshfa)
    2. in /home/reversesshfa, untar/ungzip the project archive
    3. generate an OpenPGP public/private key pair for the RSA cipher with the GPG utilities (see $gpg --gen-key); afterwards the pubring.gpg and secring.gpg files are in ~/.gnupg
    4. create a file named server-config.properties in the same directory as RSSHFAServer.jar, containing the configuration of the server and the list of gtalk identifiers that are authorized to talk with the server (see the example file in the project archive)
  6. on the client, you only need the pubring.gpg previously generated on the server

How to use it

  • execute RSSHFAClient.sh on your local machine, i.e.: $java -jar RSSHFAClient.jar -c me@gmail.com server@gmail.com ip bridge_port login pubring_filepath
  • answer the questions asked (gtalk password, password on the destination machine)
  • if RSSHFAClient terminates correctly, you can open an SSH session to your server with $ssh login@localhost -p bridge_port
  • once you are done, kill the SSH tunnel you created with $java -jar RSSHFAClient.jar -k me@gmail.com server@gmail.com (this kills all the SSH tunnels you created)
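The tunnel the server raises toward the destination is a plain OpenSSH remote forward of the destination's bridge_port back to the server's own sshd. As an added example that is not part of RSSHFA's code, the shell functions below build that command with the page's two restrictions made explicit: the bridge port must be sane, and the destination's host key must already be in known_hosts (so the server never silently accepts an unknown key). The login, host and paths are assumptions.

```shell
#!/bin/sh
# Added example, not RSSHFA's own code: the reverse forward the server side
# performs, with pre-flight checks. Hosts, user and paths are assumptions.

# Returns 0 when $1 is a TCP port usable for the bridge (unprivileged range).
valid_bridge_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]
}

# Returns 0 when the known_hosts file $2 already carries a key for host $1.
# Hashed entries (|1|...) can only be matched by ssh-keygen -F, used when the
# tool is present; plain entries are matched on the first field as fallback.
host_key_known() {
    host=$1; kh=$2
    [ -r "$kh" ] || return 1
    if command -v ssh-keygen >/dev/null 2>&1; then
        ssh-keygen -F "$host" -f "$kh" >/dev/null 2>&1 && return 0
    fi
    awk -v h="$host" '$1 !~ /^[|]/ { n = split($1, a, ",");
        for (i = 1; i <= n; i++) if (a[i] == h) found = 1 }
        END { exit found ? 0 : 1 }' "$kh"
}

# Prints the OpenSSH command that binds bridge_port on the destination to the
# server's sshd (port 22). Returns non-zero instead of printing on bad input.
reverse_tunnel_cmd() {
    login=$1; dest=$2; bridge_port=$3; kh=${4:-$HOME/.ssh/known_hosts}
    valid_bridge_port "$bridge_port" || { echo "bad bridge_port: $bridge_port" >&2; return 2; }
    host_key_known "$dest" "$kh" || { echo "no host key for $dest in $kh" >&2; return 3; }
    # StrictHostKeyChecking=yes: refuse keys not already in known_hosts.
    # ExitOnForwardFailure=yes: drop the session if bridge_port cannot be bound.
    printf 'ssh -N -o StrictHostKeyChecking=yes -o ExitOnForwardFailure=yes -o UserKnownHostsFile=%s -R %s:localhost:22 %s@%s\n' \
        "$kh" "$bridge_port" "$login" "$dest"
}
```

With the tunnel up, `ssh login@localhost -p bridge_port` on the destination lands on the server's sshd, exactly as the usage steps describe.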

NOTES

  • if you kill a sshpass or ssh process by hand, you also kill the RSSHFAServer.

License

This project uses the Smack library from IgniteRealtime, released under the Apache license, and the BouncyCastle library, released under the MIT X Consortium license; the OpenPGP library of BouncyCastle also includes a modified BZIP2 library under the Apache Software License, Version 1.1.

Reverse SSH From Anywhere is under the GPLv3 license.
Copyright © 2009, Nicolas James.
http://njames.trevize.net/wiki/projects:reversessh_from_anywhere

projects/reversessh_from_anywhere.txt · Last modified: 2010/12/02 13:53 by njames

 © Nicolas James 2009-2011
