@arlimus
Last active November 17, 2017 16:09
Experiment with remote SSH tunnels and forwarding. Vagrant environment. See http://arlimus.github.io/articles/ssh.reverse.tunnel.security
# -*- mode: ruby -*-
# vi: set ft=ruby :

# Hosts on the private network: 'saucy' is the SSH server, the two clients
# connect to it and open reverse (-R) tunnels.
name = 'saucy'
IP = {
  'saucy'   => '192.168.123.123',
  'client1' => '192.168.123.101',
  'client2' => '192.168.123.102'
}

# sshd configuration written onto the server. The lines that matter for the
# experiment are AllowTcpForwarding remote (clients may open -R tunnels but no
# -L/-D forwards) and GatewayPorts no (remote-forwarded listeners bind to the
# server's loopback interface only).
SSHD_CONFIG = <<EOF
Port 22
Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
UsePrivilegeSeparation yes
SyslogFacility AUTH
LogLevel INFO
LoginGraceTime 120
PermitRootLogin yes
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
UsePAM yes
IgnoreRhosts yes
RhostsRSAAuthentication no
HostbasedAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
PasswordAuthentication yes
X11Forwarding no
TCPKeepAlive yes
AcceptEnv LANG LC_*
GatewayPorts no
AllowTcpForwarding remote
EOF

# Shell provisioning script for the server: install the sshd_config above and
# create one shell-less, key-only account per client.
def setup_scenario
  authorized_keys = File.read(File.expand_path('~/.ssh/id_rsa.pub'))
  # write the sshd_config
  script = "cat > /etc/ssh/sshd_config <<-IOF\n#{SSHD_CONFIG}IOF\n"
  script += %w{client1 client2}.map do |client|
    # configure the scenario for each client: no login shell, our public key
    <<EOF
useradd -s /bin/false #{client}
mkdir -p /home/#{client}/.ssh
cat > /home/#{client}/.ssh/authorized_keys <<-IOF
#{authorized_keys}
IOF
chown -R #{client}:#{client} /home/#{client}/.ssh
EOF
  end.join("\n")
  # the base box already runs sshd; restart it so the new config takes effect
  script + "\nservice ssh restart\n"
end

# Vagrantfile API/syntax version. Don't touch unless you know what you're doing!
VAGRANTFILE_API_VERSION = "2"

Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
  # the SSH server
  config.vm.define name do |c|
    # Every Vagrant virtual environment requires a box to build off of.
    c.vm.box = "#{name}64"
    c.vm.box_url = "http://cloud-images.ubuntu.com/vagrant/#{name}/current/#{name}-server-cloudimg-amd64-vagrant-disk1.box"
    c.vm.network "private_network", ip: IP[name]
    c.vm.provision "shell", inline: "apt-get update"
    c.vm.provision "shell", inline: "apt-get install -y openssh-server"
    c.vm.provision "shell", inline: setup_scenario
  end

  # the two clients that will connect to the server
  %w{client1 client2}.each do |client|
    config.vm.define client do |c|
      c.vm.box = 'precise64'
      c.vm.network 'private_network', ip: IP[client]
    end
  end
end
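An added check, not part of the gist, for verifying the tunnel posture an sshd_config like the one above grants to a non-root user: it honours sshd's first-occurrence-wins rule for repeated keywords and stops at the first Match block. The module and method names (SshdConfigCheck, parse_sshd_config, tunnel_posture) and the sample configs are assumptions constructed for this example.

```ruby
# Added example (not from the gist): inspect tunnel-related sshd directives.
# sshd takes the FIRST value of a repeated keyword, keywords are
# case-insensitive, and everything after a "Match" line is conditional.
module SshdConfigCheck
  module_function

  # Returns {lowercased_keyword => first value}; Match blocks are not parsed.
  def parse_sshd_config(text)
    directives = {}
    text.each_line do |line|
      line = line.strip
      next if line.empty? || line.start_with?('#')
      key, value = line.split(/\s+|=/, 2)   # "Key value" or "Key=value"
      key = key.downcase
      break if key == 'match'               # conditional section starts here
      directives[key] ||= value.to_s.strip  # first occurrence wins, as in sshd
    end
    directives
  end

  # Summarises what a non-root user may do with tunnels under this config.
  def tunnel_posture(text)
    d = parse_sshd_config(text)
    fwd = (d['allowtcpforwarding'] || 'yes').downcase   # sshd default: yes
    gw  = (d['gatewayports'] || 'no').downcase          # sshd default: no
    {
      local_forward:   %w[yes all local].include?(fwd),  # ssh -L / -D allowed
      remote_forward:  %w[yes all remote].include?(fwd), # ssh -R allowed
      # With GatewayPorts no, -R listeners bind only to the server's loopback.
      remote_bind_any: gw != 'no',
      password_auth:   (d['passwordauthentication'] || 'yes').downcase == 'yes',
      root_login:      (d['permitrootlogin'] || 'prohibit-password').downcase
    }
  end
end

# Constructed sample: the directives from the gist's sshd_config that matter here.
GIST_CONFIG = <<EOF
Port 22
PermitRootLogin yes
PasswordAuthentication yes
GatewayPorts no
AllowTcpForwarding remote
EOF

# Constructed weaker variant: all forwarding allowed, -R listeners reachable
# from other hosts.
OPEN_CONFIG = GIST_CONFIG.sub('AllowTcpForwarding remote', 'AllowTcpForwarding yes')
                         .sub('GatewayPorts no', 'GatewayPorts yes')
```

Run it against the real file with `SshdConfigCheck.tunnel_posture(File.read('/etc/ssh/sshd_config'))` after provisioning; the gist's config should report remote forwarding only, with listeners confined to loopback.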