Vagrant environment for experimenting with remote (reverse) SSH tunnels and port forwarding. Background: http://arlimus.github.io/articles/ssh.reverse.tunnel.security
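# -*- mode: ruby -*-
# vi: set ft=ruby :

# Name of the SSH server VM.  It doubles as the Ubuntu release whose cloud
# image is used as the box ("saucy" -> saucy64).
name = 'saucy'

# Host-only network address of every machine in the lab, keyed by VM name.
# Frozen: the topology is static and nothing should mutate it at runtime.
IP = {
  'saucy'   => '192.168.123.123',
  'client1' => '192.168.123.101',
  'client2' => '192.168.123.102'
}.freeze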
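# Build the shell provisioning script for the SSH server VM.
#
# The returned script (run as root by Vagrant's shell provisioner) replaces
# /etc/ssh/sshd_config, then creates one tunnel-only account per client:
# no usable shell (/bin/false), no password (useradd leaves it locked) and
# the operator's public key installed, so the account is reachable by key
# only.  It ends by syntax-checking and restarting sshd, because apt-get
# already started the daemon with the stock config and the new file would
# otherwise not take effect until the next reboot.
#
# NOTE(review): a /bin/false shell does not prevent SSH port forwarding.
# With "AllowTcpForwarding remote" in the config these accounts can still
# open reverse tunnels -- presumably the point of the experiment.  To
# actually restrict them, prefix the authorized_keys entry with options
# such as no-pty,no-agent-forwarding,no-X11-forwarding and/or command=,
# permitopen=, permitlisten= (depending on the OpenSSH version).
#
# @param clients [Array<String>] login names to create; validated as plain
#   POSIX user names because they are interpolated unquoted into the script
# @param pubkey_path [String] public key to install for every client
#   (~ is expanded)
# @param sshd_config [String, nil] body of the new sshd_config; nil means
#   the file-level SSHD_CONFIG constant, which is looked up only when this
#   method runs (Vagrant evaluates the define block lazily, after the whole
#   Vagrantfile has been read, so the constant is defined by then)
# @return [String] multi-line shell script
# @raise [ArgumentError] if a client name is not a safe login name
# @raise [Errno::ENOENT] if the public key file does not exist
def setup_scenario(clients = %w{client1 client2}, pubkey_path = '~/.ssh/id_rsa.pub', sshd_config = nil)
  sshd_config ||= SSHD_CONFIG
  authorized_keys = File.read(File.expand_path(pubkey_path))

  # Quoted heredoc delimiters: the shell copies the config and the key
  # verbatim instead of expanding $variables or backticks inside them.
  header = "cat > /etc/ssh/sshd_config <<-'IOF'\n#{sshd_config}\nIOF\n"

  accounts = clients.map do |client|
    unless client =~ /\A[a-z_][a-z0-9_-]*\z/
      raise ArgumentError, "client name is not a safe login name: #{client.inspect}"
    end
    # Explicit 700/600: StrictModes (set in the config) makes sshd refuse a
    # group- or world-writable key file, which a permissive umask could
    # otherwise produce.
    <<EOF
useradd -s /bin/false #{client}
mkdir -p /home/#{client}/.ssh
cat > /home/#{client}/.ssh/authorized_keys <<-'IOF'
#{authorized_keys}
IOF
chmod 700 /home/#{client}/.ssh
chmod 600 /home/#{client}/.ssh/authorized_keys
chown -R #{client}:#{client} /home/#{client}/.ssh
EOF
  end

  # sshd -t fails on a broken config, so a typo never leaves the box
  # without a working daemon; the restart applies the new config now.
  footer = "# validate the new sshd_config, then restart so it takes effect\n" \
           "sshd -t && service ssh restart\n"

  header + accounts.join("\n") + footer
end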
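# Vagrantfile API/syntax version. Don't touch unless you know what you're doing!
VAGRANTFILE_API_VERSION = "2"

Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
  # The SSH server under test: an Ubuntu cloud image provisioned with the
  # custom sshd_config and one tunnel-only account per client.
  config.vm.define name do |c|
    c.vm.box = "#{name}64"
    # Fetch the box over TLS so a man-in-the-middle cannot substitute a
    # tampered image (plain http gave no integrity guarantee at all).
    # Better still, pin it with c.vm.box_download_checksum /
    # c.vm.box_download_checksum_type once you have a known-good value
    # and a Vagrant version that supports those options.
    c.vm.box_url = "https://cloud-images.ubuntu.com/vagrant/#{name}/current/#{name}-server-cloudimg-amd64-vagrant-disk1.box"
    c.vm.network "private_network", ip: IP[name]
    c.vm.provision "shell", inline: "apt-get update"
    c.vm.provision "shell", inline: "apt-get install -y openssh-server"
    # setup_scenario reads ~/.ssh/id_rsa.pub on the host at provisioning time.
    c.vm.provision "shell", inline: setup_scenario
  end

  # The two tunnel clients: stock precise64 boxes on the same host-only
  # network.  No box_url is given, so the box must already be added locally.
  # The block parameter is deliberately not called `name`, which would
  # shadow the server's name defined above.
  %w{client1 client2}.each do |client|
    config.vm.define client do |c|
      c.vm.box = 'precise64'
      c.vm.network 'private_network', ip: IP[client]
    end
  end
end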
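# sshd_config written to the server VM by setup_scenario.  It goes through
# a shell heredoc, so keep it free of shell-significant characters anyway.
#
# The two lines the experiment is about are at the end:
#   AllowTcpForwarding remote  -- clients may request reverse (-R) tunnels
#                                 only, no local (-L) forwarding
#   GatewayPorts no            -- a remote-forwarded port binds to the
#                                 server's loopback, not to every interface
#
# Hardening relative to the earlier version of this file: root may not log
# in over SSH (Vagrant uses the "vagrant" user plus sudo), password
# authentication is off because every account this lab creates is reachable
# by key only, and the DSA host key (limited to 1024 bits) is no longer
# offered.  Note that "remote" forwarding still applies to every account
# on the box, not only to the lab users.
SSHD_CONFIG = <<EOF.freeze
Port 22
Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
UsePrivilegeSeparation yes
SyslogFacility AUTH
LogLevel INFO
LoginGraceTime 120
PermitRootLogin no
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
UsePAM yes
IgnoreRhosts yes
RhostsRSAAuthentication no
HostbasedAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
PasswordAuthentication no
X11Forwarding no
TCPKeepAlive yes
AcceptEnv LANG LC_*
GatewayPorts no
AllowTcpForwarding remote
EOF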