/ssh tunnelling vagrant env
Last active Nov 17, 2017
Experiment with remote SSH tunnels and forwarding. Vagrant environment. See http://arlimus.github.io/articles/ssh.reverse.tunnel.security
| # -*- mode: ruby -*- | |
| # vi: set ft=ruby : | |
| name = 'saucy' | |
| IP = { | |
| 'saucy' => '192.168.123.123', | |
| 'client1' => '192.168.123.101', | |
| 'client2' => '192.168.123.102' | |
| } | |
| def setup_scenario | |
| authorized_keys = File::read(File::expand_path('~/.ssh/id_rsa.pub')) | |
| # create the sshd_config | |
| "cat > /etc/ssh/sshd_config <<-IOF\n#{SSHD_CONFIG}\nIOF\n" + | |
| %w{client1 client2}.map do |client| | |
| # configure the scenario for each client | |
| <<EOF | |
| useradd -s /bin/false #{client} | |
| mkdir -p /home/#{client}/.ssh | |
| cat > /home/#{client}/.ssh/authorized_keys <<-IOF | |
| #{authorized_keys} | |
| IOF | |
| chown -R #{client}:#{client} /home/#{client}/.ssh | |
| EOF | |
| end.join("\n") | |
| end | |
| # Vagrantfile API/syntax version. Don't touch unless you know what you're doing! | |
| VAGRANTFILE_API_VERSION = "2" | |
| Vagrant.configure(VAGRANTFILE_API_VERSION) do |config| | |
| config.vm.define name do |c| | |
| # Every Vagrant virtual environment requires a box to build off of. | |
| c.vm.box = "#{name}64" | |
| c.vm.box_url = "http://cloud-images.ubuntu.com/vagrant/#{name}/current/#{name}-server-cloudimg-amd64-vagrant-disk1.box" | |
| c.vm.network "private_network", ip: IP[name] | |
| c.vm.provision "shell", inline: "apt-get update" | |
| c.vm.provision "shell", inline: "apt-get install -y openssh-server" | |
| c.vm.provision "shell", inline: setup_scenario | |
| end | |
| %w{client1 client2}.each do |name| | |
| config.vm.define name do |c| | |
| c.vm.box = 'precise64' | |
| c.vm.network 'private_network', ip: IP[name] | |
| end | |
| end | |
| end | |
| SSHD_CONFIG=<<EOF | |
| Port 22 | |
| Protocol 2 | |
| HostKey /etc/ssh/ssh_host_rsa_key | |
| HostKey /etc/ssh/ssh_host_dsa_key | |
| HostKey /etc/ssh/ssh_host_ecdsa_key | |
| UsePrivilegeSeparation yes | |
| SyslogFacility AUTH | |
| LogLevel INFO | |
| LoginGraceTime 120 | |
| PermitRootLogin yes | |
| StrictModes yes | |
| RSAAuthentication yes | |
| PubkeyAuthentication yes | |
| UsePAM yes | |
| IgnoreRhosts yes | |
| RhostsRSAAuthentication no | |
| HostbasedAuthentication no | |
| PermitEmptyPasswords no | |
| ChallengeResponseAuthentication no | |
| PasswordAuthentication yes | |
| X11Forwarding no | |
| TCPKeepAlive yes | |
| AcceptEnv LANG LC_* | |
| GatewayPorts no | |
| AllowTcpForwarding remote | |
| EOF |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment