A Vagrant environment for experimenting with remote SSH tunnels and port forwarding (one sshd host plus two clients). The accompanying write-up is http://arlimus.github.io/articles/ssh.reverse.tunnel.security
# -*- mode: ruby -*-
# vi: set ft=ruby :
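# Name of the SSH server VM; it also selects the Ubuntu release of its box.
name = 'saucy'

# Static addresses on the host-only network shared by the three VMs.
# Frozen so that nothing can silently repoint a machine after load.
IP = {
  'saucy'   => '192.168.123.123',
  'client1' => '192.168.123.101',
  'client2' => '192.168.123.102'
}.freeze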
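# Build the shell provisioning script for the SSH server VM ("saucy").
#
# The script installs the sshd configuration and, for each client, creates a
# shell-less account (`-s /bin/false`) whose only authorised key is the one
# read from key_path.  With no shell and no password, those accounts can be
# used to open SSH tunnels but not to run commands or log in interactively.
# The returned string is handed to Vagrant's shell provisioner.
#
# @param key_path [String] public key to authorise for every client account
#   (default: the host user's ~/.ssh/id_rsa.pub)
# @param sshd_config [String] contents written to /etc/ssh/sshd_config
#   (default: SSHD_CONFIG, defined at the bottom of this file)
# @return [String] a multi-line shell script
# @raise [Errno::ENOENT] if key_path does not exist
def setup_scenario(key_path = '~/.ssh/id_rsa.pub', sshd_config = SSHD_CONFIG)
  authorized_keys = File.read(File.expand_path(key_path))

  # The heredoc delimiters are quoted ('IOF') so the shell copies the config
  # and the key verbatim instead of expanding any $variable or `command`
  # that happens to appear in them (e.g. in a key comment).
  server_part = "cat > /etc/ssh/sshd_config <<-'IOF'\n#{sshd_config}\nIOF\n"

  client_parts = %w[client1 client2].map do |client|
    # useradd without -m: the home directory is created below, root-owned,
    # and only ~/.ssh is handed to the user.  The chmods keep the key
    # material private and satisfy `StrictModes yes`.
    <<EOF
useradd -s /bin/false #{client}
mkdir -p /home/#{client}/.ssh
cat > /home/#{client}/.ssh/authorized_keys <<-'IOF'
#{authorized_keys}
IOF
chown -R #{client}:#{client} /home/#{client}/.ssh
chmod 700 /home/#{client}/.ssh
chmod 600 /home/#{client}/.ssh/authorized_keys
EOF
  end

  server_part + client_parts.join("\n")
end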
# Configuration format version passed to Vagrant.configure; "2" is the
# current Vagrantfile API and should only be changed deliberately.
VAGRANTFILE_API_VERSION = '2'
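Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
  # The SSH server the clients tunnel into.  It receives the experiment's
  # sshd_config and the two shell-less client accounts from setup_scenario.
  config.vm.define name do |c|
    # Every Vagrant virtual environment requires a box to build off of.
    c.vm.box = "#{name}64"
    # Fetch the box over TLS: a cleartext download with no checksum lets
    # anyone on the path substitute the VM image.  `current/` is not pinned
    # either; set box_download_checksum if repeatable, verified runs matter.
    # NOTE(review): saucy is long EOL, so this image may no longer be hosted.
    c.vm.box_url = "https://cloud-images.ubuntu.com/vagrant/#{name}/current/#{name}-server-cloudimg-amd64-vagrant-disk1.box"
    # fetch raises KeyError on an unknown name instead of passing nil on.
    c.vm.network "private_network", ip: IP.fetch(name)
    c.vm.provision "shell", inline: "apt-get update"
    c.vm.provision "shell", inline: "apt-get install -y openssh-server"
    # setup_scenario reads the host user's public key when this block is
    # evaluated, so the key must exist before `vagrant up`.
    c.vm.provision "shell", inline: setup_scenario
  end

  # Two plain clients on the same private network.  The block parameter is
  # called `client` so it does not shadow the outer `name` ("saucy").
  %w[client1 client2].each do |client|
    config.vm.define client do |c|
      c.vm.box = 'precise64'
      c.vm.network 'private_network', ip: IP.fetch(client)
    end
  end
end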
# sshd_config written to the server VM by setup_scenario.  Built from a line
# array so each directive can carry a note; the resulting string is one
# directive per line with a trailing newline, exactly as the config file.
# Several settings are deliberately loose because this is a throwaway lab
# for the tunnel experiment -- do not reuse them on a real host.
SSHD_CONFIG = [
  'Port 22',
  'Protocol 2',
  'HostKey /etc/ssh/ssh_host_rsa_key',
  'HostKey /etc/ssh/ssh_host_dsa_key',  # NOTE(review): DSA host keys are refused by default in OpenSSH 7.0+
  'HostKey /etc/ssh/ssh_host_ecdsa_key',
  'UsePrivilegeSeparation yes',
  'SyslogFacility AUTH',
  'LogLevel INFO',
  'LoginGraceTime 120',
  'PermitRootLogin yes',                # lab only; set to "no" anywhere else
  'StrictModes yes',                    # sshd rejects keys under a group/world-writable ~/.ssh
  'RSAAuthentication yes',              # SSH-1 era option; modern OpenSSH ignores it
  'PubkeyAuthentication yes',
  'UsePAM yes',
  'IgnoreRhosts yes',
  'RhostsRSAAuthentication no',
  'HostbasedAuthentication no',
  'PermitEmptyPasswords no',
  'ChallengeResponseAuthentication no',
  'PasswordAuthentication yes',         # lab only; the accounts setup_scenario creates have no password set
  'X11Forwarding no',
  'TCPKeepAlive yes',
  'AcceptEnv LANG LC_*',
  'GatewayPorts no',                    # remote-forwarded ports bind to loopback on the server only
  'AllowTcpForwarding remote'           # the experiment: permit -R tunnels, refuse -L / -D forwarding
].join("\n") + "\n"