From 211cedccb6865dd7ff3e6ea88ea7c326711b332d Mon Sep 17 00:00:00 2001 From: waldek Date: Tue, 13 Jul 2021 16:05:37 +0200 Subject: [PATCH] adds sshuttle --- modules/qualifying/learning_ssh.md | 42 +++++++++++++++++++++++++++--- 1 file changed, 39 insertions(+), 3 deletions(-) diff --git a/modules/qualifying/learning_ssh.md b/modules/qualifying/learning_ssh.md index 4804ce8..31b6e73 100644 --- a/modules/qualifying/learning_ssh.md +++ b/modules/qualifying/learning_ssh.md @@ -323,11 +323,12 @@ Last login: Tue Jul 13 14:12:18 2021 from 172.30.40.99 We've done quite a bit of SFTP before so we won't go into detail here but if you forgot, go have a look at the networking exercises in the resources directory. I'm mentioning it because it's crucial to remember it's existence in order to understand the next topic, sshfs. +If it's all a bit vague I urge you to read the `man sftp-server`. ## SSHFS Thanks to the sftp subsystem of ssh we can use it to copy files form one system to an other. -Some clever guy's used it to build [sshfs]() which mounts a remote folder into our system so we can use it like a network share. +Some clever guy's used it to build [sshfs](https://wiki.archlinux.org/title/SSHFS) which mounts a remote folder into our system so we can use it like a network share. It's a poor mans NFS that can be a true lifesaver. You'll have to install it onto the client where you want to mount the folder to. This can be done as follows, `sudo apt install sshfs`. 
@@ -365,6 +366,43 @@ bigone.ovpn configuration gitea.service homeserver.yaml linux64.out ➜ ~ git:(master) ✗ ``` +Nice no? +You can even add these mounts to your `/etc/fstab` file! + +## SSHuttle + +SSHFS gives us a poor man's NFS and SSHuttle a poor man's VPN. +Again, this is very handy additional program to install on your ssh **client** which requires no modifications to the ssh **server** you're connection to. +You install it with trusty old `apt`, `sudo apt install sshuttle`. + +Now, what does it do? +It creates a connection to a **remote** ssh server and adds **local** iptable rules to send all (or some) traffic via that remote server onto the internet. +In practice it behaves as a VPN. +To test this out I added an for you to one of my remote servers. +Use the private key I'll give you in class to authenticate yourself as student@sproutsin.space. +The syntax is as follows. + +``` +➜ ssh-keys git:(master) ✗ curl icanhazip.com +85.28.111.118 +➜ ssh-keys git:(master) ✗ sshuttle -r student@sproutsin.space -x sproutsin.space 0.0.0.0/0 --ssh-cmd 'ssh -i student' -D +➜ ssh-keys git:(master) ✗ curl icanhazip.com +51.195.42.244 +➜ ssh-keys git:(master) ✗ killall sshuttle +➜ ssh-keys git:(master) ✗ curl icanhazip.com +85.28.111.118 +➜ ssh-keys git:(master) ✗ +``` + +This might look a bit intimidating but I'll break down the command line options a bit. 
+ +* `sshuttle` is the program you're using to create the VPN (it's a python3 script) +* `-r student@sproutsin.space` is the remote host you want to send your traffic to +* `-x sproutsin.space` is needed to exclude traffic to *that* specific host (the connection would fail otherwise) +* `0.0.0.0/0` is the IP range you want to send through the VPN, in this case it's everything +* `--ssh-cmd -i student` is needed to specify our specific private key (not needed if you use `~/.ssh/id_rsa.pub`) +* `-D` will daemonize the VPN so you can continue to use the shell + ## Tweaking the sshd configuration file All server configuration is done in the `/etc/ssh/sshd_config` file. @@ -396,5 +434,3 @@ Protocol ## Autossh -## SSHuttle -
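Review bot: in the first hunk (`@@ -323,11 +323,12 @@`), the added sentence "I urge you to read the `man sftp-server`" reads better as "read `man sftp-server`" or "read the `sftp-server` man page". The rewritten sshfs line is being touched anyway, so "Some clever guy's" could be corrected in the same change, along with "form one system to an other" in the context line directly above it.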
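Review bot: in the SSHuttle hunk (`@@ -365,6 +366,43 @@`), the option breakdown does not match the command it explains: the bullet shows `--ssh-cmd -i student` while the command passes `--ssh-cmd 'ssh -i student'`, and "not needed if you use `~/.ssh/id_rsa.pub`" names the public key where the default private key `~/.ssh/id_rsa` is meant. Suggest quoting the option in the bullet exactly as it appears in the command and dropping the `.pub`. The sentence "To test this out I added an for you to one of my remote servers" is missing its noun, and "you're connection to", "iptable rules" and "this is very handy additional program" need fixing. Because the text says it "behaves as a VPN" and sends "all (or some) traffic", it should also say that the command shown has no `--dns`, so name lookups still go to the local resolver. The private key handed out in class is shared by every student, so the text could note that the `student` account on the server is meant to be a restricted one.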