ssh port forwarding / security risk

Posted by jcooper on Server Fault See other posts from Server Fault or by jcooper
Published on 2010-04-06T15:05:05Z Indexed on 2010/04/06 15:13 UTC
Read the original article Hit count: 421

Filed under:

ssh

|

port-forwarding

|

security

Hi there,

I want to access a web application running on a web server behind my office firewall from an external machine.

We have a bastion host running sshd that is accessible from the Internet.

I want to know if this solution is a bad idea:

Create an account on the bastion host with shell=/bin/false and no password ('testuser')
Create a ssh RSA key on the external machine
Add the public RSA key to the testuser's authorized_keys file
ssh to the bastion host from the external host using: ssh -N 8888:targethost:80
run my tests from the external host
shut down the ssh tunnel

I understand that if my RSA private key were compromised then someone could ssh to the bastion host. But are there other reasons this solution is a bad idea?

thank you!

© Server Fault or respective owner

Related posts about ssh

Problem with hadoop start-dfs.sh

as seen on Ask Ubuntu - Search for 'Ask Ubuntu'
I installed and configured hadoop on my Ubuntu 14.04 server, virtualized inside of hyper-v, however I am getting an issue when i run start-dfs.sh root@sUbuntu01:/var/log# start-dfs.sh 14/06/04 15:27:08 WARN util.NativeCodeLoader: Unable to load native-hadoop library for your platform... using builtin-java… >>> More
SSH problems (ssh_exchange_identification: read: Connection reset by peer)

as seen on Ask Ubuntu - Search for 'Ask Ubuntu'
I was running 11.10 and decided to do the full upgrade and come up to 12.04 after the update SSH (not SSHD) is now misbehaving when attempting to connect to other OpenSSH instances. I say OpenSSH as I am running a DropBear sshd on my router and I am able to connect to it. When attempting to connect… >>> More
SSH main process ended

as seen on Ask Ubuntu - Search for 'Ask Ubuntu'
I have a running ubuntu server 10.04.1. When I tried to login to the server via ssh, I could not. Instead, I got connection refused error. I tried to ping the machine and I got reply! So, the clear reason is that SSH daemon is stopped. After reboot, I was able to login to my server via ssh. After… >>> More
SSH server not working (respawns until stopped)

as seen on Ask Ubuntu - Search for 'Ask Ubuntu'
I have a running Ubuntu Server 10.04.1. When I tried to login to the server via ssh, I could not. Instead, I got connection refused error. I tried to ping the machine and I got reply! So, the clear reason is that SSH daemon is stopped. After reboot, I was able to login to my server via ssh. After… >>> More
Cannot SSH after resetting firewall on VPS

as seen on Server Fault - Search for 'Server Fault'
I'm having trouble trying to SSH to my Debian 5 VPS with blacknight. It was working fine until I did the following: Logged into 'Parallels Infrastructure Manager' - Container - Firewall - Set to 'Normal Firewall settings'. It told me there was an error with the IPTables and offered the option again… >>> More

Related posts about port-forwarding

Stable reverse port forwarding in SSH and stale sessions

as seen on Super User - Search for 'Super User'
Using VPS to forward ports behind NAT: for((;;)) { ssh -R 2222:127.0.0.1:22 [email protected]; sleep 10; } When connection is broken somehow and it is reconnecting. Warning: remote port forwarding failed for listen port 2222 Linux vi-server.no-ip.org 2.6.18-92.1.13.el5.028stab059.3 #1 SMP Wed Oct… >>> More
port forwarding? [closed]

as seen on Super User - Search for 'Super User'
Possible Duplicate: Configure Modem for Bittorrent downloads any guides on portforwarding? I want to speed up my torrent downloads >>> More
WRT54G - how use port forwarding and VNC

as seen on Super User - Search for 'Super User'
Since I have my home network behind a WRT54G, the router has an external "real" IP address, and the PCs behind it have 192.168.xxx.xxx addresses. I would like to be able to control one of them remotely - preferably using UltraVNC, but I am open to suggestions. Since I can't directly address that… >>> More
Port forwarding - firewall deactivated?

as seen on Super User - Search for 'Super User'
In a Port Forwarding guide I have read I should set port forwarding on my ADSL modem and disable its firewall. Until I did both of this, my torrent client was not visible as a server from outside. However, I am unsure what implications disabling firewall has and why it is needed. Can anyone explain… >>> More
PortForwarding to IIS in Linux

as seen on Server Fault - Search for 'Server Fault'
Hi, I am trying to set up port forwarding on a linux box to a IIS webserver on my internal network. The web server sits on Windows 2003 Server. My linux box has eth0 - Internet connection eth1 - internal subnet (10.10.10.x) eth2 - 2nd internal subnet (129.168.0.x) dhcp interface my webserver… >>> More