(no subject)

May 19, 2011 14:45

I mostly work from home. However, due to stupid IP licensing requirements, much of my work has to be done on a machine physically located in my employer's building. This is OK, because I can login to said machine over the Internet using ssh.

But! My work machine (sentinel) is not visible over the public Internet. First I have to ssh into a gateway machine (rydell), and then ssh from rydell into sentinel. I like to open a lot of xterms at once, and so I'd like this process to be as simple as possible: ideally, I'd like to click one button and get an xterm sshed to sentinel and cd'ed to the directory containing the code I'm currently working on.

Oh, there's another wrinkle: rydell doesn't allow passwordless login using the normal ssh public key infrastructure. Instead, you have to use Kerberos. Kerberos is an authentication protocol developed at MIT that utilises zzzzzz...

Sorry, drifted off for a minute there. The key point about Kerberos is that you ask a keyserver for a time-limited session key, which is decrypted locally using your password. This session key is then used to establish encrypted connections to other servers in the same authentication realm. You never have to send your password over the network, and you don't have to distribute your public key to every host you ever want to talk to. So, once I've acquired a session key by typing kinit and then giving it my password, I should be able to log in to any machine on my employer's network (including sentinel) without typing my password again that day. Which is brilliant.

Except sentinel still isn't visible over the public Internet. So I still need to ssh into rydell and then ssh into sentinel from there. Both of these logins are now passwordless, but this is still annoying. Here are some things I've tried to improve the situation:

The simplest thing that could possibly work

pozorvlak@delight:~
0 $ ssh rydell ssh sentinel
Pseudo-terminal will not be allocated because stdin is not a terminal.

Automating the double-login with expect

#!/usr/bin/expect -f
set timeout 30
match_max 100000
spawn ssh rydell
send "\r"
expect "0 " ;# shell prompt on rydell (a bare # is not a comment mid-line in Tcl)
send "ssh sentinel\r"
expect "0 " ;# shell prompt on sentinel
send "cde\r" ;# cd to work directory
interact

This actually works, right until I open a text editor or other ncurses program, and discover that I can't resize my xterm - or rather, that the resize information is not passed on to my programs.

Using sshuttle
sshuttle is a poor man's VPN written by the author of redo. Using the -H option, it allows you to proxy your DNS requests through the remote server's DNS server. So a simple
sshuttle -H -vvr rydell 0/0

at the beginning of the day allows me to ssh directly from my local machine (delight) to sentinel. But! It asks me for my sodding password every single time I do so. This is not what I wanted.

ssh tunnelling
I am too stupid to make sense of the "tunnelling" section of the ssh manpage, but fortunately some Googling turned up this, which describes exactly the case I want.
pozorvlak@delight:~
0 $ ssh -fN -L 9500:sentinel:22 rydell
pozorvlak@delight:~
0 $ ssh -p 9500 pvlak1@localhost
pvlak1@localhost's password:
Last login: Thu May 19 14:31:32 2011 from rydell.my.employ.er
pvlak1@sentinel 14:34 ~
0 $

Yes, my employer is located in Eritrea, what of it? :-) Anyway, you will note that this suffers from the same problem as the previous attempt: I have to type my password for every login. Plus, if the sshuttle manpage is to be believed, tunnelling ssh over ssh is a bad idea performance-wise.

I notice that I am confused. Specifically, I notice that I have the type of confusion that comes from lacking an appropriate conceptual framework for attacking the problem.

Can anyone help?

Edit: Yes! Marco Fontani pointed out that the -t option to ssh allocates a pseudo-terminal, so ssh -t rydell ssh sentinel Does What I Want. Thanks, Marco! And thanks to everyone else who offered suggestions.

Edit 2: hatfinch and simont (who you may recognise as the author of the ssh client PuTTY) came up with an alternative solution. My .ssh/config now contains the stanza
Host sentinel
User pvlak1
ProxyCommand=ssh rydell nohup nc sentinel 22
HostName sentinel.my.employ.er

This doesn't require me to type a password for every login, does allow me to resize ncurses apps, and feels slightly snappier than ssh -t rydell ssh sentinel, so that's what I'll be using from now on. Thanks very much!
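Here is the ProxyCommand idea written up as a small script, so the stanza can be generated for any gateway/target pair and then read back to check what the client would actually run. This is an added example, not the post's or the commenters' code: the hostnames and user are the ones from the post, the function names are made up for this example, and it uses ssh's own -W option (OpenSSH 5.4 and later) in place of nohup nc, so nothing extra has to be installed on the gateway. The point worth noticing is the same either way: the local client does key exchange and authentication end to end with sentinel, the host key is checked under sentinel's real name, and rydell only relays bytes, so it never sees the session and never needs your credentials.

```shell
#!/bin/sh
# Added example, not code from the original post. Generates and inspects an
# ssh_config Host stanza that reaches a machine behind a gateway via
# ProxyCommand. rydell, sentinel and pvlak1 are the post's names; the two
# function names are invented for this example.

# jump_stanza GATEWAY TARGET USER FQDN
# Print a Host block that reaches TARGET through GATEWAY. "ssh -W %h:%p"
# opens a raw TCP connection to the target *from the gateway* and hands it to
# the local client on stdin/stdout, which is what "nohup nc sentinel 22" did
# in the post, minus the dependency on nc being present on the gateway.
jump_stanza() {
    gateway=$1; target=$2; user=$3; fqdn=$4
    cat <<EOF
Host $target
    User $user
    HostName $fqdn
    # The local client does key exchange and authentication end to end with
    # $fqdn; $gateway only relays bytes and never sees the session.
    ProxyCommand ssh -W %h:%p $gateway
EOF
}

# proxy_command_of CONFIG HOST
# Print the ProxyCommand the client would run for HOST, reading CONFIG the way
# ssh does for this keyword: the first matching Host block wins, keywords are
# case-insensitive and may be written "Key value", "Key=value" or "Key = value".
# Exact host names only; the real client also honours wildcard patterns.
proxy_command_of() {
    awk -v want="$2" '
        # A Host line starts a new block; it applies if HOST is one of its names.
        tolower($1) == "host" {
            inblock = 0
            for (i = 2; i <= NF; i++) if ($i == want) inblock = 1
            next
        }
        inblock && tolower($0) ~ /^[ \t]*proxycommand([ \t]|=)/ {
            line = $0
            sub(/^[ \t]*[^ \t=]+[ \t]*=?[ \t]*/, "", line)   # strip the keyword
            print line
            exit
        }' "$1"
}

# Run directly with four arguments to print a stanza, e.g.
#   sh jump.sh rydell sentinel pvlak1 sentinel.my.employ.er >> ~/.ssh/config
if [ $# -eq 4 ]; then
    jump_stanza "$@"
fi
```

On OpenSSH 7.3 and later the whole stanza collapses to a single ProxyJump rydell line (or ssh -J rydell sentinel on the command line), which does the same -W relay internally; the ProxyCommand form above is what works on the older clients the post was written against.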

computers, jobs, lazyweb, beware the geek
