It needs to go into the file called, /home/tunnel/.ssh/authorized_keys. Now we need to place a copy of the public key on to the server system. The second file is the public key, which can be distributed freely. The first is the secret key, which should be kept secure. The result will be two files in the /home/tunnel/.ssh directory called id_dsa and id_dsa.pub. It will also ask for a password, but this isn’t needed.
When you execute the ssh-keygen command, it will offer to create the keys in the /home/tunnel/.ssh directory. The comment will be added to the end of the public key, and is useful for keeping track of what key belongs to what system. The last parameter, indicated by -C is purely a comment and doesn’t affect the use of the keys. This can be done by executing the ssh-keygen utility while logged in as the tunnel user like so: ssh-keygen -t DSA -b 1024 -C example uses DSA, although you could use RSA. The user on the client side will need to create SSH keys. They shouldn’t have any special privileges, but they need to have a home directory (assumed to be /home/tunnel) and the ability to run a command shell. We’ll assume we’ve done that and called them simply, tunnel on both.
It’s useful to establish dedicated users on each machine. $IPTABLES -A OUTPUT -d $IP_SERVER -p tcp -dport 22 -m state -state NEW -j ACCEPT # Accept inbound packets that are part of previously-OK’ed sessions On the client side, the iptables script might include the following entries: IP_SERVER=1.2.3.4 $IPTABLES -A INPUT -s $IP_CLIENT -p tcp -j ACCEPT -dport 22 -m state -state NEW $IPTABLES -A INPUT -m state -state RELATED,ESTABLISHED -j ACCEPT So the iptables script on the server might contain something like this: IP_CLIENT=5.6.7.8 The tunnel will be instigated by the client. Let’s use the standard port for SSH (i.e., port 22). The first step is to open the firewall for SSH communications between the systems. We’ll also suppose that there are tightly configured iptables firewalls on both systems. Suppose further that the client is on a host named,, with an IP address of 5.6.7.8. For the examples here, let’s assume that there is a database server running on a host named,, with an IP address of 1.2.3.4. This article suggests a simple approach which is adequate in many situations. There are various ways to implement an SSH tunnel. Traffic through an SSH tunnel is encrypted with all of the security of the SSH protocol, which has a strong track record against attacks. Although SSL often may seem to be the best option, SSH tunnels are in fact easier to implement and can be very effective. When you want to connect a client to a database server through an insecure network, there are two main choices: use SSL or use an SSH tunnel.
0 kommentar(er)
