Multiple SSH Connections Through Router
 

Scenario: office with NetGear router (static IP, NAT addressing), behind which are 12 Macs running latest version of Panther (with fixed/static internal IP addresses), and no OSX server. Home Macs are running either Jaguar 10.2.8 or the latest version of Panther.

I enabled SSH remote login on the Mac at my desk (behind the router), and forwarded port 22 on the router to that Mac's IP address. From home, I can now login and mount my entire harddrive (or just my home directory) if I "connect to server" in the Finder's "Go" menu and then type "ssh_usershortname@publicIPaddress" (the underscore is a space). This connection is using port 22, and all works well.

Question 1: is there anything I can do to use this same approach to login to more than one Mac on the office network? For example, can I forward port 1200 to a different Mac, and then connect using SSH via port 1200 (instead of port 22)? Ideally, I would like to be able to do this for each Mac on the work network, so I would need to be able to set up SSH connections on 12 different forwarded ports.

Question 2: similar to question 1... what about setting up other employees to make SSH connections from their own homes to to their work Macs? No other employees need to make multiple SSH connections like I do. Can the default SSH port 22 on their home Macs be permanently changed to a different port number? If so, each employee could then login to their work Mac the same way I can now login to mine (except they'd each be connecting via a different port number unique to them).

One last note -- I'm the only one who resembles a geek at the office, so the preferred way for these employees to login is using the Finder's "Go" menu as I described, rather than some terminal/unix/sudo complex method. With some help, I'll do whatever initial grunt work is necessary so that they can login easily per above.

Thanks!
GS

ermm easy solution...

find an old Mac I use a G4 400, and set it up with a VPN server and then forward that thru the network... then your home users will just have to point and click...


You can use dedicated VPN hardware too.. depends on how much money you have!! :-)

--Zed :cool:

gsparks:

I do something similar here, but you need a router that allows you to redirect ports.
I set up the router to forward external port 221 to internal port 22, machine 1; external port 222 to internal port 22, machine 2; and so on. Obviously, if you have more machines than forwarding ports in your router it will eventually break. My ssh client saves useful things like connect ports, passwords, ip addresses and the like, so it's one-click connect.

You can also log in to one machine, then ssh from that machine to another inside the network. That way you can access your entire subnet with only one machine exposed to the internet.

zed:
how'd you set up the VPN server?

Zed – my employer doesn't want to install a VPN server in-house, which is why I'm looking for a SSH solution. Call him paranoid, but he's made this decision, and I need to work around it.

Acme – are you saying that I would forward port 221 to "192.168.1.5:22" (or whatever other internal IP address I need to use)? And then 222 to "192.168.1.12:22"? And so on for all my internal IPs?

If so, how do I set up the client (home) Mac so that SSH communicates with the router on port 221 or 222 or xxx? As I understand it, the default port setting is 22.

Thx!

ssh -p 222 username@domain.foo

Thanks Yellow!

Do have have the router forwarding right?
222 –> localIPaddress:22
(e.g. 192.168.1.30:22)

I'm pretty sure that's what acme meant. The only additions I would make to his suggestion is to look up the assignments for ports on IANA, just to make sure that you're not choosing a port that might be needed for something later. I also would suggest going with higher, unassigned ports. 5CrIp7 kIdDi35 (In haxorese) who are new to nmap or it's ilk tend to use the defaults and the default generally scan below the 6500 range of ports.

Although I understand the reason for not installing the VPN, I would have to say that the security on a VPN can and would be much higher than all these SSH tunnels..

Each Mac with an SSH port would need to be individually secure.. ie users passwds etc must not be obvious...just one "test" account would create a major security breach...

On a VPN host:

a. all logins would pass through it thus everything can be logged..
b. only those people with accounts on the VPN host would be permitted through... NO "test" accounts.
c. the VPN host can strict the access granted to each user.
d. much easier to manage.


Well I have several VPN systems.. I have a Panther Server on which I just ticket the box to start the VPN server...
I also have a CISCO PIX501 little VPN box... both work very well.. nether have ever given any security concerns..

I do understand where you are coming from with the security issues but I think you might want to rethink it...

--Zed :cool:

Zed, you're preaching to the choir!!

GS

The best way I've found of getting upper management to buy into something is it either give them overwhelming evidence or to make them think that it was their idea in the first place :D

---Zed :cool:

That's exactly what I meant. The external port can be anything you want (including 'reserved' ports) as long as you are not using the reserved service. You've got 65000+ ports to play with. You can also tunnel other services through the same port if you are running out of available forwards in your router. i.e. if you have 10 forward slots and 10 computers, you are going to fill them all up with ssh. If you want to use AFS you just tunnel the AFS port through the ssh port.

Hmmm... not working... here's what I've done:

Home client #1
Connect to server in finder and type --> ssh username1@WANIP
Router has port 22 forwarded to internal LANIP#1
Connection with LANIP#1 perfect
(LANIP#1 Mac has remote login port 22 open)

Home client #2
Connect to server in finder and type --> ssh -p 1501 username2@WANIP
Router has port 1501 forwarded to internal LANIP#2
(LANIP#2 Mac has remote login port 22 open and custom port 1501 open)
But, connection is actually made with LANIP#1 instead of LANIP#2

The idea here is to enable a couple of SSH connections through the router at the same time, but using different ports so that different home clients can get through to different internal company macs. Apparently the instruction I'm typing isn't sending out SSH on port 1501 to the router? What am I missing, cause I know it's something...??

:-)

GS

This sounds like you have not configured the target system to run it's SSH deamon on port 1501..

try this...

sshd -p 1501

Then go home and try to connect again.

--Zed :cool:

I think zed's got it here - you did not say you forwarded EXTERNAL port 1501 to INTERNAL port 22, lan ip #2. Your router may not even have this option, but if it does you don't have to muck about with the server daemon processes.

Think of the router as a patchboard - one plug for each port, but there's no reason for the numbers to match up. Mix the patchcords as you need to, but only one per port/local ip.

You said you are doing this in the Finder? The Finder might not interpret the full ssh command - I've never tried it that way (anyone else?) Try it in the shell first.

OK... here's where I am in understanding this:


1) On Router:
a - forward port 22 to LANIP#1
b - forward port 1501 to LANIP#2
(This router doesn't have any other forwarding options with
regards to external vs. internal ports)


2) On LANIP#1
a - open firewall port 22 (enable remote login)


3) On Home Client #1
a - open Connect to Server and type "ssh username1@WANIP"
(This works properly right now already)


4) On LANIP#2
a- open Terminal and type "sshd -p 1501"
(This tells the target system to use incoming 1501 for SSH?)

b - open firewall port 1501 (keep 22 closed?)

c - do I have to repeat step "a" each time the system is restarted,
or does this permanently change the SSH mapping?


5) On Home Client #2
a - open Connect to Server, type "ssh -p 1501 username2@WANIP"
(This tells the client to send SSH out on port 1501)


It's important to note that the home users are computer boneheads... they want SIMPLE connections to work systems. I can do the legwork, but then each time they connect, they don't want to have to open Terminal, etc.

If home client #2 can't connect using the finder's Connect to Server option, and instead really requires Terminal for the "ssh -p 1501..." command to work, is there a way to create an AppleScript so that the user can simply double click an icon to make the connection? Provided I can get the connection to work in the first place, that is...

One more question... right now, using Home Client #2, typing the "ssh -p 1501 username2@WANIP" results in the router connecting with LANIP#1 (port 22 is forwarded to LANIP#1). This seems to me to indicate that Home Client #2 is sending the SSH out on port 22 instead of 1501 despite the command. If so, it seems that any other port forwarding on the router and sshd command on machines other than LANIP#1 are fruitless until I can get Home Client #2 to send out SSH on port 1501... is this right?

Thanks!
GS

hiya,

my sshd -p 1501 is just for testing.. if it works then you can edit the sshd.conf file but rather than messing with that lets just get the basics working...

I really don't think the "connect to server" window will allow you to enter "ssh..." to it...

you can write a very simple applescript to make the ssh tunnel and connect to the remote host... depending on how advanced you want you can hardcode the passwds, ask the user or take them from the keychain.

--Zed :cool:

Here's where my UNIX inexperience hurts...

I went to terminal on LANIP#2, and typed "sudo sshd -p 1501"

Here's what came back:

RICH:~ administrator$ sudo sshd -p 1501
Could not load host key: /etc/ssh_host_key
Could not load host key: /etc/ssh_host_rsa_key
Could not load host key: /etc/ssh_host_dsa_key
Disabling protocol version 1. Could not load host key
RICH:~ administrator$

I'm not sure what to do next (heck, I don't even know how to edit the sshd.config file)...

it is good to stick to IANA's advice on this (setting the port forwarded port to > 49152?):
i'm glad i saw this post -- i'm going to setup my firewall so i can access two more computers!

i am a bit intrigued by the VPN setup. i have a sonicwall firewall w/ VPN capability. how hard is it to setup? anyone have a diagram of how to set it up (simliar to zed's 'port forwarding' protocol i found through a link in his profile). i guess i'm just confused on how VPN access really works.

About the firewalls - it seems you have them activated on all the lan machines - go turn them all off, at least until the network is up and running. Firewalls behind a nat router really don't do much unless you are worried about your co-workers hacking each other.

Linksys routers will easily do port-change forwarding, but it's not obvious. They call it pnp forwarding. Did you check ALL the router's config pages? It's going to be a headache otherwise.

CAREFULLY read the manual for sshd - unless you can get another router, changing the listen port is your only option.

from my /etc/sshd_config file:

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.

#Port 22
#Protocol 2,1
#ListenAddress 0.0.0.0
#ListenAddress ::

# HostKey for protocol version 1

remove the '#' (the line is inactive with that character at the beginning) and change the port number. Turn off the firewall and reboot.

Ok well check this out and let now if it clears things up a little :D

http://macosx.miraworld.tv/vpn

I just wrote this so forgive me if I miss some bits but I think it's complete... the 45mins it took to write it...

Cheers,

---Zed :cool:

If that's the case you should write ~/.ssh/config files for each user.

There are other options -- check man ssh_config for the rest.

Now your user can just type 'ssh work' to start the connection.

Thats a good idea... tho I think for real bone heads I would write a little applescript.. then all they have to do it click...

--Zed :cool:

My router is a NetGear WGR614 v3... it allows me to do port forwarding to any internal IP address: For example, it will forward 1501 --> 192.168.0.5. But, it won't do 1501 --> 192.168.0.5:8080.

Do I need a router that can do more than forward 1501 --> 192.168.0.5 ?


Good idea... I'll turn them off for the time being.


So, it looks like this is how I'll edit the private>etc>sshd_config file on each internal work Mac so that it will listen for SSH on Port 1501 (or whatever port number I assign):

Port 1501
#Protocol 2,1
#ListenAddress 0.0.0.0
#ListenAddress ::

And, I'll write a custom config file for each home user's machine that reads per the instructions given. Where exactly should I locate this file, should it be invisible, and exactly how should I name it?

I appreciate the hand-holding here.

GS

I have the same WiFi router at home.

What you can do is change the ssh port for the machine that it's being forwarded to. Edit the port in /etc/ssh_config to match the port coming from the router. This should make the machine answer ssh requests without having to get a new router that forwards port to port. This will, however "break" ssh behind the WiFi router. If you want to ssh from one machine inside the router to another, you have to know and remember which port sshd is listening on the remote machine. I don't know if you can specify 2 different ports for ssh to listen on in /etc/ssh_config.

Another way would be to set up port forwarding on the destination machine. Set up a forward that any request coming to port 1501 automatically gets redirected to port 22. I think that would work too. Again, you should be able to do this in /etc/ssh_config. Read the man pages for ssh_config for more info about the settings.

That firewall/router will be just fine..

It will forward connections from the internet on specific ports to Internal systems on the same port..

--Zed :cool:

Right... understood... and the above edits I wrote about should do this.


I don't know how to do this (yet), but this seems like it would solve both problems at the same time... I'll look into this... thanks!

GS

Ooops! Yep, you sure did! :)

OK... so I need more hand holding than I thought... could someone direct me to a good place to learn how to forward external listening ports on a system to another internal port?

I'm beginning to think I need to enroll in some kind of a OSX Unix class somewhere to learn this stuff... any suggestions?

this is what i do and i like it from a security stand point, but then again i am the only one that logs on from the outside world.

Believe it or not, I was actually getting to that point... :-)

Thanks everyone for the great advice and response to this thread.

We've finally decided that we are:

1) NOT going to SSH to each machine from outside

2) NOT going to utilize VPN pass-through to a VPN server inside

3) ARE going to buy a VPN-endpoint router than can support multiple VPN IPSec tunnel connections directly to the router, from which the home user can access his work machine and all other network resources.

We're looking at buying the NetGear ProSafe FVS318 VPN Firewall. I'd love some comments or feedback from anyone familiar with this device. I've heard great things on this side, but always will consider more info.

We're also considering using our existing NetGear WGR614 as a second router on the network for the sole purpose of providing fast wireless access to the network (rather than purchasing a much more expensive wireless VPN firewall and getting rid of the existing wireless router).

In setting up the wireless router (which will no longer be the primary router on the network), would I assign it a unique IP address on the new VPN router, and then use the wireless router's DCHP server to dynamically assign wireless IP addresses? Just looking for some suggestions here so that I can minimize potential problems.

Thanks again!!!!

Well I have to say that you've made the right choice... I know it means spending money but in the end the extra security and functionality will be worth it...

I'm also glad that with all the discussion we did not put you off completely! :D

I've not tried that router that you suggest, but I'm sure others here have....

As for using the existing wireless router.. well you can still use it and just turn off the DSL routing side and instead point it at the new firewall/router.. it does not matter which one does the DHCP/DNS... as long as one of them does and not BOTH :)

Try drawing a network diagram so that you are clear how things will connect up, and maybe post it here for comments..I use omnigraffle for my diagrams.

Cheers,
--Zed :cool:

OK... I did the deed... I just purchased a NetGear FVS318 VPN Firewall router for my company office, and I have a NetGear WGR614 router at my home.

I've successfully made an IPSec VPN connection from my home to the office (using VPN Tracker client software). And, I can successfully reach any of the internal systems at the office (all running OSX Panther) by typing their local private/NAT IP address in the finder's "Connect to Server" window after the VPN connection with the router is made.

However, I am unable to "browse" the office network, or have any of the office systems show up in Rendezvous (i.e. iChat), or see any of the network/shared printers.

The office VPN Firewall router has local address 192.168.0.1, and the home router has local address 192.168.2.1. Both home and office use subnet 255.255.255.0.

Can anyone suggest a way to browse the office network (i.e. using in the connect to server window OR the network icon in a finder window)? Do I need to reset the home router address to one compatible with the office network (e.g. 192.168.0.99)? And if I do that, do I need to turn off the DHCP server on the home network to prevent conflicts? (FYI, both routers have RIP capability for multiple router communication, but I've got no clue how to use that yet).

Or is this functionality not possible on OSX using VPN? I have enabled NetBIOS on the VPN Firewall, but that didn't make a difference (and we're not using Winblows systems anyways). I was hoping that the home user would have the same experience as if he were sitting in the office at work... including printing to printers around the office and iChatting with co-workers at their desks (I know we can do Internet iChat via AIM, but I'm trying to avoid that).

Thanks!!
GS

It just dawned on me that I was so happy to make the VPN connection yesterday, that I didn't check to see if there was a firewall problem preventing me from browsing the office network...

I know that I need 5297-98 open for iChat, but are there other ports I need to open to browse the network and see printers? Or does that all come in through port 500 (IPSec VPN connection)?

Thanks again!
GS