Changes between Initial Version and Version 1 of SshProxyNotes

05/24/10 16:19:28 (9 years ago)
ibaldin (IP:
= Setting up SSH proxy tunneling =

This document is a collection of notes on creating SSH proxy tunnels for reaching substrate (e.g. VMs) located in private address spaces from public address spaces.
== SSH Reverse Tunnels ==

SSH tunneling is a generic mechanism for securely making TCP-based services located in private address spaces available to hosts in public address space. This situation arises when, for example, VMs are created on computational substrate that is behind a NAT firewall and external experimenter tools need to connect to these VMs, e.g. to get a command shell.

The proposed setup involves a domain with a NAT firewall and an internal private address space. The hosts inside the domain can originate connections to the public Internet, or at least connect to the NAT host. One or more hosts with public IP addresses must be chosen to be SSH 'proxies'; this could be the NAT host or a different host, depending on hardware. The idea is to provide access to hosts inside the domain (internal hosts) by tunneling their SSH connections through the SSH proxy. Since the internal hosts can be created dynamically, it is more convenient to have them open a 'reverse' SSH tunnel to the proxy host than to have the proxy host open a forward tunnel to each internal host.
== SSH keys ==

(At least) two sets of keys must be used in this scenario:
  1. User keys - needed to give the user access to the internal host. The user's public key must be installed on the internal host (e.g. in .ssh/authorized_keys for the root user). This is normally done by the control framework even today.
  2. Proxy keys - needed to establish the connection between the internal host and a proxy. This SSH keypair (or keypairs) must be generated ahead of time, and the public key installed in the .ssh/authorized_keys of the account used on the proxy host for SSH tunneling. The private key must be installed on the internal host; if it is a VM, it can be installed at the time of VM creation. Since this private key becomes known to the user by virtue of being installed in the VM, it may be necessary to generate a per-user/per-slice dynamic key pair used for all the hosts in the user's slice.
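The three pieces of the reverse-tunnel setup described above (the internal host's tunnel command, the restricted authorized_keys entry for the proxy key on the proxy, and the experimenter's connection through the proxy), as an added example that is not part of the original notes. Host names, account names, the port 2222 and the key path are assumptions; the restriction options assume an OpenSSH sshd on the proxy (permitlisten needs 7.8 or newer).

```sh
#!/bin/sh
# Added example, not code from the wiki page. All names, ports and paths are assumptions.

# Command the internal host runs to open the reverse tunnel to the proxy.
# -N: no remote shell, only forwarding. ExitOnForwardFailure makes the client exit
# (so a supervisor can retry) instead of silently running without the tunnel;
# ServerAliveInterval tears down half-open sessions left behind by the NAT.
reverse_tunnel_cmd() {
    # $1 proxy-side listen port, $2 proxy account, $3 proxy host, $4 proxy private key path
    printf 'ssh -i %s -N -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -R %s:localhost:22 %s@%s\n' \
        "$4" "$1" "$2" "$3"
}

# authorized_keys line to install on the proxy for the proxy key. Because the private
# key ends up inside the VM (and so is known to the user), the key is limited to
# port forwarding: 'restrict' disables pty, agent/X11 forwarding and user rc,
# 'port-forwarding' re-enables only forwarding, and permitlisten pins the one
# proxy-side port the -R request may bind.
proxy_authorized_key_line() {
    # $1 proxy-side listen port, $2 public key material ("ssh-ed25519 AAAA... comment")
    printf 'restrict,port-forwarding,permitlisten="%s" %s\n' "$1" "$2"
}

# Command the experimenter runs. The -R port binds to the proxy's loopback (sshd
# default GatewayPorts no), so the user jumps through the proxy with -J and then
# connects to localhost:<port> there, which is the internal host's sshd. The user
# key authenticates to the internal host; an account on the proxy is assumed.
user_ssh_cmd() {
    # $1 proxy-side listen port, $2 user account on proxy, $3 proxy host, $4 account on internal host
    printf 'ssh -J %s@%s -p %s %s@localhost\n' "$2" "$3" "$1" "$4"
}

# Constructed sample values for a stand-alone run (the key material is a placeholder).
reverse_tunnel_cmd 2222 tunnel proxy.example.org /root/.ssh/proxy_key
proxy_authorized_key_line 2222 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyMaterialPlaceholder proxy-key"
user_ssh_cmd 2222 alice proxy.example.org root
```

The tunnel command is meant to be kept alive by a supervisor (or autossh) on the internal host, since the connection drops whenever the NAT state or the proxy's sshd does.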
== Workflow ==

  1. Generate a proxy SSH keypair.