From: Christoph H. Larsen
Subject: Re: [Health] SSH tunneling for secure remote GNU Health admin (a.k.a. no VPN, pleeeze!)
Date: Thu, 23 Feb 2012 21:00:50 +0430
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.20) Gecko/20110820 Iceowl/1.0b2 Icedove/3.1.12
Dear Luis,
Thanks a lot for your reply...
On 22/02/12 03:38, Luis Falcon wrote:
> Hi Chris
>
> On Tue, Feb 21, 2012 at 1:45 PM, Christoph H. Larsen
> <address@hidden> wrote:
>> Dear All,
>>
>> Safe remote admin access for GNU Health is an important issue, as remote
>> help and assistance may be required at times. I am no big fan of
>> password-only secured public access, and we do not yet have
>> certificate-secured access easily available for GNU Health.
>> What I do for contraptions like phpPgAdmin and friends is that I simply
>> deploy an SSH tunnel. I tried the same for the Tryton client, issued on
>> my local (remote) Linux workstation - something along the lines of:
>>
>> ssh -i ~/.ssh/id_rsa_[ssh_user_name] -L 8001:127.0.0.1:8000 -N -t -v -x
>> address@hidden
>>
>> All is fine to the point I am prompted to enter the certificate's
>> password. I then get:
>> ---
>> debug1: Authentication succeeded (publickey).
>> Authenticated to dkgmdc.com ([121.100.52.138]:667).
>> debug1: Local connections to LOCALHOST:8001 forwarded to remote address
>> 127.0.0.1:8000
>> debug1: Local forwarding listening on ::1 port 8001.
>> debug1: channel 0: new [port listener]
>> debug1: Local forwarding listening on 127.0.0.1 port 8001.
>> debug1: channel 1: new [port listener]
>> debug1: Requesting address@hidden
>> debug1: Entering interactive session.
>> debug1: client_input_global_request: rtype address@hidden
>> want_reply 1
>> ---
>> The last line is repeated over and over till timeout occurs.
>>
>> This is what I get in the server's /var/log/auth.log:
>> ---
>> Feb 21 21:07:13 hmis sshd[4219]: Accepted publickey for [ssh_user_name]
>> from 121.100.52.138 port 60013 ssh2
>> ---
>> Not overly helpful, except that I managed to enter the right certificate
>> password ;).
>>
>> I have zero problems using ssh (at the given port) to enter the server
>> via the secure shell, so the server's FreeBSD pf firewall should be
>> perfectly fine.
>>
> That's weird... if you can ssh passwordless to the GNU Health server,
> then you should be able to tunnel.
I have changed the key files, and tried password-less login. Yet, with
both password-less and password-prone keyfiles, I encounter the same error.
>
> I've used many times GNU Health passwordless with port forwarding,
> with my public key in the authorized_keys file of the Health server.
>
> Now, check whether 127.0.0.1 is actually listening on 8000 (try a
> telnet to that port locally), and is not mapped to another interface.
Sure, did that! And it does.
What I get, after successful key file negotiation and (optional)
password entry, is this:
debug1: Entering interactive session.
debug1: client_input_global_request: rtype address@hidden
want_reply 1
debug1: client_input_global_request: rtype address@hidden
want_reply 1
debug1: client_input_global_request: rtype address@hidden
want_reply 1
debug1: client_input_global_request: rtype address@hidden
want_reply 1
debug1: client_input_global_request: rtype address@hidden
want_reply 1
It does, by the way, not make any difference, whether I set ssl_jsonrpc
from True to False in trytond.conf.
>
> Just a thought
>> Any thoughts? I think it would be nice to be able to use ssh tunneling
>> for added remote administration security...
Confused... Anything to do with FreeBSD jails? I shouldn't, as I use
this with other jails, too!
>>
>> Cheers, and thanks a lot!
>>
>> Chris
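An added diagnostic for the kind of `ssh -L ... -N -v` session discussed in this thread (example code, not from the list or the GNU Health project). An idle `-N` tunnel logs the local listener and then nothing but session-level requests until something connects to the local port, so the useful test is to poke the local end and then read the verbose output. The log strings matched are the ones OpenSSH prints for local forwards; host names, ports and file names in the comments are placeholders.

```shell
#!/bin/sh
# Classify the state of an OpenSSH local port forward from its `ssh -v`
# output (read on stdin). Prints exactly one word:
#   no-listener     the -L listener was never set up
#   listening       listener up, but no client has connected to it yet
#   remote-refused  a client connected, sshd could not reach the target port
#   forwarded       a client connection was accepted and relayed
diagnose_ssh_log() {
  log=$(cat)
  if ! printf '%s\n' "$log" | grep -q 'Local forwarding listening'; then
    echo no-listener
  elif printf '%s\n' "$log" | grep -q 'open failed'; then
    # e.g. "channel 2: open failed: connect failed: Connection refused":
    # the remote side is not listening on 127.0.0.1:<remote port>
    echo remote-refused
  elif printf '%s\n' "$log" | grep -q 'new \[direct-tcpip\]'; then
    # a direct-tcpip channel is opened per incoming local connection
    echo forwarded
  else
    echo listening
  fi
}

# Usage with placeholder values (run by hand, not part of the test):
#   ssh -i ~/.ssh/id_rsa_user -L 8001:127.0.0.1:8000 -N -v \
#       user@gnuhealth.example 2>tunnel.log &
#   sleep 3; nc -z 127.0.0.1 8001; sleep 1
#   diagnose_ssh_log <tunnel.log
# If the result is remote-refused, confirm on the server (FreeBSD) that
# trytond is bound to the loopback address and not another interface:
#   ssh user@gnuhealth.example 'sockstat -4l | grep ":8000"'
```

A result of `listening` after a genuine client connection attempt means the connection never reached the listener; check that the client really targets 127.0.0.1:8001 and not the remote host.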