Re: [Health] SSH tunneling for secure remote GNU Health admin (a.k.a. no VPN, pleeeze!)
Tue, 21 Feb 2012 20:08:53 -0300
On Tue, Feb 21, 2012 at 1:45 PM, Christoph H. Larsen
> Dear All,
> Safe remote admin access for GNU Health is an important issue, as remote
> help and assistance may be required at times. I am no big fan of
> password, only, secured public access, and we do not yet have
> certificate-secured access easily available for GNU Health.
> What I do for contraptions like phpPgAdmin and friends is that I simply
> deploy an SSH tunnel. I tried the same for the Tryton client, issued on
> my local (remote) Linux workstation - something along the lines of:
> ssh -i ~/.ssh/id_rsa_[ssh_user_name] -L 8001:127.0.0.1:8000 -N -t -v -x
> All is fine to the point I am prompted to enter the certificate's
> password. I then get:
> debug1: Authentication succeeded (publickey).
> Authenticated to dkgmdc.com ([184.108.40.206]:667).
> debug1: Local connections to LOCALHOST:8001 forwarded to remote address
> debug1: Local forwarding listening on ::1 port 8001.
> debug1: channel 0: new [port listener]
> debug1: Local forwarding listening on 127.0.0.1 port 8001.
> debug1: channel 1: new [port listener]
> debug1: Requesting address@hidden
> debug1: Entering interactive session.
> debug1: client_input_global_request: rtype address@hidden
> want_reply 1
> The last line is repeated over and over till timeout occurs.
> This is what I get in the server's /var/log/auth.log:
> Feb 21 21:07:13 hmis sshd: Accepted publickey for [ssh_user_name]
> from 220.127.116.11 port 60013 ssh2
> Not overly helpful, except that I managed to enter the right certificate
> password ;).
> I have zero problems using ssh (at the given port) to enter the server
> via the secure shell, so the server's FreeBSD pf firewall should be
> perfectly fine.
That's weird... if you can ssh passwordless to the GNU Health server,
then you should be able to tunnel.
I've used GNU Health passwordless with port forwarding many times,
with my public key in the authorized_keys file of the Health server.
Now, check whether 127.0.0.1 is actually listening on 8000 (try a
telnet to that port locally), and is not mapped to another interface.
Just a thought
> Any thoughts? I think it would be nice to be able to use ssh tunneling
> for added remote administration security...
> Cheers, and thanks a lot!
> Dr. Christoph H. Larsen
> synaLinQ (Vietnam) synaLinQ (Kenya)
> P.O. Box 55, Bưu điện NT, 01 Pasteur P.O. Box 1607, Village Market
> Nha Trang, Khánh Hòa Nairobi 00621
> Vietnam Kenya
> Mobile: +84-98-9607357 Mobile: +254-753-632481
> +49-176-96456254 (Germany)
> Fax: +49-231-292734790
> Email: address@hidden
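
The local check suggested in the reply above, as an added example that is not part of the original thread: run on the GNU Health server, it tests whether anything accepts TCP connections on 127.0.0.1:8000, the destination of the `-L 8001:127.0.0.1:8000` forward, and if not, whether the service is reachable on another of the host's addresses. The function names and the hostname-based address lookup are assumptions of this example.

```python
import socket

def probe(host, port, timeout=2.0):
    """Classify one TCP connect attempt: 'open', 'refused', 'timeout' or 'error'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"   # host answered, nothing bound to this address/port
    except socket.timeout:
        return "timeout"   # typically a packet filter silently dropping the SYN
    except OSError:
        return "error"     # e.g. address not reachable from this host

def local_addresses():
    """Non-loopback IPv4 addresses the hostname resolves to (may be empty)."""
    try:
        addrs = socket.gethostbyname_ex(socket.gethostname())[2]
    except OSError:
        return []
    return [a for a in addrs if not a.startswith("127.")]

def diagnose(port=8000, target="127.0.0.1", others=None, timeout=2.0):
    """Decide whether target:port is a usable destination for ssh -L."""
    if probe(target, port, timeout) == "open":
        return "ok", target
    for addr in (local_addresses() if others is None else others):
        if probe(addr, port, timeout) == "open":
            # Service is up but bound to another interface: forward to that
            # address instead, or rebind the service to the loopback address.
            return "bound-elsewhere", addr
    return "not-listening", None

if __name__ == "__main__":
    verdict, addr = diagnose()
    print(verdict, addr or "")
```

A result of `bound-elsewhere` means the tunnel itself is fine and only the forward destination needs to change; `not-listening` points at the service rather than at ssh.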