
Re: [Health] SSH tunneling for secure remote GNU Health admin (a.k.a. no


From: Luis Falcon
Subject: Re: [Health] SSH tunneling for secure remote GNU Health admin (a.k.a. no VPN, pleeeze!)
Date: Tue, 21 Feb 2012 20:08:53 -0300

Hi Chris

On Tue, Feb 21, 2012 at 1:45 PM, Christoph H. Larsen
<address@hidden> wrote:
> Dear All,
>
> Safe remote admin access for GNU Health is an important issue, as remote
> help and assistance may be required at times. I am no big fan of
> password, only, secured public access, and we do not yet have
> certificate-secured access easily available for GNU Health.
> What I do for contraptions like phpPgAdmin and friends is that I simply
> deploy an SSH tunnel. I tried the same for the Tryton client, issued on
> my local (remote) Linux workstation - something along the lines of:
>
> ssh -i ~/.ssh/id_rsa_[ssh_user_name] -L 8001:127.0.0.1:8000 -N -t -v -x
> address@hidden
>
> All is fine to the point I am prompted to enter the certificate's
> password. I then get:
> ---
> debug1: Authentication succeeded (publickey).
> Authenticated to dkgmdc.com ([121.100.52.138]:667).
> debug1: Local connections to LOCALHOST:8001 forwarded to remote address
> 127.0.0.1:8000
> debug1: Local forwarding listening on ::1 port 8001.
> debug1: channel 0: new [port listener]
> debug1: Local forwarding listening on 127.0.0.1 port 8001.
> debug1: channel 1: new [port listener]
> debug1: Requesting address@hidden
> debug1: Entering interactive session.
> debug1: client_input_global_request: rtype address@hidden
> want_reply 1
> ---
> The last line is repeated over and over till timeout occurs.
>
> This is what I get in the server's /var/log/auth.log:
> ---
> Feb 21 21:07:13 hmis sshd[4219]: Accepted publickey for [ssh_user_name]
> from 121.100.52.138 port 60013 ssh2
> ---
> Not overly helpful, except that I managed to enter the right certificate
> password ;).
>
> I have zero problems using ssh (at the given port) to enter the server
> via the secure shell, so the server's FreeBSD pf firewall should be
> perfectly fine.
>
That's weird... if you can ssh passwordless to the GNU Health server,
then you should be able to tunnel.

I've used GNU Health passwordless with port forwarding many times,
with my public key in the authorized_keys file of the Health server.

Now, check whether 127.0.0.1 is actually listening on 8000 (try a
telnet to that port locally), and is not mapped to another interface.

Just a thought
> Any thoughts? I think it would be nice to be able to use ssh tunneling
> for added remote administration security...
>
> Cheers, and thanks a lot!
>
> Chris
>
> --
> Dr. Christoph H. Larsen
> synaLinQ (Vietnam)                      synaLinQ (Kenya)
> P.O. Box 55, Bưu điện NT, 01 Pasteur    P.O. Box 1607, Village Market
> Nha Trang, Khánh Hòa                    Nairobi 00621
> Vietnam                                 Kenya
> Mobile: +84-98-9607357                  Mobile: +254-753-632481
>        +49-176-96456254 (Germany)
> Fax:    +49-231-292734790
> Email: address@hidden
>



-- 
Luis Falcon
GNU Health
http://health.gnu.org
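
The check suggested in the reply above (is anything accepting connections on 127.0.0.1:8000 on the server, or is the service bound to another interface?), written as a small script. This is an added example, not part of the original message or of GNU Health; the function names and verdict strings are hypothetical, and port 8000 is the forward target from the quoted ssh command.

```python
import socket
import sys


def probe(host, port, timeout=2.0):
    """Try one TCP connect; return 'open', 'refused' or 'no-answer'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"       # host reachable, nothing bound to host:port
    except OSError:
        return "no-answer"     # timeout, filtered or unreachable


def classify(results):
    """Turn {address: probe state} into a verdict about the forward target.

    'loopback-ok'        the -L ...:127.0.0.1:<port> target can be reached
    'bound-elsewhere:..' service listens, but not on 127.0.0.1
    'not-listening'      no probed address accepted the connection
    """
    if results.get("127.0.0.1") == "open":
        return "loopback-ok"
    others = sorted(a for a, s in results.items()
                    if a != "127.0.0.1" and s == "open")
    if others:
        return "bound-elsewhere:" + ",".join(others)
    return "not-listening"


def local_addresses():
    """Loopback plus the IPv4 addresses the host name resolves to."""
    addrs = {"127.0.0.1"}
    try:
        addrs.update(socket.gethostbyname_ex(socket.gethostname())[2])
    except OSError:
        pass                   # unresolvable host name: probe loopback only
    return sorted(addrs)


def diagnose(port, addresses=None):
    """Probe every address and classify the combined result."""
    addresses = addresses or local_addresses()
    return classify({a: probe(a, port) for a in addresses})


if __name__ == "__main__":
    # Run on the server itself; 8000 is the tunnel target from the thread.
    port = int(sys.argv[1]) if len(sys.argv) > 1 else 8000
    print(port, diagnose(port))
```

Run on the workstation with port 8001 while the ssh session is up, the same script checks the local end of the forward.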


