Sysadmin adventures: success, glorious success (also ssh tunnelling is awesome)

So I’m pretty happy with myself: I’m sitting in the airport, well off my home network, and all my stuff is still working. That includes the mail server config I hacked up extensively to work with multiple users (never something I bothered to deal with before), and FreeIPA-based auth for almost all my services.

I had a bit of a scare when I got to the gate, went to twiddle my web server config a bit, and realized I hadn’t set up the ssh pubkey for this laptop as an authorized key in FreeIPA. I forgot I’d created a new key for my new laptop (the Dell that’s sitting in the depot waiting for my “Windows password…”) and set that one as an authorized key. For a minute I thought I was utterly locked out of interactive access.

Then I realized, damnit, there’s always a way, and remembered I had trusted my phone, so ‘all’ I had to do was stick my old laptop’s pubkey on that, connect to a system on my local network from the phone, add the laptop’s pubkey to its local authorized_keys (which is still read along with the ones from FreeIPA), ssh into that system from my laptop, issue myself a kerberos ticket, and use ‘ipa’ to enrol the laptop’s pubkey in the central store, and I was back in business. Simple, eh? :)

I also have no goddamn idea how I never got around to figuring out ssh tunnels until now. I’ve been using Linux for…er…15 years. Here is the Dumb Monkey’s Simple Guide To Ssh Tunnelling:

ssh -D 9001 (some_system_on_a_network_you_want_to_get_at_something_from)

now configure your browser (or other tool) to use a SOCKS proxy on port 9001, possibly hack up /etc/hosts for things that insist on rewriting the hostname you’re trying to access them by (koff koff ipa), and you can get at stuff ‘behind the firewall’ on the network you ssh’ed into. Specifically, by ssh’ing into one of the systems on my network that I allow external ssh access to, I can access the FreeIPA web interface or my router’s web interface, even though both are behind the firewall. That simple. I really ought to have worked that one out earlier.
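One way to avoid pointing the whole browser at the tunnel is a proxy auto-config (PAC) file that sends only the home network’s hosts through the SOCKS listener and everything else direct. The following is an added example, not something from the original post: the `.home.example` suffix, the `192.168.1.` address prefix and the port 9001 are assumptions you would replace with your own. It uses plain string matching rather than the PAC helper `isInNet()`, because that helper makes the browser resolve the hostname locally, which hands the lookup to whatever network you are sitting on even when remote DNS is enabled for the proxy.

```javascript
// Added example PAC file for the "ssh -D 9001" tunnel: route only home-network
// hosts through the SOCKS listener on the laptop, everything else goes direct.
// Domain suffix, address prefix and port below are assumptions, not the post's.
var SOCKS_PROXY = "SOCKS5 127.0.0.1:9001"; // where ssh -D 9001 listens on the laptop
var HOME_DOMAIN = ".home.example";          // assumed internal DNS suffix
var HOME_NET = "192.168.1.";                // assumed internal /24, as a literal prefix

// Suffix check that works in any PAC engine (no String.prototype.endsWith needed).
function hasSuffix(s, suffix) {
  return s.length >= suffix.length && s.slice(-suffix.length) === suffix;
}

// Decide purely on the hostname string: no isInNet()/dnsResolve(), so the PAC
// evaluation itself never triggers a local DNS lookup for home-network names.
function isHomeHost(host) {
  host = host.toLowerCase();
  if (host === HOME_DOMAIN.slice(1)) return true;        // bare "home.example"
  if (hasSuffix(host, HOME_DOMAIN)) return true;         // "*.home.example"
  if (host.indexOf(HOME_NET) === 0) return true;         // literal 192.168.1.x
  return false;
}

// Entry point the browser calls for every request.
function FindProxyForURL(url, host) {
  if (isHomeHost(host)) {
    // Deliberately no "; DIRECT" fallback: if the tunnel is down, requests for
    // internal names should fail rather than leave the laptop unproxied.
    return SOCKS_PROXY;
  }
  return "DIRECT";
}
```

Point the browser at this file (Firefox: Automatic proxy configuration URL; a `file://` URL works) and, for the remote-DNS behaviour, still set `network.proxy.socks_remote_dns` to true so the names that do go through the tunnel are resolved on the far side. The `/etc/hosts` override from the post is then only needed for tools that do not honour the proxy at all.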

3 Responses

  1. Chris Smart, September 30, 2013 at 3:00 am

    Another handy thing in Firefox if you’re going to use a proxy is to send your dns requests through that. Then whatever network you’re on won’t see what you’re looking up, either.

    about:config
    network.proxy.socks_remote_dns;true

    -c

  2. kpuc, October 8, 2013 at 8:32 am

    Plus, you can use ssh compression — can be handy when the pipe the tunnel uses is smaller than the pipe the remote host has (if you are, say, tunneling your browser…)
