On 5/28/21 3:31 PM, John Smith wrote:
> I would like to be able to connect from my laptop to my SSH server
> in my internal network, no matter where the laptop may be. However,
> my SSH server accepts connections from specific IP addresses - those
> to do with work - and rejects all others.
I can't tell if the enforcement / filtering of specific IP addresses is
done on the SSH server and / or something between the SSH server and the
Internet.
Is the SSH server running on the router or something downstream / inside
of the router?
> The problem is that I will often try to connect from my laptop when
> it is using an Internet feed that is not the one at work. Is there
> anything I can do at the laptop so that when it tries to connect to
> my SSH server, the connection will be accepted?
You're asking if there is something that a client can do to defeat the
security that a server has in place. I would certainly hope not.
That being said, you can probably make some minor modifications to your
server and your client to allow them to talk.
You can probably also ssh from your client to a work system and then ssh
from there to your home system so that your home system sees your work
IP and allows the connection with the existing filtering / enforcement.
> The obvious solution would be to have an SSH server listening on
> a non-standard port, for this specific purpose.
Obscurity is not security in and of itself. Many things will find SSH
servers on alternate ports on the Internet.
> However, I would prefer to use a solution that requires no changes
> in my SSH server - only in the client in my laptop. Any ideas?
You really want something that requires you make a change, likely small,
to the ssh server and / or router connecting it to the Internet. Then
you make a similar change to your client to dock with the ssh server.
Port knocking and VPNs come to mind.
One thing that comes to mind is making your ssh server available via a
Tor hidden service (with strict security requirements). Tor has the
advantage of being able to reach out to systems on the Internet and
rendezvous without needing to poke holes in firewalls.
I'm sure that there are other VPNs that can do similar. I'm just not
familiar with them.
You can also make changes to your ssh server / router that it's behind to
enable the client to connect and communicate with some form of
authentication. This is also frequently the realm of VPN / port
knocking / single packet authorization.
But you *REALLY* want to have to do /something/ on the SSH server /
router to say that clients with a very specific behavior are allowed in.
If clients could make a change and bypass your security without the
SSH server / router blessing it ... that would be a security fail.
--
Grant. . . .
unix || die
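An added example of the jump-host approach described in the reply above (ssh from the laptop to a work system, then from there to the home server), written as a client-side `~/.ssh/config` so that no change is needed on the home SSH server. This is not from the original thread; the host aliases `work-jump` and `home`, the hostname `jump.example.com`, the user name, the key paths and the address `192.0.2.10` are placeholders.

```sshconfig
# ~/.ssh/config on the laptop (added example; all names below are placeholders)

# The work system whose public IP the home server already allows.
Host work-jump
    HostName jump.example.com
    User jsmith
    IdentityFile ~/.ssh/id_ed25519_work
    IdentitiesOnly yes

# The internal home server, reached through the work system.
# ProxyJump makes the laptop first connect to work-jump and ask it to
# forward a TCP stream to 192.0.2.10:22; the home server then sees the
# work host's source address, so its existing filter admits the connection.
Host home
    HostName 192.0.2.10
    User jsmith
    ProxyJump work-jump
    IdentityFile ~/.ssh/id_ed25519_home
    IdentitiesOnly yes
```

With this in place, `ssh home` from the laptop behaves like `ssh -J work-jump home`, and `ssh -G home` prints the resolved options if you want to check the file. The session to the home server is still authenticated and encrypted end to end between the laptop and the home server: the work host only relays ciphertext, and the laptop still verifies the home server's host key against its own `known_hosts`. The home server's address filtering is left exactly as it is, which is the property the reply insists on.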