On 2020-09-16, Grant Taylor <
gta...@tnetconsulting.net> wrote:
> On 9/16/20 2:57 AM, William Unruh wrote:
>> Not sure what you mean.
>
> I'm referencing group membership to control access to files. So if
> "grant1" is allowed to access a file, but I us an alternate user,
> "grant2" to connect to the system, then I can't directly access the
> necessary file.
No, that is not what I mean. Set up a user named sshtunnel on both
systems, laptop and desktop. SEt it up so that sshtunnel can log into
desktop with public key. Then run the autossh .... as user sshtunnel
You NEVER again use the user sshtunnel. In particular you do not use
sshtunnel to log onto the desktop. You use your grant2 to log on and do
everything you want.
The autossh will have opened a local port on the desktop, lets say it is
port 7952. When you want to run rsync on desktop to trasfer stuff to the
laptop you do not connect to laptop, you connect to localhost on the
desktop and port 7952. You can do this as any user on the destop You do
not need to use user sshtunnel.
ssh -p 7952 localhost or ssh -p 7952 127.0.0.1
will connect you to the laptop.
If you want to rsync, then
rsync -av --progress --rsh="ssh -p 7952" /file/you/want/to/tansfer localhost:/file/location/on/laptop/
>
>> If I open a path (from) you(r) desktop to your laptop as user A,
>> then user B can use that path on the desktop to go to your laptop. I
>> do it all the time.
>
> "path" can mean multiple things in this context. It can be the network
> communications path (TCP / ProxyCommand) or it can be who is allowed to
> log in over an SSH connection. It's quite possible that both A and B
> can establish a TCP connection but that only A will be allowed to log in.
>
>> user a on compute 1 opens a path between compter 2 to 1 by logging
>> in on 1 and running that autossh command Then user B on 2 can use
>> that to ssh into 1.
>>
>> In particular user B can use rsync to transfer files from 2 onto 1.
>
> Just because B can start an SSH session from 2 to 1 does not mean that B
> can log into 1. It's entirely possible that the SSH daemon running on 1
> will prevent B from logging into 1, thus stopping B in their tracks.
Yes. And? Of course if you have set up your laptop to disallow B logging
in then B cannot log in. But if you want B to be able to log in, or to
transfer files via rsync, then let B log in!
>
>> So what problem do you forsee?
>
> Many.
So far you have not mentioned even one.
>
>> What do you mean by "Crossing user contexts"?
>
> See above.
We seem to be talking completely past each other.
Perhaps you should try what I suggest and see how it works, and whether
the potential problems you seem to be secretly forseeing are actually
problems.
ssh tunnelling in this context simply means that you can set up the two
systems so that you can ssh from the desktop to the laptop even if the
laptop is behind a NAT router, and you cannot access it from the net and
use it for things like rsync files from the desktop to the laptop. That
was the problem I thought you were trying to solve, but your solution
had undesirable features.
What I am giving you is a way to accomplish what I thought you wanted
without those undesireable features, which I use daily, and have never
run into problems. But you seem to be misinterpreting what I say and
forseeing problems.
To again go through the procedure.
On both desktop and laptop install a new user sshtunnel. Set up
sshtunnel with a public key on the laptop, and place the public part of
that key (eg the contents of ~sshtunnel/.ssh/id_rsa.pub on the laptop) into ~sshtunnel/.ssh/authorized_keys
Now, log into sshtunnel (or use sudo to log into sshtunnel) and run
autossh -f -M0 -nN -R 7952:localhost:22
desktop.domain.name
This will set up a tunnel from the desktop to the laptop with
localhost -p 7952 being a direct connection from the desktop to port 22
on the laptop. Now anyone can use that to connect to the port 22 on the
laptop to connect via ssh to the laptop
Ie,
ssh -p 7952 127.0.0.1
would be the same as doing
ssh <IP address of laptop>.
But of course that laptop usually does not have a internet address-- it
is hidden behind a NAT router, with no way to get a packet to the
laptop.
This would be true for anyone, not just user sshtunnel, on the desktop.
This includes user grant2.
If instead you wanted to sent mail to the laptop via port 25 on the
laptop, you could create a tunnel from some other port on the desktop
(ie not 7952 since that is used for ssh in my example) to port 25 rathr
than 22.
Note that you do NOT have to use public key to do all this. You could do
everything without public key logon from laptop to desktop. In that
case, ssh would ask you for a password when it attempted to connect as
user sshtunnel.
Exactly what would happen if the ssh connection dropped and autossh
restarted it I do not know, since it would be hard for ssh, running in
the background, to ask for a password. But I leave you to figure that
out.
If someone got your laptop, the most they could do is to log onto your
desktop as user sshtunnel. I would assume you have set up your desktop
so that user sshtunnel cannot do much.
Note that you would not need to use autossh, but could do it directly
with ssh itself. It just would not restart the tunnel if something
caused the connection to drop. Then you could log in as sshtunnel, run
the ssh command to open the tunnel, and if the connection went down, you
would have to bring it back up yourself.