Date: Sat, 25 Sep 1999 14:58:56 -0400 (EDT)
From: "Crist J. Clark" <cjc@cc942873-a.ewndsr1.nj.home.com>
To: madscientist@thegrid.net (The Mad Scientist)
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Secure gateway to intranet
Message-ID: <199909251858.OAA39078@cc942873-a.ewndsr1.nj.home.com>
In-Reply-To: <4.1.19990923205643.0095ce70@mail.thegrid.net> from The Mad Scientist at "Sep 23, 1999 09:45:21 pm"
The Mad Scientist wrote,

> All,
> I am looking for a secure way to log into a machine on an intranet.
> Here's what I have in mind.
> A user ssh-es to a machine on the border network. Her shell is a
> script/program that asks for a name of an internal machine, then ssh-es to
> that machine after an authentication. This way, I could only open the
> border and internal routers up to that machine and a proxy server and I
> could have a log of who goes where.

All seems quite reasonable.

> I'd also like to be able to set up
> some kind of acl in the proggie/script that dictates which users can go to
> which machines.

Hmmm... Is there a reason not to just let ssh take care of this for you?
That is, have the hosts on the other end only accept certain users?

> For authentication, a username/pass will do for now, but
> later I'd like to expand it to some kind of one time card. Some kind of
> transparent secure file transfer would also be great.

Why not use the ssh-agent forwarding to do this?

> Now, here's what I am interested in knowing. What would be a simple and
> secure way to implement this. (I was thinking of perl) What sort of
> things should I be wary of when setting this up? Is this even
> advisable?

It would not be too difficult to implement this. Perl? Heck, I'd just use a
shell script.

There really are not enough details to know what you should be wary of: How
many users? Does each have an account on the gateway (or do you want them to
use some common access account)? Are the users "trusted" (if they are, heck,
give 'em a shell to type in the 'ssh internal-host' on their own)? If not,
just how closely do you need to watch these people?

Is it advisable? Well, if the internal network is NATed, this is advisable
since it is about the only way to get in there. If it is not NATed, this may
be more work (and uses some more resources) than just poking some holes in a
firewall to let these people in to certain machines. But still, if these
people do not have fixed IPs, then the firewall might need to be opened a bit
wider than you are comfortable with to let them in.

-- 
Crist J. Clark                           cjclark@home.com
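The "shell script" version of the gateway login shell the thread describes (prompt for an internal host, check a per-user ACL, log the decision, hand off to ssh), written as an added example; it is not code from either poster. The ACL file path, its "user host host..." line format, and the use of logger(1) for the audit trail are assumptions, and the sample ACL is constructed for illustration.

```shell
#!/bin/sh
# gateway-shell: restricted login shell for the bastion host discussed above.
# Assumed ACL format: one line per gateway user, the username followed by the
# internal hosts that user may reach; '#' starts a comment.
ACL_FILE=${GATEWAY_ACL:-/usr/local/etc/gateway-acl}   # assumed location

# acl_allows USER HOST ACLFILE -> status 0 only on an exact whole-word match,
# so the host passed to ssh always comes from the ACL, never from the user.
acl_allows() {
    _u=$1; _h=$2; _f=$3
    [ -r "$_f" ] || return 1
    while read -r _user _hosts; do
        case $_user in ''|'#'*) continue ;; esac
        [ "$_user" = "$_u" ] || continue
        for _cand in $_hosts; do
            [ "$_cand" = "$_h" ] && return 0
        done
    done < "$_f"
    return 1
}
# valid_hostname HOST -> status 0 for a plain DNS name: no leading '-', no
# whitespace, nothing ssh could read as an option or an extra argument.
valid_hostname() {
    case $1 in ''|-*|*[!A-Za-z0-9.-]*) return 1 ;; esac
}
# write_sample_acl PATH: a constructed ACL for trying the checks out.
write_sample_acl() {
    cat > "$1" <<'EOF'
# gateway user   internal hosts this user may reach
alice            db1.internal db2.internal
bob              web1.internal
EOF
}
main() {
    user=$(id -un)                       # authoritative, unlike the env's $USER
    printf 'Internal host: '
    IFS= read -r target || exit 1
    if ! valid_hostname "$target" || ! acl_allows "$user" "$target" "$ACL_FILE"; then
        logger -t gateway-shell "DENY user=$user requested=$target"
        echo "access denied" >&2
        exit 1
    fi
    logger -t gateway-shell "ALLOW user=$user target=$target"
    exec ssh -- "$target"                # replaces this shell: no foothold left
}
# Prompt only for an interactive ssh login; otherwise just define the functions.
if [ -n "${SSH_TTY:-}" ] && [ -t 0 ]; then
    main "$@"
fi
```

Install it as the users' login shell on the gateway (and nothing else), so the only thing a gateway account can do is pick an ACL-approved host and be handed to ssh.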