SSH into home computers


21

I have several machines at home that I want to access from school using SSH and VNC. For that I have given them static IPs:

  • 192.168.1.50: Windows
  • 192.168.1.51: Ubuntu
  • 192.168.1.52: Raspberry Pi / Raspbian

Since SSH uses port 22, I can forward that port on the router to 192.168.1.51:22, but then I cannot SSH into the Raspberry Pi. Is there a way to set this up so that I can access both machines?

32

If you have IPv6, you don't even need port forwarding! Simply get your permanent IPv6 address (based on your MAC address, so it's guaranteed to stay the same unless your ISP doesn't know how IPv6 works) and use this to tunnel in. As your IPv6 address is public-facing and allows the world to access you without having to go through your local NAT, you don't need to bother enabling port-forwarding anywhere. It will "just work."

Note, however, that IPv6 is still not really supported globally, and both your home internet connection and remote internet connection need to have fully-working IPv6 in order to do this.

However, if you're like most people and only have IPv4, there's still a way! Some routers allow you to forward specific source ports to specific destination ports, like so:


In this example, port 22 is passed directly to my machine sheepdog, while port 292 is being forwarded to port 22 on coyote.

Lastly, if your router does not have this feature, you can just change the port, as SSH is not limited to just running on port 22. You can set it to anything you want (that's not being used).

In /etc/ssh/sshd_config (you need root to edit, so sudo nano /etc/ssh/sshd_config), there is a line at the top of the file:

# What ports, IPs and protocols we listen for
Port 22

Change this to whatever you want:

# What ports, IPs and protocols we listen for
Port 2992

Restart the SSH server with sudo service ssh restart, and forward the port on the router.


However, for this use case, I would consider if SSH tunnels are the right thing to do. Perhaps you should set up a dedicated VPN server on your home network? This will allow you to access your entire home network from anywhere, provided you have the proper security credentials needed by the VPN. Additionally, there is slightly less overhead with a VPN; you'd typically only need to forward one port for one machine.


19

An easy way to solve this problem is to map different ports from your router to port 22 of your machines. For example, you can have the following settings in your router (assuming your router has IP 1.2.3.4).

1. 1.2.3.4:22   --> ubuntu:22
2. 1.2.3.4:8888 --> raspberrypi:22
3. 1.2.3.4:9999 --> windows:22 (or some other port)

Then when you use ssh, specify the port you want to use by typing

$ ssh <username>@<router ip> -p <your port>

Now you should be able to connect to all your machines.


3

Was doubting whether this would fit better as a comment rather than an answer, but I'll post it here anyway.

Some things you should think about before doing this:

  1. You'll open up your systems to the internet, so you'd better make sure they're well-patched and your security configuration is hardened (e.g. don't allow root login and use pubkeys instead of passwords).
  2. Your public IP (see whatismyip.com) can change, depending on your ISP it could change daily or almost never. This means that you'll have to find a way of figuring out your public IP. You could visit whatismyip.com from your home network daily, create some app, or use Dynamic DNS (DynDNS) to map your changing public IP to a static domain name.
  3. If you want to use IPv6 to bypass all the hassle related to IPv4 and NATing, you'll need your devices, router, ISP, ... to talk IPv6 as well. There are some services that can help you when your ISP doesn't support IPv6, but your devices and router will have to talk it anyway.
  4. The more ports and devices you open to the internet, the bigger your attack area becomes. I would suggest using a jump-box in your network, and only allowing SSH access to that device from the internet. The jump-box would basically be one very hardened system that you port-forward over your router to the internet. Once connected to that box, you'll be able to SSH to your internal network through it. The jump-box could basically be another Raspberry Pi. I would suggest using a dedicated device, to be able to harden it as much as possible (amongst others by running as few services as possible).
  5. (4a) Instead of having a jump-box you SSH into, you could also set up a VPN-server which allows you to browse your home network from your device at school (if outbound VPN connections are allowed).

11

If you know one of your computers is always up, you also have the possibility to use it as an ssh proxy.

Let's say you have a domain name set up for your external IP address (i.e. myhome.dyndns.com or whatever). What you will do is connect to one computer (let's say the raspberry is always up, and you forward the port from your router to it); then your ssh connections will be:

school --> (router, transparent here) --> raspberry --> ubuntu or windows

Now, in your ~/.ssh/config at school, add the lines:

Host ubuntu 192.168.1.51
    # change to match your setup
    Hostname ubuntu
    # change it ;-)
    User myraspberryuser
    # the path to your private key on the school computer; better on a USB key if it is a public computer
    IdentityFile ~/.ssh/id_rsa
    ForwardAgent yes
    RequestTTY yes
    ProxyCommand ssh -W %h:%p %r@myhome.dyndns.com

To connect then:

ssh-add ~/.ssh/id_rsa   # to do only once per session
ssh myraspberryuser@myhome.dyndns.com   # login without password

From now on, if you type ssh ubuntu, the computer will first connect to the raspberry, and then start an ssh session to the ubuntu computer.

I recommend, whatever port you choose to forward, disabling password login in /etc/sshd.conf to permit login only through an ssh key. This way, if you set up the key on the raspberry and on ubuntu, with the parameter 'ForwardAgent', you will only have to unlock the key and then no password is required to connect. This way, even if bots are trying to log in to your ssh, they will never be able to log in since you disallow password logon.

Bonus: this also works with scp; scp foo ubuntu:/tmp/foo will use the same setup without further parameters. Bonus 2: this setup does not require any change at home; if tomorrow you add another computer, just copy/paste the block in your ssh config, change the host and IP, and that's it, no need to open a new port on the router.


4

I do this--I leave the rpi up and plugged directly into the router all the time (since it's the cheapest to run) and just ssh into it, then bounce from it to the others--it never needs much attention.

It's also possible to VNC/RDP a GUI over an ssh pipe, kinda fun, or forward a port that lets you browse to a server on your desktop computer while keeping it private.

The reason I added this answer is to give you some suggestions.

1) Use a different port than 22. You can leave it 22 on the PI, but change the incoming port on your router to something over 10,000... Otherwise you'll get dozens to hundreds of attacks a day--and once you're known to be running an SSH host the second an exploit is found, you're owned.

2) Use certificates instead of username/password--completely disable username/password login.

3) If your ip address can change, use a dyndns type service to get yourself a DNS hostname (I use noip, it's free and they support a Linux client to update your ip address--I think you can just apt-get it on the pi now). There are still a few other companies that offer this for free.

4) Keep your pi (or whatever you ssh into) up to date (sudo apt-get update). I believe ssh is pretty well vetted by now, but I also believed that of https...
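An added check, not code from any of the answers above, for the hardening they recommend (move off port 22, disable password and root login): a POSIX sh script that reads an sshd_config the way sshd does, where the first occurrence of a keyword wins, and flags weak settings. It assumes a single flat file (no Include directives) and treats everything after the first Match block as conditional rather than global; the sample config it audits is constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the answers above. sshd uses the FIRST value it reads
# for each keyword, so appending "PasswordAuthentication no" to a file that
# already says "yes" changes nothing. Assumption: one flat file, no Include.

# effective_value FILE KEYWORD -> first global value (lower-cased), empty if unset
effective_value() {
    awk -v key="$2" '
        tolower($1) == "match" { exit }           # conditional section starts; stop
        /^[ \t]*#/ || NF == 0 { next }            # comment or blank line
        tolower($1) == key { print tolower($2); exit }
    ' "$1"
}

# audit_sshd_config FILE -> prints findings; return code = number of weak settings
audit_sshd_config() {
    cfg="$1"; weak=0
    port=$(effective_value "$cfg" port);                 [ -n "$port" ] || port=22
    root=$(effective_value "$cfg" permitrootlogin);      [ -n "$root" ] || root=prohibit-password  # default since OpenSSH 7.0
    pw=$(effective_value "$cfg" passwordauthentication); [ -n "$pw" ]   || pw=yes   # upstream default
    pk=$(effective_value "$cfg" pubkeyauthentication);   [ -n "$pk" ]   || pk=yes   # upstream default
    echo "Port=$port PermitRootLogin=$root PasswordAuthentication=$pw PubkeyAuthentication=$pk"
    [ "$port" != 22 ]  || { echo "WEAK: sshd still listens on 22 (bots scan it first)"; weak=$((weak + 1)); }
    [ "$root" != yes ] || { echo "WEAK: root may log in with a password"; weak=$((weak + 1)); }
    [ "$pw" != yes ]   || { echo "WEAK: password logins allowed; use keys only"; weak=$((weak + 1)); }
    [ "$pk" != no ]    || { echo "WEAK: public-key authentication disabled"; weak=$((weak + 1)); }
    return $weak
}

# make_sample_config -> writes a CONSTRUCTED config to a temp file, prints its path
make_sample_config() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
# constructed sample, not a real host's config
Port 22
#PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
PasswordAuthentication no
Match Address 192.168.1.0/24
    PasswordAuthentication yes
EOF
    echo "$tmp"
}

sample=$(make_sample_config)
audit_sshd_config "$sample" || echo "weak settings found: $?"
rm -f "$sample"
```

The sample shows the trap: the trailing "PasswordAuthentication no" is ignored because an earlier "yes" already set the value, so the audit still reports password logins as allowed.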