Page 1 of 2, results 1 to 10 of 17

Thread: SSH Through Remote Firewall with Public Key Authentication

  1. #1
    Join Date
    Nov 2008
    Posts
    2,194
    Blog Entries
    1

    SSH Through Remote Firewall with Public Key Authentication

    I am using Leap 42.3 with KDE desktop and trying to tighten security on a remote device which I presently can access using public key authentication. In other words all is OK from my Leap 42.3 machine at present.
    I now wish to make the remote device (RaspberryPi) more secure using ufw.

    I have installed ufw on the remote machine and opened port 22 and allowed tcp/udp protocols but I now can no longer access from Leap 42.3.

    Displaying my ignorance once again but having read many threads I still do not know what rules I have to create on the remote machine to get this to work. If anybody has time and patience to give me assistance it would be greatly appreciated. Once I have the basics working I want to limit access either to individual machines or one subnet but first I need to get simple connection going once more.
    Budge.

  2. #2
    Join Date
    Jun 2008
    Location
    Podunk
    Posts
    32,339
    Blog Entries
    15

    Re: SSH Through Remote Firewall with Public Key Authentication

    On Sun 01 Apr 2018 05:46:01 PM CDT, Budgie2 wrote:

    I am using Leap 42.3 with KDE desktop and trying to tighten security on
    a remote device which I presently can access using public key
    authentication. In other words all is OK from my Leap 42.3 machine at
    present.
    I now wish to make the remote device (RaspberryPi) more secure using
    ufw.

    I have installed ufw on the remote machine and opened port 22 and
    allowed tcp/udp protocols but I now can no longer access from Leap 42.3.


    Displaying my ignorance once again but having read many threads I still
    do not know what rules I have to create on the remote machine to get
    this to work. If anybody has time and patience to give me assistance it
    would be greatly appreciated. Once I have the basics working I want to
    limit access either to individual machines or one subnet but first I
    need to get simple connection going once more.
    Budge.


    Hi
    To start off with change it away from the standard port.... How is ufw
    different from using SuSEfirewall... it's just a frontend to iptables?

    Maybe the rules you implemented were not (re)loaded?

    You could even setup a cronjob to swap around the ssh ports at different
    times...

    I would suggest looking at multi-factor authentication for ssh
    instead...

    --
    Cheers Malcolm °¿° SUSE Knowledge Partner (Linux Counter #276890)
    openSUSE Leap 42.3|GNOME 3.20.2|4.4.120-45-default
    If you find this post helpful and are logged into the web interface,
    please show your appreciation and click on the star below... Thanks!


  3. #3
    Join Date
    Jun 2008
    Location
    San Diego, Ca, USA
    Posts
    13,295
    Blog Entries
    2

    Re: SSH Through Remote Firewall with Public Key Authentication

    There are many ways to authenticate to a firewall, but I've never heard of using any kind of key authentication. At best, I know how to do this indirectly by setting up network authentication like LDAP and then associating keys with that network User Account.

    You say you set up ufw as your LAN firewall?
    What guide did you use to set up your firewall and its authentication methods?

    Perhaps if you can post that info, the next step can be taken to understand what is required client-side.

    If you're talking about using SSH using key authentication, that's another story... and well known since in that case the Firewall simply forwards packets and the authentication is exclusively done on the SSH client and server as though the firewall isn't there.

    TSU
    Beginner Wiki Quickstart - https://en.opensuse.org/User:Tsu2/Quickstart_Wiki
    Solved a problem recently? Create a wiki page for future personal reference!
    Learn something new?
    Attended a computing event?
    Post and Share!

  4. #4
    Join Date
    Nov 2008
    Posts
    2,194
    Blog Entries
    1

    Re: SSH Through Remote Firewall with Public Key Authentication

    Quote Originally Posted by malcolmlewis View Post
    Hi
    To start off with change it away from the standard port.... How is ufw
    different from using SuSEfirewall... it's just a frontend to iptables?

    Maybe the rules you implemented were not (re)loaded?

    You could even setup a cronjob to swap around the ssh ports at different
    times...

    I would suggest looking at multi-factor authentication for ssh
    instead...

    --
    Cheers Malcolm °¿° SUSE Knowledge Partner (Linux Counter #276890)
    openSUSE Leap 42.3|GNOME 3.20.2|4.4.120-45-default
    If you find this post helpful and are logged into the web interface,
    please show your appreciation and click on the star below... Thanks!

    Hi Malcolm,
    Sorry I didn't make it clear, my Leap42.3 installation has standard firewall and it is set up normally and is not an issue here. This machine and the remote RPi device are both on the same lan subnet and sit behind a firewall.

    It is the local firewall on the remote device I am trying to set up. I use SSH login using key authentication as mentioned by Tsu and it is this that no longer works when ufw is running on RPi.
    I have no knowledge of multi-factor authentication and hopefully will be able to go into the techniques you raise but first I would like to get the basics working between my Leap 42.3 machine and the RPi.
    Many thanks once more for your reply,
    Budge

  5. #5
    Join Date
    Nov 2008
    Posts
    2,194
    Blog Entries
    1

    Re: SSH Through Remote Firewall with Public Key Authentication

    Quote Originally Posted by tsu2 View Post
    There are many ways to authenticate to a firewall, but I've never heard of using any kind of key authentication. At best, I know how to do this indirectly by setting up network authentication like LDAP and then associating keys with that network User Account.

    You say you set up ufw as your LAN firewall?
    What guide did you use to set up your firewall and its authentication methods?

    Perhaps if you can post that info, the next step can be taken to understand what is required client-side.

    If you're talking about using SSH using key authentication, that's another story... and well known since in that case the Firewall simply forwards packets and the authentication is exclusively done on the SSH client and server as though the firewall isn't there.

    TSU
    Hi Tsu, many thanks. Sorry I didn't make my problem clear. What I am trying to do is set up the firewall on the remote device so key authentication from my main machine will work. The way you put it, it would appear what I must do is set up the firewall to forward the necessary packets so the ssh process works. Grateful for help on this please to move me forward.

    Once I have all this mastered I need to progress to hardening RPi to enable me to expose it to the wan but one step at a time and only after present setup is working!!!
    Budge

  6. #6
    Join Date
    Jun 2008
    Location
    Podunk
    Posts
    32,339
    Blog Entries
    15

    Re: SSH Through Remote Firewall with Public Key Authentication

    Quote Originally Posted by Budgie2 View Post
    Hi Malcolm,
    Sorry I didn't make it clear, my Leap42.3 installation has standard firewall and it is set up normally and is not an issue here. This machine and the remote RPi device are both on the same lan subnet and sit behind a firewall.

    It is the local firewall on the remote device I am trying to set up. I use SSH login using key authentication as mentioned by Tsu and it is this that no longer works when ufw is running on RPi.
    I have no knowledge of multi-factor authentication and hopefully will be able to go into the techniques you raise but first I would like to get the basics working between my Leap 42.3 machine and the RPi.
    Many thanks once more for your reply,
    Budge
    Hi
    I understand, but why ufw and not just use YaST, both are frontends to iptables (the firewall)...?

    Or are you talking about port forwarding on the remote router/firewall to access the remote rpi perhaps?

    local machine <--> internet <--> remote router [eg incoming port 10022] forward to port 22 on remote rpi ip address
    Cheers Malcolm °¿° SUSE Knowledge Partner (Linux Counter #276890)
    SUSE SLE, openSUSE Leap/Tumbleweed (x86_64) | GNOME DE
    If you find this post helpful and are logged into the web interface,
    please show your appreciation and click on the star below... Thanks!

  7. #7
    Join Date
    Jun 2008
    Location
    San Diego, Ca, USA
    Posts
    13,295
    Blog Entries
    2

    Re: SSH Through Remote Firewall with Public Key Authentication

    At least for me,
    Your scenario is still unclear.

    Is the following description correct?

    The RPi is in a remote location behind a firewall.
    The RPi is running ufw on itself.
    The firewall "device" is unknown (You haven't described what it is)

    You are trying to connect through the firewall to your RPi.

    TSU
    Beginner Wiki Quickstart - https://en.opensuse.org/User:Tsu2/Quickstart_Wiki
    Solved a problem recently? Create a wiki page for future personal reference!
    Learn something new?
    Attended a computing event?
    Post and Share!

  8. #8
    Join Date
    Nov 2008
    Posts
    2,194
    Blog Entries
    1

    Re: SSH Through Remote Firewall with Public Key Authentication

    Quote Originally Posted by tsu2 View Post
    At least for me,
    Your scenario is still unclear.

    Is the following description correct?

    The RPi is in a remote location behind a firewall.
    The RPi is running ufw on itself.
    The firewall "device" is unknown (You haven't described what it is)

    You are trying to connect through the firewall to your RPi.

    TSU
    Hi Tsu,
    The RPi is on the subnet with no intervening device but is running ufw on itself. There is no separate firewall device other than at the wan connection router which has the dhcp server and controls the subnet.

    Leap 42.3 with "yast" firewall > lan subnet > RPi with ufw.

    The Leap42.3 machine is my main machine and used to access devices on the lan subnet. I have ssh working with key authentication to RPi when ufw is not active. I want to set up RPi ufw and still be able to access it from my main machine using ssh.

  9. #9
    Join Date
    Oct 2011
    Location
    Germany (Ore Mountains)
    Posts
    459

    Re: SSH Through Remote Firewall with Public Key Authentication

    Can you post your firewall rules? That would help.
    You can get the currently running rules with:
    Code:
    iptables -S
    Hendrik

  10. #10
    Join Date
    Nov 2008
    Posts
    2,194
    Blog Entries
    1

    Re: SSH Through Remote Firewall with Public Key Authentication

    Quote Originally Posted by hendwolt View Post
    Can you post your firewall rules? That would help.
    You can get the currently running rules with:
    Code:
    iptables -S
    Hendrik
    Hi Hendrik,
    Here are the results of your command with firewall inactive:-

    Code:
    -P INPUT ACCEPT
    -P FORWARD ACCEPT
    -P OUTPUT ACCEPT
    -N ufw-after-forward
    -N ufw-after-input
    -N ufw-after-logging-forward
    -N ufw-after-logging-input
    -N ufw-after-logging-output
    -N ufw-after-output
    -N ufw-before-forward
    -N ufw-before-input
    -N ufw-before-logging-forward
    -N ufw-before-logging-input
    -N ufw-before-logging-output
    -N ufw-before-output
    -N ufw-reject-forward
    -N ufw-reject-input
    -N ufw-reject-output
    -N ufw-track-forward
    -N ufw-track-input
    -N ufw-track-output
    -A INPUT -j ufw-before-logging-input
    -A INPUT -j ufw-before-input
    -A INPUT -j ufw-after-input
    -A INPUT -j ufw-after-logging-input
    -A INPUT -j ufw-reject-input
    -A INPUT -j ufw-track-input
    -A FORWARD -j ufw-before-logging-forward
    -A FORWARD -j ufw-before-forward
    -A FORWARD -j ufw-after-forward
    -A FORWARD -j ufw-after-logging-forward
    -A FORWARD -j ufw-reject-forward
    -A FORWARD -j ufw-track-forward
    -A OUTPUT -j ufw-before-logging-output
    -A OUTPUT -j ufw-before-output
    -A OUTPUT -j ufw-after-output
    -A OUTPUT -j ufw-after-logging-output
    -A OUTPUT -j ufw-reject-output
    -A OUTPUT -j ufw-track-output
    Strange but I thought I had opened port 22 but nothing is showing.
    Hope this helps.
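Added example (not from the thread, and not ufw's own code): a POSIX sh check that reads an `iptables -S` listing like the one posted above and reports whether any ACCEPT rule exists for TCP port 22 and which source it is limited to, which is the check behind Hendrik's request and behind the goal of restricting access to one subnet. The two listings and the subnet 192.168.1.0/24 are constructed; the rule shape in the "open" sample is what `ufw allow from 192.168.1.0/24 to any port 22 proto tcp` produces.

```shell
#!/bin/sh
# Added example: inspect a captured "iptables -S" listing for a rule that
# accepts TCP port 22 and report the source it is limited to.
# Rules created with "ufw allow" land in the ufw-user-input chain.
# Both listings and the subnet 192.168.1.0/24 are constructed samples.

# Listing after: ufw allow from 192.168.1.0/24 to any port 22 proto tcp
SAMPLE_OPEN='-P INPUT ACCEPT
-N ufw-before-input
-N ufw-user-input
-A INPUT -j ufw-before-input
-A ufw-before-input -j ufw-user-input
-A ufw-user-input -s 192.168.1.0/24 -p tcp -m tcp --dport 22 -j ACCEPT'

# Listing with only ufw chains and jumps, like the posted output: no port-22 rule.
SAMPLE_CLOSED='-P INPUT ACCEPT
-N ufw-before-input
-A INPUT -j ufw-before-input
-A INPUT -j ufw-reject-input'

# Print every ACCEPT rule for TCP destination port 22 (output may be empty).
ssh_accept_rules() {
    printf '%s\n' "$1" | grep -E -- '^-A .*-p tcp .*--dport 22 .*-j ACCEPT' || true
}

# Exit status 0 if at least one such rule exists, 1 otherwise.
ssh_rule_present() {
    [ -n "$(ssh_accept_rules "$1")" ]
}

# For each matching rule print its -s source, or "any" when the rule has no
# source restriction (port 22 open to everything that can reach the host).
ssh_rule_sources() {
    ssh_accept_rules "$1" | while IFS= read -r rule; do
        case "$rule" in
            *' -s '*) printf '%s\n' "$rule" | sed -E 's/.* -s ([^ ]+).*/\1/' ;;
            *)        echo any ;;
        esac
    done
}

# Stand-alone run over the samples. On the real host feed "$(iptables -S)" and,
# because ufw keeps a separate IPv6 table, "$(ip6tables -S)".
for name in SAMPLE_OPEN SAMPLE_CLOSED; do
    eval "listing=\$$name"
    if ssh_rule_present "$listing"; then
        echo "$name: tcp/22 accepted from: $(ssh_rule_sources "$listing" | tr '\n' ' ')"
    else
        echo "$name: no ACCEPT rule for tcp/22 (what the posted listing shows)"
    fi
done
```

The posted listing contains only chain definitions and jumps, so this check reports no rule; run it again with ufw enabled to see whether the `ufw allow` rule was actually loaded.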

