Remote Assistance Based on ssh reverse proxy and ssh reverse assistance

Source: Internet
Author: User
Tags: key, string, ssh, port


This article describes how to implement remote assistance through an ssh reverse proxy and provides the relevant code.

After the customer enables Remote Assistance on the web interface, maintenance personnel can log on to the customer's machine through ssh and http, even when that machine sits behind NAT.

Requirements:

  • Once the web function is enabled, ssh logon to the customer's machine becomes possible;
  • Different customer machines must be distinguishable on the server;
  • The customer's machine may be behind NAT;

Operating System: CentOS 6.5 x64

Development language: Python

Source Code address: https://github.com/mike-zhang/remoteHelper

The overall structure is as follows. The main members are:

  • Customer

    A customer server running the company's product; this is the machine that needs assistance and may be behind NAT.

  • Server B

    The company's public network server; the customer's reverse proxy lands here, and support staff connect through it.

  • Technical support personnel C

    The employee's computer.

Port proxy

Port forwarding is done with an ssh reverse proxy (ssh -R): the customer machine opens an outbound ssh session to the public network server and asks it to listen on a port that is forwarded back to a local port on the customer machine. Two proxies are set up:

  • SSH port proxy: forwards a server port to the customer's local ssh service
  • HTTP port proxy: forwards a server port to the customer's local http service

Key Management

RSA key management

Key usage: the customer machine authenticates to the public network server with this RSA key when it establishes the ssh reverse proxy for its local ports.

  • Private Key Management

    Private Key Generation location: Customer Machine
    Private Key storage location: Customer Machine

    The private key stays on the customer machine and is overwritten whenever a new key pair is generated.

  • Public Key Management
    Public Key Generation location: Customer Machine
    Public Key storage location: Public Network Server

The public key addition process is as follows:
1. The public network server receives a message from the customer machine containing the RSA public key;
2. Retrieve the customer serial number from the message;
3. Verify that the customer serial number is valid;
4. If the serial number is valid, append the RSA public key to the authorized_keys file, with an expiry time written after the key string (the comment field, which sshd ignores);

The Public Key deletion process is as follows:
1. Retrieve the public key from the authorized_keys file;
2. Determine whether the public key has timed out;
3. Delete the expired public key;

DSA key management

Key usage:
Support personnel use this key to ssh through the stepping stone (the public network server) into the customer's machine behind NAT.

  • Private Key Management
    Private Key Generation location: support Machine
    Private Key storage location: support Machine

  • Public Key Management
    Public Key Generation location: Customer Machine
    Public Key storage location: Customer Machine

Private key generation process:
1. Obtain the dynamic password displayed on the customer's web page;
2. Generate the DSA private key using the dynamic password as the seed, and store it for ssh login to the customer's machine;

The public key addition process is as follows:
1. Generate a random dynamic password;
2. Generate the DSA public key using the dynamic password as the seed;
3. Append the generated DSA public key to the authorized_keys file and set its timeout. Do not put a command="..." option in front of this key string: sshd would then force that command for every login and support staff could not run their own commands;

Because the key pair is derived deterministically from the dynamic password, the key is no stronger than the password's entropy: anyone who learns or guesses the password can regenerate the private key, so the password must be long, random and short-lived. Note also that ssh-keygen only produces 1024-bit DSA keys and that OpenSSH 7.0 and later disable ssh-dss keys by default; the OpenSSH 5.3 on CentOS 6.5 accepts them, but a newer support machine must enable the algorithm explicitly (PubkeyAcceptedKeyTypes).

Public Key deletion process:
1. Retrieve the public key from the authorized_keys file;
2. Determine whether the public key has timed out;
3. Delete the expired public key;

Connection Management

IP address restrictions

Applicability: configured on the public network server to restrict the source IP addresses from which support staff may connect.

A configuration item records the allowed IP addresses; when a new connection arrives, its source address is checked against that list and the connection is closed if it does not match.
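The addition and deletion processes above (the RSA key on the public network server, and the same expiry check for the DSA key on the customer machine) together with the source-address check, as an added Python example that is not code from the remoteHelper project. It assumes the expiry is carried in the comment field as expires=<unix time>, that serial numbers are looked up in an allow-list, and that allowed source addresses are also written into an OpenSSH from="..." option so sshd itself rejects the key from any other address. The optional forced command is a hardening the page's design does not require.

```python
"""Expiring entries in authorized_keys: add a key with a deadline, purge expired ones.

Added example, not code from remoteHelper. Assumptions: the expiry travels in
the comment field as 'expires=<unix time>', serial numbers are checked against
an allow-list, and allowed source addresses become a from="..." option.
"""
import ipaddress
import re
from typing import Iterable, List, Optional, Tuple

# keytype + base64 body + optional comment; options (which may contain quoted
# spaces) are whatever precedes the key type on the line.
KEY_RE = re.compile(
    r"^(?P<opts>.*?)\s*(?P<type>ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-nistp\d+)"
    r"\s+(?P<b64>[A-Za-z0-9+/=]+)\s*(?P<comment>.*)$"
)
EXPIRES_RE = re.compile(r"\bexpires=(\d+)\b")
SERIAL_RE = re.compile(r"^[A-Za-z0-9-]{4,64}$")   # assumed serial number format


def parse_line(line: str) -> Optional[dict]:
    """Split one authorized_keys line into options, type, key body and comment."""
    m = KEY_RE.match(line.strip())
    return m.groupdict() if m else None


def serial_is_valid(serial: str, known_serials: Iterable[str]) -> bool:
    """Step 3 of the addition process: well formed and present in the customer list."""
    return bool(SERIAL_RE.match(serial)) and serial in set(known_serials)


def expiry_of(line: str) -> Optional[int]:
    """Unix-time deadline stored in the comment, or None for a permanent key/non-key line."""
    parsed = parse_line(line)
    if not parsed:
        return None
    m = EXPIRES_RE.search(parsed["comment"])
    return int(m.group(1)) if m else None


def build_entry(pubkey: str, serial: str, now: int, ttl: int,
                from_addrs: Optional[Iterable[str]] = None,
                forced_command: Optional[str] = None) -> str:
    """Build the line to append. Only the parsed type and base64 body are re-emitted,
    so a client cannot smuggle options or a comment of its own into the file."""
    parsed = parse_line(pubkey)
    if not parsed or parsed["opts"]:
        raise ValueError("expected a bare 'type base64 [comment]' public key")
    opts: List[str] = []
    if from_addrs:
        opts.append('from="%s"' % ",".join(from_addrs))   # sshd enforces the source address
    if forced_command:
        if '"' in forced_command:
            raise ValueError("double quote not allowed in a forced command")
        opts += ['command="%s"' % forced_command,
                 "no-pty", "no-X11-forwarding", "no-agent-forwarding"]
    prefix = ",".join(opts) + " " if opts else ""
    return "%s%s %s serial=%s expires=%d" % (
        prefix, parsed["type"], parsed["b64"], serial, now + ttl)


def add_key(lines: List[str], pubkey: str, serial: str, known_serials: Iterable[str],
            now: int, ttl: int, **options) -> List[str]:
    """Steps 1-4 of the addition process over the in-memory file contents."""
    if not serial_is_valid(serial, known_serials):
        raise PermissionError("unknown customer serial %r" % serial)
    return list(lines) + [build_entry(pubkey, serial, now, ttl, **options)]


def purge_expired(lines: List[str], now: int) -> Tuple[List[str], List[str]]:
    """Deletion process: keep permanent and unexpired entries; return (kept, removed)."""
    kept, removed = [], []
    for line in lines:
        deadline = expiry_of(line)
        (removed if deadline is not None and deadline <= now else kept).append(line)
    return kept, removed


def source_allowed(addr: str, allowed: Iterable[str]) -> bool:
    """Application-side check of a connecting address against single IPs or CIDR ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(a, strict=False) for a in allowed)


if __name__ == "__main__":
    # Constructed sample data: one customer key, a one-hour window, then cleanup.
    key = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0example customer@host"
    keys = add_key(["# managed by the remote assistance service"], key, "CUST-0001",
                   {"CUST-0001"}, now=1_700_000_000, ttl=3600, forced_command="sleep 3600")
    print("\n".join(keys))
    kept, gone = purge_expired(keys, now=1_700_000_000 + 3601)
    print("purged:", gone)
```

Write the file back atomically (temporary file plus rename) and keep it mode 600; the purge job only needs to run as often as the shortest timeout you hand out.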

SSH connection management
  • Customer-side ssh connection management
    A command can be given at the end of the ssh command line; ssh stays connected only while that command runs and disconnects when it finishes. The reverse proxy therefore runs ssh with a Python program as the remote command. The program simply sleeps for the allowed assistance time, and when it exits the ssh session, and with it the reverse proxy, is torn down.

  • Support-side ssh connection management
    When the customer-side session ends, the support-side session that runs through it is dropped as well, so it needs little management of its own; it is enough to limit the lifetime of the support key in the customer's authorized_keys.
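The customer-side launcher that the port proxy section and the connection management section describe, as an added Python example that is not code from the remoteHelper project. It builds the ssh -R command for both proxies, uses a sleep as the remote command (standing in for the page's Python program) so the session ends at the deadline, and re-runs ssh with back-off if the tunnel drops early. The login name on server B, the key path, the port range and the serial-to-port mapping are illustrative assumptions.

```python
"""Customer-side launcher for the ssh reverse proxy.

Added example; this is not code from the remoteHelper project. The remote
command is a sleep rather than the page's Python program, so the session (and
both forwarded ports) ends when the sleep does. Assumed names: the 'remote'
login on server B, the key path, the port range and the serial-to-port scheme.
"""
import subprocess
import time
import zlib
from typing import Callable, List, Sequence, Tuple

SERVER = "remote@serverB.example.com"        # assumed account on the public network server
KEY_FILE = "~/.ssh/remote_helper_rsa"         # assumed path of the customer's RSA private key
PORT_BASE, PORT_SPAN = 20000, 10000           # assumed port range reserved on server B
LOCAL_SERVICES: Sequence[Tuple[int, str]] = ((22, "ssh"), (80, "http"))  # customer ports to publish


def remote_ports(serial: str, count: int = len(LOCAL_SERVICES)) -> List[int]:
    """Derive a stable block of server-side ports from the customer serial so that
    different machines can be told apart on server B (assumed scheme: CRC32 slot).
    Two serials can collide, so the server should still record serial -> ports."""
    slot = zlib.crc32(serial.encode("utf-8")) % (PORT_SPAN // count)
    return [PORT_BASE + slot * count + i for i in range(count)]


def build_command(serial: str, ttl: int, bind_all: bool = False) -> List[str]:
    """ssh argv for the reverse proxy. With bind_all the client asks sshd to listen on
    0.0.0.0; that only takes effect when sshd_config on server B has GatewayPorts yes
    or clientspecified, otherwise sshd binds 127.0.0.1 regardless."""
    if ttl <= 0:
        raise ValueError("ttl must be positive")
    argv = ["ssh", "-i", KEY_FILE,
            "-o", "BatchMode=yes",              # never prompt: this runs unattended
            "-o", "ExitOnForwardFailure=yes",   # fail loudly if a server port is taken
            "-o", "ServerAliveInterval=30", "-o", "ServerAliveCountMax=3",
            "-T"]                               # no pty: the remote command is just sleep
    bind = "0.0.0.0:" if bind_all else ""
    for rport, (lport, _name) in zip(remote_ports(serial), LOCAL_SERVICES):
        argv += ["-R", "%s%d:127.0.0.1:%d" % (bind, rport, lport)]
    argv += [SERVER, "sleep %d" % ttl]          # session lasts exactly as long as the sleep
    return argv


def run_until_deadline(serial: str, ttl: int,
                       runner: Callable[[List[str]], int] = subprocess.call,
                       sleeper: Callable[[float], None] = time.sleep,
                       clock: Callable[[], float] = time.time) -> int:
    """Keep the tunnel up for the assistance window: if ssh drops early (network
    blip, server restart) re-run it with exponential back-off for the time that is
    left, never beyond the deadline. Returns the number of ssh runs made."""
    deadline = clock() + ttl
    attempts, delay = 0, 5.0
    while True:
        remaining = int(deadline - clock())
        if remaining <= 0:
            return attempts
        attempts += 1
        if runner(build_command(serial, remaining, bind_all=True)) == 0:
            return attempts                      # the sleep finished: window is over
        sleeper(min(delay, max(0.0, deadline - clock())))
        delay = min(delay * 2, 60.0)


if __name__ == "__main__":
    # Print the command for a constructed serial instead of running it.
    print(" ".join(build_command("CUST-0001", 3600, bind_all=True)))
```

Support staff then ssh to the first derived port on server B and browse http://serverB:<second port>. With bind_all the forwarded ports are reachable from any address that can reach the server, so the IP address restrictions or a host firewall on server B must cover them.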

Others

1. A reverse proxy started from the command line gets its server-side listening port bound to 127.0.0.1 only, so the forwarded port is reachable just from the public network server itself.

To have sshd bind the forwarded port on 0.0.0.0 instead, add the following to /etc/ssh/sshd_config on the public network server and restart sshd:

GatewayPorts yes

With this setting every remote-forwarded port on the server is reachable from any address that can reach the server, so the IP address restrictions above (or a host firewall) must cover those ports as well. GatewayPorts clientspecified is the narrower alternative: the client then chooses the bind address for each forward.

2. Commands for creating the remote account on the public network server:

useradd remote
chgrp remote /root
su remote
ssh-keygen -t rsa
cd .ssh/
touch authorized_keys
chmod 600 authorized_keys
