Remote Assistance Based on an SSH Reverse Proxy
This article describes how to implement remote assistance through an ssh reverse proxy and provides the relevant code.
Once Remote Assistance is enabled in the web interface, maintenance personnel can log on to the customer's machine through ssh and http, including when the machine is behind NAT.
- After the web function is enabled, ssh logon becomes possible;
- Different customer machines are identified;
- It works across NAT;
Operating System: CentOS 6.5 _ x64
Development language: Python
Source Code address: https://github.com/mike-zhang/remoteHelper
The overall structure is as follows:
The main members are as follows:
- Customer: the customer's servers, on which the company's purchased products run
- Server B: the company's public network server
- Technical support personnel C: the employee's computer
Port proxy
Port forwarding through an ssh reverse proxy is described here.
SSH port proxy
HTTP port proxy
Key Management
RSA key management
Key usage: the customer machine uses the RSA key to set up the ssh reverse proxy for its local port.
Private Key Management
Private Key Generation location: Customer Machine
Private Key storage location: Customer Machine
The private key is saved on the customer machine and is overwritten whenever a new key pair is generated.
Public Key Management
Public Key Generation location: Customer Machine
Public Key storage location: Public Network Server
The public key addition process is as follows:
1. The public network server receives a message from the customer machine containing the RSA public key;
2. Retrieve the customer serial number from the message;
3. Verify that the customer serial number is valid;
4. If the serial number is valid, append the RSA public key to the authorized_keys file, with timeout information placed after the key string;
The Public Key deletion process is as follows:
1. Retrieve the public key from the authorized_keys file;
2. Determine whether the public key has timed out;
3. Delete the expired public key;
DSA Key Management
Key usage:
This key is used to connect, through the stepping stone (jump host), to the customer machine behind NAT.
Private Key Management
Private Key Generation location: support Machine
Private Key storage location: support Machine
Public Key Management
Public Key Generation location: Customer Machine
Public Key storage location: Customer Machine
Private key generation process:
1. Obtain the dynamic password displayed on the customer's page;
2. Generate the DSA private key using the dynamic password as the seed (it is stored for ssh login to the customer machine);
The public key addition process is as follows:
1. Generate a random dynamic password;
2. Generate the DSA public key using the dynamic password as seed;
3. Add the generated DSA public key to the authorized_keys file (the command option must not be placed before the key string, otherwise the command cannot be executed) and set the timeout;
Public Key deletion process:
1. Retrieve the public key from the authorized_keys file;
2. Determine whether the public key has timed out;
3. Delete the expired public key;
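The RSA and DSA key addition and deletion procedures above share one authorized_keys housekeeping routine. The following is an added Python example (not code from the remoteHelper project) that validates a submitted public key line, checks the serial number, records the expiry in the key's comment field, and prunes expired entries; the comment format, the serial numbers and the sample key are constructed for this example. Newer OpenSSH also supports a native expiry-time= option in authorized_keys.

```python
import base64
import struct
import time

TAG = "remotehelper"  # constructed comment prefix marking keys managed here
KEY_TYPES = {"ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256"}

def parse_pubkey(line):
    """Validate an OpenSSH public key line; return (type, base64) or None."""
    parts = line.split()
    if len(parts) < 2 or parts[0] not in KEY_TYPES:
        return None
    try:
        blob = base64.b64decode(parts[1], validate=True)
        (n,) = struct.unpack(">I", blob[:4])
        # The wire-format blob must begin with its own key type string;
        # this rejects garbage that merely looks like base64.
        if blob[4:4 + n].decode() != parts[0]:
            return None
    except (ValueError, struct.error, UnicodeDecodeError):
        return None
    return parts[0], parts[1]

def add_key(lines, pubkey_line, serial, valid_serials, ttl, now=None):
    """Return (new_lines, ok); key is added only for a valid serial."""
    now = int(time.time()) if now is None else now
    parsed = parse_pubkey(pubkey_line)
    if serial not in valid_serials or parsed is None:
        return lines, False
    ktype, b64 = parsed
    comment = "%s:serial=%s:expires=%d" % (TAG, serial, now + ttl)
    return lines + ["%s %s %s" % (ktype, b64, comment)], True

def prune_expired(lines, now=None):
    """Drop managed keys whose expiry has passed; leave other lines alone."""
    now = int(time.time()) if now is None else now
    kept = []
    for line in lines:
        parts = line.split()
        if len(parts) == 3 and parts[2].startswith(TAG + ":"):
            fields = dict(f.split("=", 1) for f in parts[2].split(":")[1:]
                          if "=" in f)
            if int(fields.get("expires", 0)) <= now:
                continue  # expired: remove the key
        kept.append(line)
    return kept

# Constructed, syntactically valid ssh-ed25519 key line (not a real key).
_blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes(32)
SAMPLE_KEY = "ssh-ed25519 %s constructed-sample" % base64.b64encode(_blob).decode()
```

In the real service the pruning function would run periodically over the live authorized_keys file and write the kept lines back atomically.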
Connection Management
IP address restrictions
Applicability: configured on the public network server to control the source IP address of the support side.
A configuration item records the allowed IP addresses;
When a new request arrives, verify that its source address is allowed; if it is not, the connection is closed;
SSH connection management
Customer-side ssh connection management
A command can be appended to the end of the ssh command line; when that command finishes, the ssh connection is closed.
This feature is used to call a python script at the end of the ssh command: the python program executes a sleep, and when it exits the ssh connection is disconnected.
Support-side ssh connection management
If the customer-side ssh connection is disconnected, the support-side ssh connection is disconnected as well, so it needs little management of its own; it is enough to limit the connection duration in the customer's authorized_keys.
Others
1. When the SSH reverse proxy is set up from the command line, the forwarded port on the server binds only to 127.0.0.1.
To solve this, configure sshd on the server (sshd_config) so that forwarded ports listen on 0.0.0.0. The specific configuration is as follows:
GatewayPorts yes
2. Commands for creating the remote account on the public network server:
useradd remote
chgrp remote /root
su remote
ssh-keygen -t rsa
cd .ssh/
touch authorized_keys
chmod 600 authorized_keys