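SSH tunneling lets you connect from an internal network to an external network. This post walks through an example.
In this example, server A tunnels through server B to reach the external network. The -v option is used to see what happens internally.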
$ ssh -v -L 61514:rsync.apache.org:873 deploy@tunnel.interal.google.io -i /root/.ssh/repo
OpenSSH_6.6.1, OpenSSL 1.0.1f 6 Jan 2014
debug1: Reading configuration data /root/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to tunnel.interal.google.io [1.1.1.1] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /root/.ssh/repo type -1
debug1: identity file /root/.ssh/repo-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.8
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.2p2 Ubuntu-4ubuntu2.2
debug1: match: OpenSSH_7.2p2 Ubuntu-4ubuntu2.2 pat OpenSSH* compat 0x04000000
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-sha1-etm@openssh.com none
debug1: kex: client->server aes128-ctr hmac-sha1-etm@openssh.com none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ECDSA
debug1: Host 'tunnel.interal.google.io' is known and matches the ECDSA host key.
debug1: Found key in /root/.ssh/known_hosts:19
debug1: ssh_ecdsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug1: Next authentication method: gssapi-with-mic
debug1: Next authentication method: publickey
debug1: Trying private key: /root/.ssh/tunnel
debug1: key_parse_private2: missing begin marker
debug1: read PEM private key done: type RSA
debug1: Authentication succeeded (publickey).
Authenticated to tunnel.interal.google.io ([1.1.1.1]:22).
debug1: Local connections to LOCALHOST:61514 forwarded to remote address rsync.apache.org:873
debug1: Local forwarding listening on 127.0.0.1 port 61514.
debug1: channel 0: new [port listener]
debug1: Local forwarding listening on ::1 port 61514.
bind: Cannot assign requested address
debug1: channel 1: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0
debug1: Sending environment.
debug1: Sending env LANG = en_US.UTF-8
Welcome to Ubuntu 16.04.3 LTS (GNU/Linux 4.4.0-93-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
Last login: Thu Sep 7 23:49:54 2017
Running ps -ef shows that the connection was established.
To confirm the connection at the socket level as well, check the sockets on server A and server B.
Checking on server A
$ netstat -anp
tcp 0 0 1.1.1.1:22 3.3.3.3:61518 ESTABLISHED -
Checking on server B
$ netstat -tpln
(No info could be read for "-p": geteuid()=1000 but you should be root.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:61514 0.0.0.0:* LISTEN -
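The netstat output above shows the forwarded port listening on 127.0.0.1 only, which is the ssh -L default; a listener on a wildcard address would let other hosts on the network use the tunnel. The function below is an added example, not part of the original post, that checks this for a given port. The name check_forward_listener and the sample line are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the listeners that an `ssh -L` forward opened on a port.
# Reads `netstat -tln` or `ss -tln` style output on stdin.
# Exit status: 0 = loopback only, 1 = reachable from other hosts, 2 = no listener.
check_forward_listener() {
    port="$1"
    awk -v port="$port" '
        # Only LISTEN rows matter. The local address is the 4th column
        # in both netstat -tln and ss -tln output.
        /LISTEN/ {
            addr = $4
            n = split(addr, parts, ":")
            if (parts[n] != port) next          # different port, skip
            # Strip ":port" to get the bind address (works for IPv6 too).
            host = substr(addr, 1, length(addr) - length(parts[n]) - 1)
            sub(/^\[/, "", host)                # ss prints IPv6 as [::1]
            sub(/\]$/, "", host)
            found = 1
            if (host ~ /^127\./ || host == "::1") {
                printf "ok       %s\n", addr
            } else {
                # 0.0.0.0, ::, * or a routable address: other hosts can connect.
                printf "exposed  %s\n", addr
                exposed = 1
            }
        }
        END {
            if (!found) exit 2
            exit (exposed ? 1 : 0)
        }
    '
}

# Constructed sample line in the format of the netstat output above.
sample='tcp 0 0 127.0.0.1:61514 0.0.0.0:* LISTEN -'
printf '%s\n' "$sample" | check_forward_listener 61514
```

On a live host the same check is `netstat -tln | check_forward_listener 61514`.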