Remotely access an intranet server through a proxy via an SSH tunnel from a shared terminal over the web
Most software companies use their own internal network, or intranet, to which all their computers are connected. Usually only a few of those machines are reachable from the internet. But what if you need to access a computer on this network that is not reachable from the internet?
Consider the network topology presented in Figure-1. The proxy server here is accessible over the internet. The other servers on the network are connected to the proxy server but are not directly reachable from the internet. If a client computer wants to connect to any of the target servers, the connection has to go via the proxy server. Let's find out whether there is a way to do that using tools that are freely available today.
Tools that we will need
To do this experiment, we need these tools:
- TTYD (a simple command-line tool for sharing terminal over the web)
- OpenSSH Server
- Docker
How to do it
First, enable SSH on all of the target servers and on the proxy server, if it is not already available.
On Ubuntu:
apt install openssh-server
Now generate SSH key-pairs using:
ssh-keygen -t rsa -C "<your email address>"
You will be prompted for the location of the .ssh folder and for a passphrase for the private key. Just press Enter both times to use the defaults.
Next, setup Docker on the proxy server.
On Ubuntu:
apt install docker-ce
Run the ttyd server using Docker on the proxy server:
docker run -itd --rm -p 7681:7681 tsl0922/ttyd
From your client computer, you can now access the ttyd terminal. Open the browser and enter the proxy server’s host address with 7681 as the port. You should see the terminal that is running inside the Docker container on the proxy server.
Now we need to set up the web terminal a little to get what we want.
Setting up web-terminal
- Run apt update in the terminal, then install the necessary packages:
apt install nano openssh-server
- Now generate the key-pair inside the container using:
ssh-keygen -t rsa -C "<your email address>"
- To enable a one-way SSH tunnel to the target servers, with the proxy server as the intermediate hop, you have to add a config file inside the .ssh folder.
- Open the config file in edit mode:
nano ~/.ssh/config
- Now add the following text, then press Ctrl+X and then y to save the file.
- Now access the target computer using:
ssh <target_a_username>@targetA
- To access Target B:
ssh <target_b_username>@targetB
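As an added example, not the article's own config text, here is what a ~/.ssh/config inside the ttyd container can look like so that ssh targetA and ssh targetB hop through the proxy with ProxyJump (OpenSSH 7.3 and later). The hostnames, intranet addresses, usernames and key path are assumptions; substitute your own.

```sshconfig
# Added example, not from the article. All HostName/User values are assumptions.

# The proxy: the only machine reachable from the internet. From inside the
# ttyd container this is the Docker host (assumed address below).
Host proxy
    HostName 172.17.0.1          # assumption: Docker host as seen from the container
    User proxyuser               # assumption
    IdentityFile ~/.ssh/id_rsa   # key generated with ssh-keygen in the container
    IdentitiesOnly yes           # offer only this key, not every key in the agent

# Targets are not routable from the container, so each hop goes via "proxy".
# ProxyJump opens an SSH session to the proxy and forwards the target's
# port through it; the target still authenticates the container's key.
Host targetA
    HostName 10.0.0.11           # assumption: intranet address of Target A
    User target_a_username       # assumption
    ProxyJump proxy
    IdentityFile ~/.ssh/id_rsa
    IdentitiesOnly yes

Host targetB
    HostName 10.0.0.12           # assumption: intranet address of Target B
    User target_b_username       # assumption
    ProxyJump proxy
    IdentityFile ~/.ssh/id_rsa
    IdentitiesOnly yes

# Equivalent for OpenSSH older than 7.3, where ProxyJump does not exist:
# Host targetA
#     ProxyCommand ssh -W %h:%p proxy
```

The container's public key (~/.ssh/id_rsa.pub) must be added to authorized_keys on the proxy and on each target, e.g. with ssh-copy-id, or ssh will fall back to password prompts at every hop. Because the container was started with --rm, the key-pair and this config disappear when the container stops, so keep a copy of the config outside it.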
Security
The web terminal can be accessed from anywhere. How can it be secure? Well, every Docker container is isolated from the host computer, so the web terminal has no access to anything on the host server. Even if you use the host server as the proxy, you will still have to enter a password to access it via SSH.
There is only one small problem: anyone who knows the IP address and port of your terminal has access to it. You might not want to give access, even to the dockerized terminal, to just anybody.
Fortunately there is a way. You just have to pass the credentials when running docker container like this:
docker run -itd --rm -p 7681:7681 tsl0922/ttyd ttyd -c "<username>:<password>" bash
Now you will be prompted for the username and password whenever you access the web terminal.
Why use Web Terminal?
It is entirely possible to set up the client computers to use the SSH tunnel directly, without a web terminal. But there are several benefits to using a web terminal, e.g.:
- It gives you instant access. No need to set up every client computer!
- You can access it from any PC with an internet connection and a web browser. Imagine needing to update something quickly on the server from a friend's PC.
- It can be managed centrally to add new servers or remove obsolete ones. You do not have to manually reconfigure SSH on every client computer whenever the intranet changes.