Problem: accessing multiple devices by SSH domain name through a server with one real IP. Is it possible?

Hi, Habr people.

I ran into a problem and do not know whether there is a solution. The gist is this.


There are several hundred devices (something like sensors with a Linux OS on board) that are connected to the Internet through a cellular network. All devices are connected by a tunnel to a server on the Internet; the server has one real IP. When a device connects to the server it is issued an internal IP and a name of the form deviceID.mydomain.com. Question: is it possible in this situation to configure the server so that an ssh connection to that name is redirected to the internal IP of the device? That is, so that the ssh session is established directly between the administrator's PC and the device.
October 3rd 19 at 04:20
11 answers
October 3rd 19 at 04:22
IPv6 will help you. If the real IP is static, use 6to4; otherwise a tunnel broker and 6in4. You will be given a subnet that is enough for far more than hundreds of devices. Then create AAAA records in DNS as you please.
You mean give all the internal devices v6 addresses? - morris.Hessel66 commented on October 3rd 19 at 04:25
Yes, of course. Here are a couple of links to help:

version6.ru/6to4/howto
version6.ru/6to4/to-lan - Deon.Pacocha14 commented on October 3rd 19 at 04:28
I do not fully understand how this will work.
Suppose all the internal devices are issued IPv6 addresses and records are made in DNS. Then a PC with a v4 address types ssh deviceID.mydomain.com, and then what? Who resolves it, and where does the traffic go? Can you briefly explain how a packet from the admin's PC reaches the device? - morris.Hessel66 commented on October 3rd 19 at 04:31
The admin's computer must of course also have IPv6, via 6to4 or 6in4 (tunnel broker). Then connect by domain name or directly by the devices' IPv6 addresses, as you like. Just do not forget to configure the firewall on the server so that traffic to the sensors is not opened up to everyone at once. - Deon.Pacocha14 commented on October 3rd 19 at 04:34
Since the author is behind a mobile operator, and there is probably NAT, you need to use Teredo, since 6to4 does not work in that case. I mean for the sensors. On the administrator's computer IPv6 can be connected any way. - madyson16 commented on October 3rd 19 at 04:37
Since the author is behind a mobile operator, and there is probably NAT, you need to use Teredo, since 6to4 does not work in that case. I mean for the sensors. On the administrator's computer IPv6 can be connected any way.


The author has a tunnel from the sensors to a server with a real IP. Through it he can hand out IPs from the subnet obtained via 6to4 on that real IP. - Deon.Pacocha14 commented on October 3rd 19 at 04:40
Just in case: do the devices even know how to do IPv6? Anything can happen... - Casper commented on October 3rd 19 at 04:43
October 3rd 19 at 04:24
As an option, look towards nginx with the proxy_pass module.
October 3rd 19 at 04:26
man iptables, port forwarding (or just Google "iptables port forwarding").
upd. This applies if the device you want to reach is your ssh server.
October 3rd 19 at 04:28
What stops you from connecting to a VPN and using the internal addresses?
I proposed the same thing above. But it seems something was unclear :) - morris.Hessel66 commented on October 3rd 19 at 04:31
October 3rd 19 at 04:30
Read here about forwarding of authentication.
Sorry, I overlooked the part about domain names.
A domain name will not work:
Packets will arrive at the server with the real IP having destination IP = real IP; there will be no information about which DNS name the client resolved to get that IP.
Still look in the direction of tunneling through the server with the real IP. If addressing by name is critical, configure the client hosts to connect to the different servers in the "gray" network. - morris.Hessel66 commented on October 3rd 19 at 04:33
Many thanks for the reference.
I understand that the tunnel option is just what I need. Can you just tell me: with this setup, can one reach the internal hosts with ssh deviceID.mydomain.com using any ssh client? - Deon.Pacocha14 commented on October 3rd 19 at 04:36
If addressing by name is critical, configure the client hosts to connect to the different servers in the "gray" network.

Then I got excited too early: in the Host section it won't be possible to specify a command to execute on the remote host :( I'll have to make aliases for the commands in the shell, or configure the connection in PuTTY.

With this setup, can one reach the internal hosts with ssh deviceID.mydomain.com using any ssh client?

No. It will not work. You can make an alias for ssh, like:
alias sshconnect='ssh -A <white ip or dns name of the host with the white ip> ssh '


And use it:
sshconnect <host name or gray ip of the host with the gray ip>

And the hostname with the "gray" IP must resolve to the "gray" IP on the host with the "white" IP. It does not need to resolve on the client PC. - morris.Hessel66 commented on October 3rd 19 at 04:39
Does this variant work for you? I also thought about it, but I get something like this:
$ ssh user@external "/usr/bin/ssh user@internal-123"
user@external's password:
Pseudo-terminal will not be allocated because stdin is not a terminal.
Permission denied, please try again.
Permission denied, please try again.
Permission denied (publickey,password).
- Deon.Pacocha14 commented on October 3rd 19 at 04:42
I forgot the -t option.
It must be
ssh -t user@external "/usr/bin/ssh user@internal-123"
- madyson16 commented on October 3rd 19 at 04:45
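The alias above makes the gateway's ssh resolve the gray name, but it ends the first session on the gateway and starts a second one. The same effect without a second session, so the admin's client talks to the device end to end and verifies the device's host key itself, is a jump-host stanza in ~/.ssh/config. The script below is an added example, not from the thread; it assumes a hypothetical gateway name gw.mydomain.com for the server with the white IP, that deviceID.mydomain.com resolves to the gray IP only on the gateway, and an OpenSSH client (ProxyJump needs 7.3 or later, the ProxyCommand form works on older clients).

```shell
#!/bin/sh
# Added example (not the thread's code). Assumed names: gw.mydomain.com is the
# gateway with the white IP; users "admin" (on devices) and "jump" (on the
# gateway) are placeholders.

# Choose the directive the local client understands, given the first line
# printed by `ssh -V` (e.g. "OpenSSH_8.9p1 Ubuntu-3ubuntu0.6, OpenSSL ...").
proxy_directive() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9]*\)\.\([0-9]*\).*/\1 \2/p')
    [ -n "$ver" ] || { echo "unrecognised ssh -V output: $1" >&2; return 1; }
    major=${ver% *}; minor=${ver#* }
    if [ "$major" -gt 7 ] || { [ "$major" -eq 7 ] && [ "$minor" -ge 3 ]; }; then
        echo "ProxyJump $2"
    else
        # Older clients: ask the gateway to open a TCP stream to %h:%p and use
        # it as the transport. %h is resolved by the gateway, not the admin PC.
        echo "ProxyCommand ssh -W %h:%p $2"
    fi
}

# The ~/.ssh/config stanza: every name under the domain goes via the gateway,
# except the gateway itself (otherwise ssh would try to jump through itself).
wildcard_stanza() {
    domain=$1; gateway=$2; directive=$3
    cat <<EOF
Host *.$domain !$gateway
    $directive
    User admin
    # The gateway only relays bytes; the device key stays on the admin PC,
    # so agent forwarding to the gateway is not needed.
    ForwardAgent no

Host $gateway
    User jump
    IdentityFile ~/.ssh/id_gateway
EOF
}

# Write the stanza with owner-only permissions (sshd refuses group/world-
# readable configs in some setups, and the file names the jump identity).
install_stanza() {
    target=$1; domain=$2; gateway=$3; directive=$4
    umask 077
    wildcard_stanza "$domain" "$gateway" "$directive" >> "$target"
}
```

Typical use: `install_stanza ~/.ssh/config mydomain.com gw.mydomain.com "$(proxy_directive "$(ssh -V 2>&1)" gw.mydomain.com)"`, after which `ssh device123.mydomain.com` works from the admin PC with any key-based login on the device. The gateway sees only an encrypted stream, which is what the question asks for (one session, not terminated on the server); the first connection still pins the device's host key in the admin's known_hosts, and a changed key is reported by the client, not hidden by the gateway.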
October 3rd 19 at 04:32
Nothing is clear. What kind of tunnel? How are the IP and the domain name issued? Are the device and the administrator's PC on the same LAN or not?
I will answer in order:
1. A GRE tunnel, encrypted so as not to expose the transmitted data on the Internet. The tunnel is between the sensor and the server on the Internet. The tunnel is initiated from the sensor, as it is behind the mobile operator's NAT. The tunnel is kept active.
2. After the tunnel is established, an entry deviceID = internal IP is created in the DNS server. Currently the IPs are set manually when configuring the sensor.
3. The devices and the admin/operator PCs are on different networks, but all have Internet access to the server. - morris.Hessel66 commented on October 3rd 19 at 04:35
Well, the answer to the question: a "direct" connection cannot be established; in any case everything goes through the server. Do the operators also connect via GRE, or just SSH? Where is the DNS, on the same server? - Deon.Pacocha14 commented on October 3rd 19 at 04:38
By "directly" I mean that there should be only one session between the admin's PC and the sensor. That it passes through the server is not scary; what matters is that the server does not terminate the ssh session.
The operators have only Internet access (EDGE/3G). The devices do GRE themselves; they run Linux (which version exactly I can't say right now).
DNS is currently running on the server. - morris.Hessel66 commented on October 3rd 19 at 04:41
Nothing good comes to mind. There is NAT, but ports must be specified there. There is a crutch: serverfault.com/questions/329529/virtual-hosts-for-ssh - Deon.Pacocha14 commented on October 3rd 19 at 04:44
October 3rd 19 at 04:34
Exactly "as written", of course, it cannot be done. There are commercial SSH implementations that can connect via a server: they connect to the gateway, and from it automatically to the host.

With OpenSSH you can do this: NAT and forward different ports to different hosts, say 22000 to one device, 22001 to another.
And so you don't have to remember the ports, give them different names: write in .ssh/config
Host bla1
    HostName <white ip>
    Port 22100

Host bla2
    HostName <white ip>
    Port 22101

and so on, making bla1 and bla2 aliases of the same white address. Then ssh bla1 will go to port 22100 and land on one device, ssh bla2 to port 22101 and reach the second, but of course only on the PC where the config is set up.

There is no better way.
As already mentioned, this option was considered, but for now I'm looking for other options. - morris.Hessel66 commented on October 3rd 19 at 04:37
As I said, there is no "virtual hosting" in the SSH protocol; there are no "other options" beyond the above. Either an ssh gateway or NAT. - Deon.Pacocha14 commented on October 3rd 19 at 04:40
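The port-per-device variant from this answer needs two things kept in step: the DNAT rules on the server and the Host entries on the admin PC. The script below is an added example, not the answer's own code; it generates both from one device list so they cannot drift apart. It assumes the server's white IP is passed as an argument, the tunnel interface toward the sensors is tun0, each device has a fixed gray IP, and the device list (three constructed entries) lives in the script.

```shell
#!/bin/sh
# Added example (not the thread's code). Assumptions: tun0 is the interface
# toward the sensors, device gray IPs are fixed, ports start at 22100.

# Constructed device list: "alias gray_ip", one per line.
DEVICES='device101 10.0.1.1
device102 10.0.1.2
device103 10.0.1.3'
BASE_PORT=22100

# Public port for the n-th device (n starts at 0).
device_port() { echo $((BASE_PORT + $1)); }

# Print (do not run) the iptables commands for all devices.
dnat_rules() {
    white_ip=$1; n=0
    echo "sysctl -w net.ipv4.ip_forward=1"
    # Return traffic of already-accepted flows.
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    printf '%s\n' "$DEVICES" | while read -r name gray; do
        port=$(device_port "$n")
        # Public side: WHITE_IP:port becomes gray:22.
        echo "iptables -t nat -A PREROUTING -d $white_ip -p tcp --dport $port -j DNAT --to-destination $gray:22"
        # Allow exactly that forwarded flow toward the sensor.
        echo "iptables -A FORWARD -o tun0 -d $gray -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT"
        # Source-NAT to the tunnel address so the sensor's replies come back
        # through the tunnel instead of out via the cellular uplink. The
        # sensor then sees the server, not the admin, as the peer.
        echo "iptables -t nat -A POSTROUTING -o tun0 -d $gray -p tcp --dport 22 -j MASQUERADE"
        n=$((n + 1))
    done
    # Nothing else is forwarded into the sensor network.
    echo "iptables -A FORWARD -o tun0 -j DROP"
}

# Matching ~/.ssh/config entries for the admin PC. All devices share the
# same HostName; OpenSSH stores host keys as [white_ip]:port, so each
# device's key is still tracked separately in known_hosts.
ssh_config_entries() {
    white_ip=$1; n=0
    printf '%s\n' "$DEVICES" | while read -r name gray; do
        printf 'Host %s\n    HostName %s\n    Port %s\n\n' "$name" "$white_ip" "$(device_port "$n")"
        n=$((n + 1))
    done
}
```

Run `dnat_rules 203.0.113.10 | sh` on the server (after reviewing the output) and append `ssh_config_entries 203.0.113.10` to ~/.ssh/config on the admin PC. Unlike a jump host, this exposes each device's sshd directly on the public address, so every sensor must be hardened as if it were on the Internet (keys only, no root login), and the FORWARD rules above are what keeps a single opened port from turning into a route into the whole gray network.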
October 3rd 19 at 04:36
You can do this through authorized_keys.

Set up a special user and add the keys of all the clients to his ~/.ssh/authorized_keys.
Next to each key you can specify additional ssh options, including a command parameter that forces a command for authentication with this key; make that command start a local ssh session.
The result is something like:
command="ssh 10.0.1.1" ssh-rsa AAA...A+p1 client1
command="ssh 10.0.1.2" ssh-rsa AAA...A+p1 client2
...


Then all the clients just connect to the main server on its usual port.

For authentication on the inner devices there are options, for example put the private keys for them on the main server and specify them with the -i option in the command.
If password authentication is required, you can simply create N users on the gateway, each with a script as its shell that triggers the further connection into the internal network. - morris.Hessel66 commented on October 3rd 19 at 04:39
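The bare command="ssh 10.0.1.1" line works, but as written the key can still request port forwarding, agent forwarding and X11 through the gateway, and the inner ssh inherits whatever command the client asked for only by accident. The script below is an added example, not the answer's own code, showing the hardened form: the authorized_keys line uses restrict (plus pty, since the inner session needs a terminal), the device is fixed by the line and never taken from the client, and the client's requested command is passed through to the device only after validation of the device id. The gateway user "jump", the wrapper path /usr/local/bin/jump-to, the key directory /etc/jump/keys and the device user "admin" are assumed names.

```shell
#!/bin/sh
# Added example (not the thread's code). Assumed names: /usr/local/bin/jump-to
# is this wrapper on the gateway, /etc/jump/keys/<device> holds the per-device
# private key (readable only by the gateway user), devices accept user "admin".

# One authorized_keys line per client key. "restrict" disables port, agent and
# X11 forwarding and pty allocation; "pty" re-enables the terminal so the
# inner interactive ssh works. The device id is baked in, not client-chosen.
forced_line() {
    device=$1; pubkey=$2
    printf 'restrict,pty,command="/usr/local/bin/jump-to %s" %s\n' "$device" "$pubkey"
}

# The wrapper body. sshd sets SSH_ORIGINAL_COMMAND to what the client asked
# for; we forward it as the remote command (e.g. `ssh jump@gw uptime`), or
# open a shell on the device when it is empty. DRY_RUN=1 prints the command
# instead of exec'ing it, which is what the checks use.
jump_to() {
    device=$1
    case $device in
        *[!A-Za-z0-9._-]*|"") echo "bad device id" >&2; return 2 ;;
    esac
    keyfile="/etc/jump/keys/$device"
    # BatchMode stops the inner ssh from ever prompting on the gateway; only
    # the per-device key can authenticate, never a typed password.
    set -- ssh -i "$keyfile" -o BatchMode=yes "admin@$device.mydomain.com"
    if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
        set -- "$@" "$SSH_ORIGINAL_COMMAND"
    fi
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; return 0; fi
    exec "$@"
}

# When installed as the wrapper, run with the device id sshd passes in.
case $0 in
    */jump-to) jump_to "$1" ;;
esac
```

On the gateway, `forced_line dev123 "$(cat client1.pub)" >> ~jump/.ssh/authorized_keys` registers one client for one device; the client then runs plain `ssh jump@gw.mydomain.com` (or with a trailing command) and lands on dev123. This is the gateway-terminated variant the question's author wanted to avoid: the gateway holds the device keys and sees the plaintext, so it is the right fit for the third-party operators mentioned later in the thread, who should not get a full login on the server, and the wrong fit for admins who need end-to-end sessions.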
October 3rd 19 at 04:38
Tell me, is it possible to do it like this?
1. The admin PC sends a request for ssh deviceID.mydomain.com. Only my DNS server answers that request.
2. When answering the DNS request, the server looks at the SRC IP and PORT fields and creates a temporary entry in the forwarding table.
SRC IP1 PORT1 DST IP SERVER PORT 22 => SRC IP1 PORT1 DST IP HOST123 PORT 22
3. When a request comes from another PC, it will have different SRC IP and PORT values and consequently its own entry.
deviceID.mydomain.com = IP HOST123 - morris.Hessel66 commented on October 3rd 19 at 04:41
Share whatever you're on, too!

What happens with your contraption if:
1. One client tries to connect to two different gray hosts? Even one after another?
2. Several clients work from one IP (terminal server/NAT/several different consoles)?

And yes... I'm afraid you will have to write your own DNS server implementation. - Deon.Pacocha14 commented on October 3rd 19 at 04:44
Yes, I understand that it's science fiction =) but maybe someone will come across an interesting idea. - morris.Hessel66 commented on October 3rd 19 at 04:47
Well, I'll still try to answer your questions for fun =)
1. The client connects to 2 hosts, i.e. makes requests for deviceID1 and deviceID2; accordingly there will be two different entries in the NAT translation.
2. It will be no different from the usual situation where one PC has several sessions open. Each session has a unique SRC PORT. When passing through NAT this value is (usually) preserved or reassigned to something more unique.
It doesn't have to be done in DNS. It would be necessary to write a small module that tracks the resolves and creates/deletes entries in the NAT translation. - Deon.Pacocha14 commented on October 3rd 19 at 04:50
No, your 1 and 2 will not work.

The client with IP1 connects the first time: you create the flow from IP1 to port 22 -> DNAT to IntIP1:22
When it connects the second time (while the first session is active), you need to create a flow from IP1 to port 22 -> DNAT to IntIP2:22, which is impossible without removing the first. The DNS server doing the resolution knows nothing about SRC ports, let alone which port the system will pick for the connection being established. In total, more than one session to one remote address cannot be made.

Nonsense you've come up with, really. - madyson16 commented on October 3rd 19 at 04:53
Yes, I agree. Smashed to smithereens. As they say, hope dies last.
It's just that I can't shake the thought that there is no elegant solution for such a problem =( so all kinds of gibberish comes into my head. - Deon.Pacocha14 commented on October 3rd 19 at 04:56
This solution is not inelegant, it is not a solution ;) - Casper commented on October 3rd 19 at 04:59
October 3rd 19 at 04:40
In my opinion the easiest is to set up a VPN server on it; the admin connects via VPN to the server and easily reaches all the addresses of the internal devices directly.
That's understandable. Simple and obvious solutions are clear and obvious. I want to find a beautiful solution. Plus I didn't mention this point: the operators who initiate the ssh sessions are users from 3 companies, and I don't want to let them onto our server. There's already so much mess with security there that this would look like an innocent prank. - morris.Hessel66 commented on October 3rd 19 at 04:43
With a VPN they are not let onto the server at all; the traffic is simply sent to the target devices through the server. In any case that's how it works.

But if it's done as suggested above, with the keys on the server etc., then yes.

If there weren't so many devices (10-30), I'd just set up the forwarding on different ports and made the config file as advised above, but since there are many devices, and most likely more will be added, VPN is the best idea.
Allow the VPN users access only to the necessary hosts/networks, and the problem is solved. - Deon.Pacocha14 commented on October 3rd 19 at 04:46
Then I'd have to make sure that everyone who connects is able to set up a VPN, and support those users. Among those who connect there are not only staff (knowledgeable people) but also many ordinary operators (regular users) who connect following a sheet of paper and perform standard actions. - morris.Hessel66 commented on October 3rd 19 at 04:49
Why do you need someone to maintain it? Write standard instructions for connecting to the VPN for the main OSes and send them to all the clients.
If people connect from the same organization (network), their admin configures the VPN (not on their local machines but on their own equipment, with the routes). - Deon.Pacocha14 commented on October 3rd 19 at 04:52
October 3rd 19 at 04:42
You can, using iptables.
