SSH Tunneling for CPRS
Latest revision as of 22:56, 9 August 2012
Marc Krawitz contributed this tutorial to Hardhats. It is reproduced here as it appeared on Hardhats@googlegroups.com (http://groups-beta.google.com/group/Hardhats/t/e586004c6890f228?hl=en), 11/29/2006 9:11 PM.
[Hardhats] Tutorial on ssh tunneling with CPRS
It took me all day to figure this out, so I thought I would share. The goal here is to enable CPRS to work remotely by communicating over the public internet when the target VistA linux server only exposes port 22 (ssh). The channel needs to be (and is) encrypted, of course.
To do this, make the following changes to /etc/ssh/sshd_config on your linux server:
AllowTcpForwarding yes
GatewayPorts yes
TCPKeepAlive yes
ClientAliveInterval 10
ClientAliveCountMax 99999
Restart sshd:
/etc/init.d/sshd restart
Next, create a dedicated linux account with username 'remoteaccess'. This account will be used to handle the ssh connections. In this example, I will use an example password of remotepw. For security purposes, change the shell of 'remoteaccess' to rbash, which is a restricted shell:
#chsh -s /usr/bin/rbash remoteaccess
(On some distributions, e.g. Ubuntu, the shell is found at /bin/rbash.) Its location can be checked with:
$whereis rbash
Next, edit the .bashrc file for remoteaccess as follows:
# Exit cleanly on the usual termination signals instead of dropping to a prompt.
trap exit SIGINT SIGTERM SIGQUIT SIGHUP
# Disable the suspend character (Ctrl-Z) so the loop below cannot be stopped.
stty susp \000
echo "For remote access to VistA only..."
# Hold the session open for as long as the tunnel is in use.
while [ true ]
do
  sleep 60000000
done
You are now done setting things up on the linux side. Now we proceed with the Windows client which runs CPRS:
1) Obtain plink.exe from the web. It's essentially a command-line version of PuTTY.
2) Create the following shortcut on your desktop. This assumes you have your RPC broker on linux listening on port 9000. Change as needed. local-ip-of-linux-server is the internal IP address of the linux server on the network in which it resides. remote-ip-of-linuxserver is the IP address used to access it on the public internet.
plink.exe -N -ssh -l remoteaccess -pw remotepw -L 9000:local-ip-of-linux-server:9000 remote-ip-of-linuxserver
(local-ip-of-linux-server will normally be 127.0.0.1)
Configure the shortcut to run minimized.
3) Create the following second shortcut on your desktop:
CPRSChart.exe S=localhost P=9000 CCOW=DISABLE
To get this to work, simply start the 1st shortcut and leave it running minimized on your taskbar for the duration of the time in which you will be using CPRS. Then click on the second shortcut to start CPRS. All communication between CPRS and the server should then occur over the encrypted connection established by plink on port 22.
If anyone has suggestions for improvement, feel free to comment. Also, please review for security holes.
Thanks,
Marc
reference: http://gentoo-wiki.com/TIP_SSH_Reverse_Tunnel
--gra'pa Z 20:57, 1 Dec 2006 (CST)
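Marc's post asks for a security review. The sshd_config lines above turn on TCP forwarding for every account on the server and rely on rbash plus the .bashrc loop to keep the remoteaccess account from doing anything else; sshd itself can enforce that with a Match block that confines the account to one local forward, to the RPC broker on 127.0.0.1:9000. The script below is an added example, not part of the original post or of the VistA/CPRS distribution. The user name (remoteaccess) and broker port (9000) follow the tutorial, the two sshd_config samples it audits are constructed inline, and the Match block assumes OpenSSH 6.2 or later, which accepts "AllowTcpForwarding local".

```sh
#!/bin/sh
# Added example, not from the original Hardhats post: a tighter sshd_config
# for the tunnel-only account, and a small audit of the settings the tutorial
# changes. User name (remoteaccess) and broker port (9000) follow the post.
# The Match block assumes OpenSSH >= 6.2 ("AllowTcpForwarding local").

# Emit a Match block that lets the tunnel user forward only to the broker
# port on the server's loopback interface, with no TTY, X11 or agent access.
hardened_match_block() {
    hm_user=${1:-remoteaccess}
    hm_port=${2:-9000}
    cat <<EOF
Match User $hm_user
    AllowTcpForwarding local
    PermitOpen 127.0.0.1:$hm_port
    GatewayPorts no
    PermitTTY no
    X11Forwarding no
    AllowAgentForwarding no
EOF
}

# Constructed sample: the global settings the tutorial adds to sshd_config.
tutorial_config() {
    cat <<'EOF'
AllowTcpForwarding yes
GatewayPorts yes
TCPKeepAlive yes
ClientAliveInterval 10
ClientAliveCountMax 99999
EOF
}

# Constructed sample: same keepalive behaviour, forwarding off globally and
# enabled only for the tunnel user through the Match block above.
hardened_config() {
    cat <<'EOF'
AllowTcpForwarding no
GatewayPorts no
TCPKeepAlive yes
ClientAliveInterval 10
ClientAliveCountMax 3
EOF
    hardened_match_block remoteaccess 9000
}

# True when keyword $2 has value $3 in the global section of file $1 (the
# part before any Match line). Keywords are case-insensitive in sshd_config.
global_has() {
    awk -v k="$2" -v v="$3" '
        tolower($1) == "match" { exit }
        tolower($1) == k && tolower($2) == v { f = 1 }
        END { exit !f }' "$1"
}

# True when the "Match User $2" block in file $1 contains a PermitOpen line.
user_has_permitopen() {
    awk -v u="$2" '
        tolower($1) == "match" { inblk = (tolower($2) == "user" && $3 == u); next }
        inblk && tolower($1) == "permitopen" { f = 1 }
        END { exit !f }' "$1"
}

# Print one finding per line for config file $1 and return the number of
# findings, so a return of 0 means nothing to report.
audit_sshd_config() {
    cfg=$1
    user=${2:-remoteaccess}
    n=0
    if global_has "$cfg" allowtcpforwarding yes; then
        echo "AllowTcpForwarding yes is global: every account may forward, not just $user"
        n=$((n + 1))
    fi
    if global_has "$cfg" gatewayports yes; then
        echo "GatewayPorts yes is global: -R forwards bind on all interfaces; the -L tunnel does not need it"
        n=$((n + 1))
    fi
    if awk 'tolower($1) == "match" { exit }
            tolower($1) == "clientalivecountmax" && $2 + 0 > 3 { f = 1 }
            END { exit !f }' "$cfg"; then
        echo "ClientAliveCountMax above the default of 3: dead sessions linger for ClientAliveInterval*ClientAliveCountMax seconds"
        n=$((n + 1))
    fi
    if ! user_has_permitopen "$cfg" "$user"; then
        echo "no PermitOpen for $user: any host:port reachable from the server can be tunnelled"
        n=$((n + 1))
    fi
    return "$n"
}

# Audit both constructed samples and report the finding count for each.
demo() {
    for name in tutorial hardened; do
        f=$(mktemp)
        "${name}_config" > "$f"
        echo "== $name config =="
        rc=0
        audit_sshd_config "$f" || rc=$?
        echo "($rc finding(s))"
        rm -f "$f"
    done
}

demo
```

To apply the Match block, append it to /etc/ssh/sshd_config, check the file with sshd -t, and reload sshd. With the forward pinned by PermitOpen, plink's -L 9000:127.0.0.1:9000 still works, but a -L to any other destination is refused by the server. Putting -pw in a shortcut also leaves the password readable in the shortcut and in the process list; plink accepts -i with a PuTTY private key instead.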