SSH over SSL

Client Stunnel Config

Install stunnel

$ sudo yum install -y stunnel

Certificates

The certificates have already been created in the previous section.

Only client1.pem needs to be created here: concatenate the client certificate and key into one PEM file and reference it in the Stunnel config, so that Stunnel presents client1.pem when it initiates SSL with HAProxy.

$ cd /home/cloud/certs/client1

$ cat client1.crt client1.key > client1.pem

$ chmod 400 client1.pem

Configure stunnel to accept SSH on local port 8088 and tunnel it over SSL to HAProxy on port 443 (https):

Create the config file for SSH over SSL.

vi /etc/stunnel/stunnel.conf

Write the following:

pid = /stunnel.pid
client = yes
fips = no
foreground = yes
cert = /home/cloud/certs/client1/client1.pem
chroot = /var/run/stunnel
setuid = nobody
setgid = nobody
output = stunnel.log

[ssh]
accept = 127.0.0.1:8088
connect = 1.0.0.5:443
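As an added check that is not part of the original write-up, the POSIX shell lint below reads the client config above and reports what a reviewer would want fixed before trusting the tunnel: as written, the config has no verify or CAfile, so stunnel accepts whatever certificate is presented on 1.0.0.5:443. The embedded sample config is the page's own; the return value is the number of findings, so 0 means every check passed.

```shell
#!/bin/sh
# Added example (not from the page): lint a stunnel client config for the
# SSH-over-SSL setup above. Findings are printed one per line; the return
# value is the number of findings, so 0 means the config passed every check.

# Write the page's client config to $1 (sample input, constructed inline).
write_sample_conf() {
  cat > "$1" <<'EOF'
pid = /stunnel.pid
client=yes
fips=no
foreground=yes
cert = /home/cloud/certs/client1/client1.pem
chroot = /var/run/stunnel
setuid = nobody
setgid = nobody
output = stunnel.log
[ssh]
accept = 127.0.0.1:8088
connect = 1.0.0.5:443
EOF
}

# conf_get FILE KEY: value of the first "KEY = value" line ('=' spacing optional).
conf_get() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# lint_stunnel_conf FILE: the checks a reviewer makes before trusting the tunnel.
lint_stunnel_conf() {
  conf=$1; n=0
  [ "$(conf_get "$conf" client)" = "yes" ] || { echo "client must be yes"; n=$((n+1)); }
  [ -n "$(conf_get "$conf" cert)" ] || { echo "no client cert for mutual TLS"; n=$((n+1)); }
  # Without verify >= 2 stunnel accepts whatever certificate the server presents,
  # so the tunnel cannot tell HAProxy from anything else answering on 1.0.0.5:443.
  v=$(conf_get "$conf" verify)
  if [ -z "$v" ] || [ "$v" -lt 2 ]; then
    echo "verify missing or below 2: server certificate is not checked"; n=$((n+1))
  fi
  [ -n "$(conf_get "$conf" CAfile)" ] || { echo "CAfile missing: no CA to verify the server against"; n=$((n+1)); }
  for k in setuid setgid chroot; do
    [ -n "$(conf_get "$conf" "$k")" ] || { echo "$k missing: stunnel keeps the privileges it was started with"; n=$((n+1)); }
  done
  acc=$(conf_get "$conf" accept)
  case "$acc" in 127.0.0.1:*|localhost:*) ;; *) echo "accept '$acc' is not loopback-only"; n=$((n+1)) ;; esac
  return "$n"
}
```

Run it against the page's config and it reports the two missing verification settings; add verify = 2 and a CAfile pointing at the CA that signed the HAProxy certificate and it passes.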

Start Stunnel

$ sudo stunnel /etc/stunnel/stunnel.conf

LOG5[8088:140150046664640]: stunnel 4.29 on x86_64-redhat-linux-gnu with OpenSSL 1.0.1e-fips

LOG5[8088:140150046664640]: Threading:PTHREAD SSL:ENGINE,FIPS Sockets:POLL,IPv6 Auth:LIBWRAP

LOG5[8088:140150046664640]: 500 clients allowed

$ ps -aux | grep stunnel

Warning: bad syntax, perhaps a bogus '-'? See /usr/share/doc/procps-3.2.8/FAQ

root 8086 0.0 0.1 189704 3356 pts/0 S+ 12:14 0:00 sudo stunnel /etc/stunnel/stunnel.conf

nobody 8088 0.0 0.1 109240 3356 pts/0 S+ 12:14 0:00 stunnel /etc/stunnel/stunnel.conf

nobody 8089 0.0 0.0 43636 1068 pts/0 S+ 12:14 0:00 stunnel /etc/stunnel/stunnel.conf

nobody 8090 0.0 0.0 43636 856 pts/0 S+ 12:14 0:00 stunnel /etc/stunnel/stunnel.conf

nobody 8091 0.0 0.0 43636 856 pts/0 S+ 12:14 0:00 stunnel /etc/stunnel/stunnel.conf

nobody 8092 0.0 0.0 43636 856 pts/0 S+ 12:14 0:00 stunnel /etc/stunnel/stunnel.conf

nobody 8093 0.0 0.0 43636 856 pts/0 S+ 12:14 0:00 stunnel /etc/stunnel/stunnel.conf

Test the SSH over SSL

HAProxy distributes each SSH connection from the client to one of the two backend servers at random.

$ ssh -p 8088 localhost

The authenticity of host '[localhost]:8088 ([127.0.0.1]:8088)' can't be established.

Are you sure you want to continue connecting (yes/no)? yes

Warning: Permanently added '[localhost]:8088' (RSA) to the list of known hosts.

cloud@localhost's password:

[cloud@CentOS66x64-Unused ~]$ ifconfig

inet addr:1.0.0.1 Bcast:1.0.0.255 Mask:255.255.255.0

Stunnel Logs on Console

LOG5[8088:140150046660352]: ssh accepted connection from 127.0.0.1:48413

LOG5[8088:140150046660352]: connect_blocking: connected 1.0.0.5:443 <----- HAProxy

LOG5[8088:140150046660352]: ssh connected remote server from 1.0.0.6:41178 <---- client

LOG5[8088:140150046660352]: Connection closed: 2765 bytes sent to SSL, 4213 bytes sent to socket