Difference between revisions of "SSH Tunneling for CPRS"

From VistApedia
Revision as of 02:53, 2 December 2006

Marc Krawitz contributed this tutorial to Hardhats 11/29/2006. It is reproduced here as it appears on Hardhats@googlegroups.com.

[Hardhats] Tutorial on ssh tunneling with CPRS

It took me all day to figure this out, so I thought I would share. The goal here is to enable CPRS to work remotely by communicating over the public internet when the target VistA linux server only exposes port 22 (ssh). The channel needs to be (and is) encrypted of course.


To do this, make the following changes to /etc/ssh/sshd_config on your linux server:

AllowTcpForwarding yes
GatewayPorts yes
TCPKeepAlive yes
ClientAliveInterval 10
ClientAliveCountMax 99999

Restart sshd:

/etc/init.d/sshd restart

Next, create a dedicated linux account with username 'remoteaccess'. This account will be used to handle the ssh connections. In this example, I will use an example password of remotepw. For security purposes, change the shell of 'remoteaccess' to rbash which is a restricted shell:

chsh -s /usr/bin/rbash remoteaccess

Next, edit the .bashrc file for remoteaccess as follows:

# Exit the session if the client tries to interrupt or hang up this script
trap exit SIGINT SIGTERM SIGQUIT SIGHUP
# Disable the suspend character (Ctrl-Z) so the loop cannot be stopped
stty susp \000
echo "For remote access to VistA only..."
# Hold the session open; the ssh port forward stays up while this runs
while true
do
       sleep 60000000
done
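The sshd_config lines above and the dedicated 'remoteaccess' account are the two places a reviewer would look first. The following is an added example, not code from the original post: it parses an sshd_config text (including `Match User` blocks), works out the settings sshd would apply to a given user, and reports the points that matter for an account whose only job is to carry a port forward. Both configurations embedded in it are constructed; the hardened one assumes that 'remoteaccess' only ever needs to reach the RPC Broker on port 9000 of the server itself, and the parser only models `Match User` criteria, not `Group`, `Host` or `Address`.

```python
"""Check sshd_config settings that apply to a dedicated tunnel account.

Added example for this page, not part of the original tutorial.
"""

# Constructed excerpt: the five directives from the tutorial, with the
# password-authentication default written out so the checker does not
# need to know sshd's compiled-in defaults.
TUTORIAL_CONFIG = """
AllowTcpForwarding yes
GatewayPorts yes
TCPKeepAlive yes
ClientAliveInterval 10
ClientAliveCountMax 99999
PasswordAuthentication yes
"""

# Constructed tighter variant (assumption: the account only needs to
# reach the RPC Broker on localhost:9000 of the server).
HARDENED_CONFIG = """
AllowTcpForwarding no
GatewayPorts no
TCPKeepAlive yes
ClientAliveInterval 10
ClientAliveCountMax 3
PasswordAuthentication no

Match User remoteaccess
    AllowTcpForwarding local
    PermitOpen localhost:9000
    PermitTTY no
    X11Forwarding no
    AllowAgentForwarding no
    ForceCommand /bin/false
"""


def parse_sshd_config(text):
    """Return (global_settings, match_blocks).

    match_blocks is a list of (criteria, settings); criteria is the token
    list after 'Match'. Keys are lower-cased. PermitOpen may repeat, so it
    is collected into a list. Only the 'key value' form is handled.
    """
    global_settings = {}
    blocks = []
    current = global_settings
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            current = {}
            blocks.append((value.split(), current))
            continue
        if key == "permitopen":
            current.setdefault(key, []).extend(value.split())
        else:
            current[key] = value
    return global_settings, blocks


def effective_settings(text, user):
    """Settings sshd applies to `user`: matching Match blocks override globals."""
    global_settings, blocks = parse_sshd_config(text)
    effective = dict(global_settings)
    for criteria, settings in blocks:
        # Assumption: only 'Match User name[,name...]' is modelled here.
        if (len(criteria) >= 2 and criteria[0].lower() == "user"
                and user in criteria[1].split(",")):
            effective.update(settings)
    return effective


def review_tunnel_account(text, user, broker_port):
    """Return a list of findings for an account used only for port forwarding."""
    eff = effective_settings(text, user)
    findings = []

    forwarding = eff.get("allowtcpforwarding", "yes").lower()
    if forwarding in ("yes", "all", "local"):
        allowed = eff.get("permitopen")
        if not allowed or "any" in allowed:
            findings.append(
                f"{user} can forward to any host reachable from the server; "
                f"add 'PermitOpen localhost:{broker_port}' in a Match User block")

    if eff.get("gatewayports", "no").lower() == "yes":
        findings.append("GatewayPorts yes only affects remote (-R) forwards and "
                        "binds them on all interfaces; not needed for a -L tunnel")

    interval = int(eff.get("clientaliveinterval", "0") or 0)
    count = int(eff.get("clientalivecountmax", "3") or 3)
    if interval and interval * count > 3600:
        findings.append(f"ClientAliveInterval*ClientAliveCountMax = {interval * count}s: "
                        "dead sessions are in practice never reaped")

    if eff.get("passwordauthentication", "yes").lower() == "yes":
        findings.append("password authentication is enabled; a password stored in a "
                        "desktop shortcut (-pw) is readable on the client; use a key pair")

    if eff.get("permittty", "yes").lower() == "yes":
        findings.append("PermitTTY yes: only the rbash/.bashrc loop stands between the "
                        "account and an interactive shell; set PermitTTY no")
    return findings


if __name__ == "__main__":
    for name, cfg in (("tutorial", TUTORIAL_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, review_tunnel_account(cfg, "remoteaccess", 9000))
```

Run against the tutorial settings the checker reports five findings; against the hardened variant it reports none. With `PermitTTY no` and a `ForceCommand` in place the sleep loop in `.bashrc` is no longer what keeps the account non-interactive, and `PermitOpen` limits what a `-L` forward through this account can reach to the broker port alone. Validate any real edit with `sshd -t` before restarting the daemon.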


You are now done setting things up on the linux side. Now we proceed with the Windows client which runs CPRS:

1) Obtain plink.exe from the web. It's essentially a command line version of PuTTY.

2) Create the following shortcut on your desktop. This assumes you have your RPC broker on linux listening on port 9000. Change as needed. local-ip-of-linux-server is the internal IP address of the linux server on the network in which it resides. remote-ip-of-linuxserver is the IP address used to access it on the public internet.

plink.exe -N -ssh -l remoteaccess -pw remotepw -L 9000:local-ip-of-linux-server:9000 remote-ip-of-linuxserver

Configure the shortcut to run minimized.

3) Create the following second shortcut on your desktop:

CPRSChart.exe S=localhost P=9000 CCOW=DISABLE

To get this to work, simply start the 1st shortcut and leave it running minimized on your taskbar for the duration of the time in which you will be using CPRS. Then click on the second shortcut to start CPRS. All communication between CPRS and the server should then occur over the encrypted connection established by plink on port 22.

If anyone has suggestions for improvement, feel free to comment. Also, please review for security holes.

Thanks,

Marc