Generate the access key pair, for example with the following command:
ssh-keygen -t ecdsa -b 521
It produces two files: the private key (keep it on the client, protected by the passphrase ssh-keygen asks for) and the public key (the ".pub" file).
On the client computer, add an entry like the following to "~/.ssh/config" (the OpenSSH client configuration):
Host funny.com
    User warrawan
    IdentityFile ~/path/keys/id_ecdsa
    Port 12391
The public key generated above must be placed under the server's "/etc/ssh/users" directory with the ownership and permissions below. sshd's StrictModes check (on by default) refuses a key file if it, or any directory on its path, is writable by group or others, or is owned by anyone other than root or the user being authenticated. With this layout a user can replace only their own key file, never the directory it lives in.
"/etc/ssh/users" owned by root, mode rwxr-xr-x (0755).
"/etc/ssh/users/username" owned by root, mode rwxr-xr-x (0755).
"/etc/ssh/users/username/id_ecdsa.pub" owned by the target user "username", mode rw-r--r-- (0644).
Edit "/etc/ssh/sshd_config": restrict logins to the needed accounts (for example "AllowUsers warrawan"), change the listening port ("Port 12391" in this example, matching the client configuration above), and make sure the following options are set:
AuthorizedKeysFile /etc/ssh/users/%u/id_ecdsa.pub
AuthenticationMethods publickey
PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
PermitRootLogin prohibit-password
With these, public-key authentication is the only method sshd accepts. Note that "PermitRootLogin prohibit-password" still lets root log in with a key placed in "/etc/ssh/users/root/id_ecdsa.pub"; set "PermitRootLogin no" if root logins are not needed.
Make the SSH server start on boot, and start it now (for OpenBSD):
rcctl enable sshd
rcctl start sshd
Check that the SSH server is running (the bracket keeps grep from matching its own command line):
ps -A | grep '[s]shd'
Also check which network ports are listening: sshd should appear on TCP port 12391 and nothing should be listening on the default port 22.
Use the following commands to display the SSH server's host key fingerprint (SHA256 by default, or MD5 for older clients), so that users can verify it when they connect for the first time. Repeat for each host key in "/etc/ssh/ssh_host_*_key.pub":
ssh-keygen -l -f /etc/ssh/ssh_host_ecdsa_key.pub
ssh-keygen -l -E md5 -f /etc/ssh/ssh_host_ecdsa_key.pub
In this example the server "funny.com" (the gateway front-end, with user "warrawan" and an OpenSSH server listening on TCP port 12391) is asked by the back-end to start a SOCKS proxy listening on TCP port 12362. The back-end initiates the SSH connection and requests the proxy as a remote forward, so connections made to port 12362 on the gateway are carried back through the SSH session and leave from the back-end.
Network resources reachable from the back-end will therefore be accessible through that SOCKS proxy to everybody who can connect to port 12362 on "funny.com". The proxy itself performs no authentication, so treat that port as an entry point into the back-end network: restrict who can reach it (firewall rules, or leave it bound to the gateway's loopback address, which is the default unless the gateway feature below is enabled, and require an SSH login to the gateway to use it).
Create a service unit on the back-end, "/etc/systemd/system/ssh_gateway_init.service" (for GNU/Linux with systemd):
[Unit]
Description=Initiate an OpenSSH connection.
After=network.target

[Service]
# -N: no remote command; -T: no tty. ServerAliveInterval detects a dead link so the
# service exits and is restarted. ExitOnForwardFailure makes ssh exit (and be restarted)
# when the gateway refuses the listener, e.g. because port 12362 is already in use.
# -R with a port but no host:port opens a reverse SOCKS proxy on the gateway (OpenSSH 7.6+).
# This runs as root, so warrawan's private key must be in /root/.ssh (or given with -i)
# and funny.com's host key must already be in /root/.ssh/known_hosts.
ExecStart=/usr/bin/ssh -NT -o ServerAliveInterval=60 -o ExitOnForwardFailure=yes -R 12362 -p 12391 warrawan@funny.com
# Restart every >2 seconds to avoid StartLimitInterval failure
RestartSec=5
Restart=always

[Install]
WantedBy=multi-user.target
Reload systemd so it sees the new unit (systemctl daemon-reload), then enable and start the service:
systemctl enable ssh_gateway_init.service
systemctl start ssh_gateway_init.service
Set up the OpenSSH server on the front-end computer as described above.
Review the security settings and enable the gateway feature in the front-end's "/etc/ssh/sshd_config" (the "GatewayPorts" directive, which lets a remote forward such as the "-R 12362" above bind to a non-loopback address; without it the SOCKS port is reachable only from the gateway itself).
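As an added example (not code from the original page), the following POSIX shell script audits a front-end for what this page asks of it: the key-directory modes that sshd's StrictModes enforces for the "/etc/ssh/users" layout, and the sshd_config directives listed earlier plus the gateway feature. The port, account and path values are the ones used on this page; the GatewayPorts, AllowTcpForwarding and PermitListen settings and the Match block layout are my assumptions about how to enable the gateway feature for the gateway account only, and the sample sshd_config the script writes is constructed for the demo.

```shell
#!/bin/sh
# Audit of the gateway front-end's OpenSSH setup (added example, not from the page).
# Assumed: the /etc/ssh/users/<user>/id_ecdsa.pub layout and directive values from the
# text; GatewayPorts, AllowTcpForwarding and PermitListen are assumed gateway settings.

# 0 if PATH exists and is neither group- nor world-writable: the part of sshd's StrictModes
# check that can be tested without root. Parses the mode string printed by ls -ld.
not_gw_writable() {
    mode=$(ls -ld "$1" 2>/dev/null | cut -c1-10)
    [ -n "$mode" ] || return 1
    case "$mode" in
        ?????w*|????????w?) return 1 ;;   # group write bit (col 6) or other write bit (col 9)
    esac
    return 0
}

# Check the key layout for USER under BASE (default /etc/ssh/users): the base directory,
# the per-user directory and the public key file must all resist changes by other users.
check_key_layout() {
    base=${2:-/etc/ssh/users}
    for p in "$base" "$base/$1" "$base/$1/id_ecdsa.pub"; do
        not_gw_writable "$p" || { echo "bad mode or missing: $p" >&2; return 1; }
    done
    [ -f "$base/$1/id_ecdsa.pub" ]
}

# Print the effective value of directive KEY in sshd_config FILE. sshd takes the first
# occurrence and keywords are case-insensitive; directives inside a Match block apply only
# conditionally, so reading stops at the first Match line. "Key=Value" form is accepted.
sshd_directive() {
    awk -v key="$(echo "$2" | tr 'A-Z' 'a-z')" '
        { sub(/^[ \t]+/, "") }
        /^#/ || /^$/ { next }
        { n = split($0, f, /[ \t=]+/) }
        tolower(f[1]) == "match" { exit }
        tolower(f[1]) == key { s = f[2]; for (i = 3; i <= n; i++) s = s " " f[i]; print s; exit }
    ' "$1"
}

# Compare FILE against the hardening directives from the text plus the gateway settings.
check_sshd_config() {
    rc=0
    for pair in \
        "Port 12391" \
        "AllowUsers warrawan" \
        "AuthorizedKeysFile /etc/ssh/users/%u/id_ecdsa.pub" \
        "AuthenticationMethods publickey" \
        "PubkeyAuthentication yes" \
        "PasswordAuthentication no" \
        "PermitEmptyPasswords no" \
        "PermitRootLogin prohibit-password" \
        "GatewayPorts yes" \
        "AllowTcpForwarding no"; do
        key=${pair%% *}; want=${pair#* }
        got=$(sshd_directive "$1" "$key")
        if [ "$got" != "$want" ]; then
            echo "$key: want '$want', got '${got:-<unset>}'" >&2
            rc=1
        fi
    done
    return $rc
}

# Constructed front-end sshd_config for funny.com, written to FILE for the demo and tests.
write_sample_config() {
    cat > "$1" <<'EOF'
Port 12391
AllowUsers warrawan
AuthorizedKeysFile /etc/ssh/users/%u/id_ecdsa.pub
AuthenticationMethods publickey
PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
PermitRootLogin prohibit-password
# GatewayPorts lets a remote forward (-R) bind a non-loopback address, which is what makes
# the SOCKS port reachable from other hosts. Forwarding is off for everyone except the
# gateway account, which may only open remote listeners on port 12362 (assumed policy).
GatewayPorts yes
AllowTcpForwarding no
Match User warrawan
    AllowTcpForwarding remote
    PermitListen 12362
EOF
}

if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp) && write_sample_config "$tmp"
    check_sshd_config "$tmp" && echo "sample config: ok"
    rm -f "$tmp"
    check_key_layout warrawan && echo "/etc/ssh/users/warrawan: ok"
fi
```

Run it with "--demo" to write the sample configuration to a temporary file and audit it, or call check_sshd_config on the real "/etc/ssh/sshd_config" of a front-end. Where sshd is installed, "sshd -T" prints the effective configuration and is the authoritative check; this script only reads the file. Keeping AllowTcpForwarding off globally and granting "remote" plus a single PermitListen port inside the Match block means a compromised ordinary account on the gateway cannot open listeners or forwards of its own.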
Linux(R) is a registered trademark of Linus Torvalds in the United States and other countries.