
Turning off SSH port-forwarding #474

Closed
hosh opened this issue Aug 21, 2011 · 13 comments

Comments

@hosh

commented Aug 21, 2011

I'm looking around for a way to turn off SSH port-forwarding. I think ssh port forwarding should not be turned on by default. Please advise.

@mitchellh

Member

commented Aug 21, 2011

If SSH port forwarding is not on, then you cannot SSH to your machine in any way, which makes your machine relatively useless. :) Things that don't work when SSH is not turned on:

  • Provisioning of any sort
  • Host only networks
  • NFS
  • Shared folders of any sort
  • Setting hostnames
  • Graceful shutdown/reboot

Basically everything :)

@mitchellh mitchellh closed this Aug 21, 2011

@hosh

Author

commented Aug 21, 2011

Right. So why are we shelling in through the NAT port instead of through a private network?

@mitchellh

Member

commented Aug 25, 2011

Valid point!

The reason it is done through NAT currently is because when Vagrant was first created, forwarded ports were the only things that were available. The better solution would be to provide SSH via a host only network, but enabling a host only network is actually guest-OS specific (since you need to modify the ifconfig to be aware of it before apps can listen on that interface).

I'm no networking guru by any means. I'm actually a big noob about it, so I'd greatly appreciate any input if I'm missing something.

@hosh

Author

commented Aug 25, 2011

I'm going to try some of my ideas on a fork and experiment with it; then if I'm happy with it, I can send you a pull request and you can take a look.

Keep in mind that we can have base box creators always use DHCP for eth0, then simply dictate the "control" ssh as host-only. Since the gems know how to create second adapters, they can always create an eth1 that NATs or bridges out. In this way, vagrant instances are always private by default. The downside is that it will not be backwards compatible with existing boxes.

I'm thinking of these changes:

(1) Change the data structure holding the port forwarding to a generic hash, { :host => "", :port => 0, :type => "port-forward" }. I say data structure, but I keep forgetting that vagrant runs once, executes the commands, then quits. I think most of the code in HEAD already does this.

(2) Add a cascading ssh connection strategy. So Vagrant can ship with say, wherever the global configuration file is, something like

ssh_strategies = [ :port_forward, :host_only_network ]
default_host_only_network = "33.33.33.1"

So it can stay backwards compatible with how people have it set up. Then I can change it on my personal box so that it creates the SSH connections using hosted_network with whatever global host network I want to use.

@hosh

Author

commented Aug 25, 2011

OK, I see what you mean by OS specific. VirtualBox doesn't know the IP address used by the VM. The only other thing that knows the IP address is the DHCP.

Do you know if VirtualBox exports the lease data? Maybe we can match host IP through MAC addresses.

@hosh

Author

commented Aug 25, 2011

Bah, I started poking around VirtualBox. I don't find any C API calls to get to the lease database inside the DHCP server. The C++ class has everything needed though, including a method for looking up leases by MAC address. So unless you know a clever way to get to that information, it looks like I'm going to try a different strategy.

If I can't look it up, then I'll just have to manage it myself. Use a central database tracking adapter uuid -> ip addresses and explicitly declare them in the configuration. Since this will probably require external dependencies, turn this into a plugin. I'd still need a way to turn off the port-forwarding though so it can go to an explicit IP/port connection.

An alternative to that is to add an event hook for port-forwarding calls, then add code in my personal config to use host-specific commands to manipulate the firewall (drop all packets going to the forwarded port unless they come from 127.0.0.1). This last one might be the one I go for since it sounds like it will take the least effort.
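
An added example in Ruby, not Vagrant's or VirtualBox's own code, that ties the generic forwarding hash from the earlier comment to the loopback-only firewall idea in this one. It flags forwards that VirtualBox would bind on every host interface, and for each one emits either the VBoxManage command that rebinds the forward to 127.0.0.1 (the fix at the source) or the iptables rule that drops non-loopback traffic to the host port (the fallback described above). The :host_ip and :proto keys, the VM name and the sample forwards are assumptions; the --natpf1 rule syntax is VBoxManage's.

```ruby
# Added example (not Vagrant's or VirtualBox's code). Models the thread's generic
# forwarding hash and two host-side ways to keep a NAT forward (e.g. host 2222 ->
# guest 22) off the LAN: bind it to loopback in VirtualBox, or drop non-loopback
# traffic to it with iptables.

# Constructed sample in the generic-hash form from the thread. :host_ip and :proto
# are assumed extra keys; a nil or 0.0.0.0 host IP means VirtualBox listens on
# every host interface, which is the exposure being discussed.
SAMPLE_FORWARDS = [
  { :type => "port-forward", :host_ip => nil,         :host => 2222, :guest => 22,   :proto => "tcp" },
  { :type => "port-forward", :host_ip => "127.0.0.1", :host => 8080, :guest => 80,   :proto => "tcp" },
  { :type => "port-forward", :host_ip => "0.0.0.0",   :host => 3306, :guest => 3306, :proto => "tcp" },
]

LOOPBACK_BINDS = ["127.0.0.1", "::1"].freeze

# A port forward is exposed when it is not explicitly bound to a loopback address.
def exposed?(fwd)
  return false if fwd[:type] != "port-forward"
  !LOOPBACK_BINDS.include?(fwd[:host_ip])
end

def exposed_forwards(forwards)
  forwards.select { |f| exposed?(f) }
end

# Preferred fix: rebind the forward to 127.0.0.1 so VirtualBox never listens on the
# LAN. The --natpf<N> rule format is "name,proto,[hostip],hostport,[guestip],guestport"
# (NAT adapter 1 assumed). An existing rule with the same name has to be removed
# first with "--natpf1 delete <name>".
def loopback_bind_commands(vm_name, forwards)
  exposed_forwards(forwards).map do |f|
    rule = "fwd#{f[:host]},#{f[:proto]},127.0.0.1,#{f[:host]},,#{f[:guest]}"
    "VBoxManage modifyvm #{vm_name} --natpf1 \"#{rule}\""
  end
end

# Fallback from the thread: keep the forward but drop anything for the host port
# that did not arrive over the loopback interface. Matching on the interface
# (! -i lo) rather than on source 127.0.0.1 also covers connections the host makes
# to its own LAN address, which carry that address as their source.
def loopback_only_rules(forwards)
  exposed_forwards(forwards).map do |f|
    "iptables -A INPUT -p #{f[:proto]} --dport #{f[:host]} ! -i lo -j DROP"
  end
end

if __FILE__ == $PROGRAM_NAME
  puts "Exposed host ports: #{exposed_forwards(SAMPLE_FORWARDS).map { |f| f[:host] }.inspect}"
  puts loopback_bind_commands("devbox", SAMPLE_FORWARDS)
  puts loopback_only_rules(SAMPLE_FORWARDS)
end
```

Run as a script it lists the two exposed ports (2222 and 3306) and prints one VBoxManage command and one iptables rule for each; the 8080 forward is left alone because it is already bound to 127.0.0.1.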

@mitchellh

Member

commented Aug 28, 2011

You're right, it doesn't look like there is a way to do this at the moment from the VirtualBox API. You're welcome to create a ticket for VirtualBox. If they do implement this then I'll gladly implement it.

@hosh

Author

commented Aug 28, 2011

I suggest a warning in the main Vagrant documentation, recommending users turn on their firewall. I'll see if the VirtualBox guys are interested in exposing the DHCP leases.

@rrotter

commented Oct 2, 2012

Any movement on this?

@jeromebaum

commented Oct 13, 2012

This definitely needs at least a giant warning in the documentation. With the insecure SSH key (that could be automatically replaced, mind you), this is a big security leak when the firewall isn't on. Most devs would have it on, but why take the risk?

@jeromebaum

commented Oct 13, 2012

So I see three options that would be realistic:

  1. Set up port forwarding, then SSH in and change the network settings to some secondary adapter (or transfer the IP info or something like that) and disable port forwarding again.
  2. SSH in right away and replace the insecure key. Could dynamically generate a new key and store it in a .vagrant.d directory. This does not fix security issues with development installations of web apps but those would be under user control.
  3. As a simpler option (i.e. can implement sooner) just create some option that disables the port forward. Then let the user bother with issues stemming from SSH potentially not being available etc.
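
An added example in Ruby, not Vagrant's own code, for option 2 above: generate a fresh RSA key pair for a box, encode its public half as an OpenSSH authorized_keys line, and rewrite the guest's authorized_keys so every copy of the shared key is gone and only the new one remains. Keys are matched on their base64 blob rather than on the comment, so a renamed copy of the old key is still removed. The stand-in for the insecure key is a throwaway pair generated here, not Vagrant's real one, and the storage path in the comment is assumed.

```ruby
require "openssl"
require "base64"

# Added example (not Vagrant's code): replace a shared, publicly known SSH key
# with a per-box key by rewriting the guest's authorized_keys.

# SSH wire "string": 4-byte big-endian length followed by the bytes.
def ssh_string(bytes)
  [bytes.bytesize].pack("N") + bytes
end

# SSH "mpint": big-endian magnitude, with a leading zero byte when the high bit is set.
def ssh_mpint(bn)
  bytes = bn.to_s(2)
  bytes = "\x00".b + bytes if bytes.getbyte(0) >= 0x80
  ssh_string(bytes)
end

# OpenSSH public-key line: ssh-rsa base64(string "ssh-rsa" || mpint e || mpint n) comment
def openssh_public_key(rsa, comment)
  blob = ssh_string("ssh-rsa".b) + ssh_mpint(rsa.e) + ssh_mpint(rsa.n)
  "ssh-rsa #{Base64.strict_encode64(blob)} #{comment}"
end

# Decode an ssh-rsa line back into [e, n]; used to check the encoding round-trips.
def parse_openssh_public_key(line)
  blob = Base64.strict_decode64(key_blob(line))
  fields = []
  off = 0
  while off < blob.bytesize
    len = blob.byteslice(off, 4).unpack1("N")
    fields << blob.byteslice(off + 4, len)
    off += 4 + len
  end
  raise "not an ssh-rsa key" unless fields[0] == "ssh-rsa"
  [OpenSSL::BN.new(fields[1], 2), OpenSSL::BN.new(fields[2], 2)]
end

# Second field of an authorized_keys line; identifies the key independent of its comment.
def key_blob(line)
  line.split(" ")[1]
end

# New authorized_keys contents: every line carrying the old key removed, the new
# key appended, any other entries left untouched.
def rotate_authorized_keys(existing, old_pubkey_line, new_pubkey_line)
  old_blob = key_blob(old_pubkey_line)
  kept = existing.lines.map(&:chomp).reject { |l| l.strip.empty? || key_blob(l) == old_blob }
  (kept + [new_pubkey_line]).join("\n") + "\n"
end

def generate_box_key(bits = 2048)
  OpenSSL::PKey::RSA.new(bits)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed stand-in for the shared insecure key: a throwaway pair, not Vagrant's real one.
  insecure_line = openssh_public_key(generate_box_key, "shared insecure key (sample)")
  box_key = generate_box_key
  box_line = openssh_public_key(box_key, "per-box key")
  before = "#{insecure_line}\n"
  puts rotate_authorized_keys(before, insecure_line, box_line)
  # box_key.to_pem is what would be written under ~/.vagrant.d/ (path assumed) and
  # used for subsequent SSH connections once the file above is in place on the guest.
end
```

The private half never leaves the host; only the authorized_keys text is pushed to the guest over the existing (still insecure-key) connection, after which that key no longer works.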

@haydenk

commented May 23, 2013

If SSH port forwarding is not on, then you cannot SSH to your machine in any way

Launch it with the VirtualBox GUI turned on initially, log in and get the IP address? Then you can SSH on the bridged adapter's IP with the standard port 22.

@jeromebaum

commented May 24, 2013

Yup. Potentially a bit user-unfriendly?
