Automatically request a secure maintenance tunnel from the maintenance server to a computer.
What is aalatunneli used for?
It is sometimes impossible to connect from computer A to computer B, even if the reverse works.
This can be because B has a dynamic IP (so the user of A does not know where to connect),
NAT, a firewall...
From now on, we will call A the maintenance server and B the client.
With aalatunneli, the client connects to the server and creates a tunnel inside which the server can connect
back to the client.
This is not a general solution for all kinds of network traffic, but just for creating
a maintenance connection.
Functionality
Aalatunneli creates a reversed ssh tunnel from the maintenance server to the initiating computer.
This tunnel connects one port on the maintenance server to a special (or, if really wanted, the standard) local telnet port. This causes any traffic to that maintenance server port to be transferred
to the local telnet port. The maintainer can then run 'telnet localhost <server port>' to open a telnet
connection through that tunnel to the client computer.
Telnet is used instead of ssh for the connection inside the tunnel since the tunnel itself is already encrypted.
There is no need to add the overhead of a second layer of encryption. ssh tunnel + telnet is
basically the same as ssh shell access.
There is one respect in which an ssh connection inside the tunnel would be more secure.
- With ssh, data would go encrypted all the way to the ssh daemon
- With telnet inside the ssh tunnel, data goes unencrypted from the end of the tunnel to the telnet daemon
However, this unencrypted traversal is already inside the client computer. This would be an issue only
for an already compromised computer where an intruder can access the traffic between the tunnel and the telnet
daemon, but such an intruder could see what goes on after the data has been decrypted anyway.
All this is not to say that aalatunneli will never use ssh instead of telnet.
Future versions might do so.
Security
Many people think that the word 'ssh' equals 'shell usage over an encrypted connection'.
After all, this is what the ssh command does by default.
The core functionality of ssh is creating an encrypted tunnel. Running a shell is not an
essential part of ssh. Aalatunneli uses ssh just to create the encrypted connection, the
tunnel. It does not directly give shell access, nor does it bypass any username/password checks.
It is actually a more secure method than simply running an ssh daemon, since it has
additional restrictions on accessing the computer.
- The client-end telnet daemon is bound to the loopback network only. It can be accessed only by programs
running inside the client computer, such as the client end of aalatunneli. It is impossible to
connect to that telnet daemon from the outside network.
- The server end of the tunnel is bound to the loopback network only. The tunnel can be accessed only by
programs running inside the server computer. It is impossible to connect to the tunnel from the
outside network.
Tunnel creation uses public/private keys to make sure that the other end really is what it claims to be.
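As an added example (not aalatunneli's own code) of the setup described in the Functionality and Security sections: a POSIX shell fragment that builds the client-side ssh command for the reverse tunnel with both ends bound to loopback, plus a check that the client's telnet port really listens on loopback only. The server name maint.example.net, the ports 2222 (server end) and 2323 (client telnet), the key path and the listener snapshots are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not aalatunneli's own code. Assumed values: maintenance server
# name, ports 2222 (server end) and 2323 (client telnet port), key path.

# Build the client-side ssh command that creates the reverse tunnel.
# Binding the -R listener to 127.0.0.1 keeps the server end on loopback (the
# server's sshd must not set GatewayPorts yes, or the port could be exposed);
# the forward target is the client's own loopback telnet port, so the
# unencrypted hop described above never leaves the client host.
# -N: tunnel only, no shell. ExitOnForwardFailure: drop the connection if the
# server-side listener could not be opened, so no half-working tunnel lingers.
tunnel_cmd() {
    server=$1; server_port=$2; local_port=$3; key=$4
    printf 'ssh -N -i %s -o BatchMode=yes -o ExitOnForwardFailure=yes -R 127.0.0.1:%s:127.0.0.1:%s %s\n' \
        "$key" "$server_port" "$local_port" "$server"
}

# Read listener lines on stdin ('ss -ltnH' or 'netstat -ltn' layout, local
# address in the 4th column) and check the given port. Returns 0 when every
# listener on that port is bound to loopback, 1 when any non-loopback bind is
# found, 2 when nothing listens on the port at all.
loopback_only() {
    port=$1
    found=0
    while read -r _state _rq _sq addr _rest; do
        case $addr in
            *:"$port") ;;
            *) continue ;;
        esac
        found=1
        case $addr in
            127.*|"[::1]:"*) ;;
            *) return 1 ;;
        esac
    done
    [ "$found" -eq 1 ] || return 2
    return 0
}

# Constructed listener snapshots in 'ss -ltnH' layout (not from a real host).
GOOD_LISTENERS='LISTEN 0 128 127.0.0.1:2323 0.0.0.0:*
LISTEN 0 128 [::1]:2323 [::]:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'
BAD_LISTENERS='LISTEN 0 128 0.0.0.0:2323 0.0.0.0:*'

tunnel_cmd maint.example.net 2222 2323 "$HOME/.ssh/aalatunneli_key"
printf '%s\n' "$GOOD_LISTENERS" | loopback_only 2323 && echo "port 2323: loopback only"
printf '%s\n' "$BAD_LISTENERS" | loopback_only 2323 || echo "port 2323: exposed, do not start the tunnel"
```

On a real client the check would be fed by `ss -ltnH` (or `netstat -ltn`) before the tunnel is started, and the maintainer still reaches the client with 'telnet localhost 2222' on the server.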
Reporting problems
Please report any bugs to Bugzilla.
Contact
Marko Lindqvist
Downloads
Latest version is 1.0.0
Debian packages for several Ubuntu and Debian releases are available via apt-get from
my Debian package repositories.
Aalatunneli 1.0.0 (29-Sep-09)
Aalatunneli 0.3.5 (10-Mar-09)
Aalatunneli 0.3.4 (26-Feb-09)
Aalatunneli 0.3.3
Aalatunneli 0.3.2
Aalatunneli 0.3.1
Aalatunneli 0.2.0
Aalatunneli 0.1.1
Aalatunneli 0.1.0
Known problems
- One cannot remove or update aalatunneli itself from within an aalatunneli session