
Thread: seamless ssh through intermediate host?

  1. #1
    Join Date
    Jan 2008
    Location
    Malmö
    Beans
    130
    Distro
    Ubuntu 13.10 Saucy Salamander

    seamless ssh through intermediate host?

    My situation is that I've got a home connection, with a router that my ISP won't let me access (to forward ports etc), and all incoming ports blocked as far as I can tell. I would like to be able to get around this and allow incoming ssh connections to a home PC. To facilitate this I've got an (user) account on a remote shell account, which does not have all its ports blocked and which I'd like to use as an intermediate to ssh into my home machine.

    What I've managed so far is to ssh into the shell account (let's say it's on intermediate.host) and tunnel a port back to my home machine (let's call it home.host) by running the following on home.host:

    ssh -fNR7777:localhost:22 myuser@intermediate.host

    Then, I can ssh into my home machine from the shell account with a simple:

    ssh -p 7777 myuser@localhost

    OK, well and good, in principle I can then ssh into the intermediate from anywhere, and from the intermediate ssh into my home machine. BUT, I'm curious if it's possible to make this a seamless procedure so that if I connect on a particular port to the intermediate, it simply puts me onto the home machine directly (with appropriate ssh keys in place, of course.)

    One reason is it would be more convenient. Another is I would like to be able to make sftp connections to the home machine from anywhere, which I don't see would be possible with the above method. Still, it should be possible, right?

    So three questions basically:

    1. Can I somehow make the connection to my home go seamlessly through the intermediate host?
    2. Can I do this without root access to the intermediate? (I've only got a regular user account there.)
    3. Is there any way to do this so that another person could reach my home machine (say for sftp access) without giving him my login details for the intermediate host? (I would create an own account on the home machine, obviously.)

    Sorry that got a bit lengthy, but I wanted to account thoroughly for the situation. Very grateful for any help!

    Cheers.
    Last edited by anlag; September 17th, 2010 at 06:00 AM.

  2. #2
    Join Date
    Apr 2008
    Location
    Far, far away
    Beans
    2,148
    Distro
    Ubuntu 11.04 Natty Narwhal

    Re: seamless ssh through intermediate host?

    You shouldn't need to login to the intermediate host to connect to your home ssh server. As long as the reverse tunnel is up and listening on *:7777 you should be able to do this,

    ssh -p 7777 homeuser@intermediate.host

    it will forward that connection to your home port 22 where it should be answered. The key is that the reverse tunnel has to listen on the public IP, or * for any. It won't accept connections on localhost from the public.
    eg. your tunnel should be,

    ssh -fNR 7777:publicIP:22 myuser@intermediate.host

    sftp, scp and rsync should all work fine over the tunnel as long as the port is specified. Since Nautilus supports sftp natively you should be able to use sftp://intermediate.host:7777/path/to/files to get to them.

    ftp(s) on the other hand requires multiple ports tunneled and I'm not sure of the details of how it co-ordinates them since I never use it any more.

    In this case I would say maybe the simplest solution is to set ftp to use a SOCKS proxy and then start ssh on the remote system in -D mode connecting to your intermediate host via ssh. Then the ftp session will appear to your server as though on your home machine.
    eg. on remote machine,

    ssh -D 8080 -p 7777 homeuser@intermediate.host

    now tell ftp to use SOCKS5 proxy at localhost:8080 and it should connect via ssh to your home machine and access the LAN as if local.

    BTW the easiest way to handle the port 7777 is to add, (at the end)

    Host intermediate.host
    Port 7777

    to your /etc/ssh/ssh_config file or ~/.ssh/config (if just for you only) and after that you don't need to keep telling things to use that port for that host.
    Last edited by BkkBonanza; September 17th, 2010 at 07:47 AM.

  3. #3
    Join Date
    Jan 2008
    Location
    Malmö
    Beans
    130
    Distro
    Ubuntu 13.10 Saucy Salamander

    Re: seamless ssh through intermediate host?

    Thanks! But I'm still struggling a bit with understanding how to make the intermediate host open for ssh connections on a non-22 port. This part:

    Quote Originally Posted by BkkBonanza View Post
    The key is that the reverse tunnel has to listen on the public IP, or * for any. It won't accept connects on localhost from the public.
    eg. your tunnel should be,

    ssh -fNR 7777:publicIP:22 myuser@intermediate.host
    I assume I run that command on my home machine? I tried it with * and it seemed to do the same thing as before. If I use the public IP, is that the public IP of the home machine or of the intermediate?

    I'm guessing I'm doing something wrong with that step, because if I try to ssh to the intermediate on port 7777 (hoping to be passed on to the home machine) I just get this:

    ssh: connect to host intermediate.host port 7777: Network is unreachable

    Don't I need to somehow tell the intermediate machine that when it gets a connection on port 7777 it's an ssh connection? And then, that it should be sent on to my home address?

  4. #4
    Join Date
    Apr 2008
    Location
    Far, far away
    Beans
    2,148
    Distro
    Ubuntu 11.04 Natty Narwhal

    Re: seamless ssh through intermediate host?

    Quote Originally Posted by anlag View Post
    I assume I run that command on my home machine? I tried it with * and it seemed to do the same thing as before. If I use the public IP, is that the public IP of the home machine or of the intermediate?
    Yes. Public IP of intermediate machine since you're telling it which IP to bind on for listening and it must be that machine's. But I didn't check the docs before and the two things are needed... the syntax is like this,

    ssh -fNR *:7777:localhost:22 myuser@intermediate.host

    (the bind address on the host comes first and defaults to localhost when not indicated) and (important!) the GatewayPorts option must be enabled in sshd_config on the host. Otherwise it only binds locally. It's all in the docs but last time I was going by memory - my mistake.

    Quote Originally Posted by anlag View Post
    ssh: connect to host intermediate.host port 7777: Network is unreachable
    Make sure a firewall isn't blocking port 7777.
    Quote Originally Posted by anlag View Post
    Don't I need to somehow tell the intermediate machine that when it gets a connection on port 7777 it's an ssh connection? And then, that it should be sent on to my home address?
    No. It listens on port 7777 and whatever it gets it passes down the tunnel to your machine port 22. It is your sshd that responds, back up the tunnel to go out on 7777 again. It's a dumb tunnel not socks or anything, it just passes data packets each way.

  5. #5
    Join Date
    Jan 2008
    Location
    Malmö
    Beans
    130
    Distro
    Ubuntu 13.10 Saucy Salamander

    Re: seamless ssh through intermediate host?

    Quote Originally Posted by BkkBonanza View Post
    and (important!) the GatewayPorts option must be enabled in sshd_config on the host.
    Ack! Looking in /etc/ssh/sshd_config on the intermediate host, I find this as the only relevant entry:

    #GatewayPorts no

    Although it's commented out, the man page confirms the suspicion that the default setting is indeed "no". I tried the updated command anyway and it gave me the same "network is unreachable" again.

    Don't suppose there's any way I can do what I want with that intermediate host then?

  6. #6
    Join Date
    Apr 2008
    Location
    Far, far away
    Beans
    2,148
    Distro
    Ubuntu 11.04 Natty Narwhal

    Re: seamless ssh through intermediate host?

    After you update that option you have to force sshd to reload its config.
    Like this,

    pkill -HUP sshd

    After you do that, then start the ssh tunnel. Then on the host run,

    sudo netstat -lntp

    to show what processes are listening on what ports. You should see sshd listening on 7777. If not then there is an ssh/sshd config problem. If it is then check what address it is bound to. If that looks right and you still cannot connect then check iptables for firewall blocks.

    sudo iptables -vnL
    Last edited by BkkBonanza; September 17th, 2010 at 04:30 PM.
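The checks described in posts #4 to #6 (is GatewayPorts effectively on, and what address is the 7777 listener actually bound to) can be scripted against a copy of sshd_config and saved netstat output. The following is an added example, not code from the thread; the sample files it builds are constructed, and the function names are my own.

```shell
#!/bin/sh
# Effective GatewayPorts value from an sshd_config. sshd takes the first
# uncommented directive; a commented "#GatewayPorts no" (as in post #5) is
# only the documented default, so an absent directive means "no".
gatewayports_setting() {
    val=$(awk 'tolower($1) == "gatewayports" { print tolower($2); exit }' "$1")
    printf '%s\n' "${val:-no}"
}

# Address a TCP listener on port $2 is bound to, read from saved
# `netstat -lnt` output in file $1 ("none" if nothing listens there).
tunnel_bind() {
    addr=$(awk -v port="$2" '$1 ~ /^tcp/ {
        n = split($4, f, ":")
        if (f[n] == port) { print substr($4, 1, length($4) - length(port) - 1); exit }
    }' "$1")
    printf '%s\n' "${addr:-none}"
}

# Verdict on whether the public can reach the tunnel on the intermediate:
# $1 sshd_config, $2 netstat output, $3 forwarded port.
tunnel_verdict() {
    gp=$(gatewayports_setting "$1")
    bind=$(tunnel_bind "$2" "$3")
    case "$bind" in
        none) echo "not-listening" ;;
        127.0.0.1|::1|localhost)
            [ "$gp" = "no" ] && echo "local-only:GatewayPorts=no" \
                             || echo "local-only:bind-address-omitted" ;;
        *) echo "public:$bind" ;;
    esac
}

# Constructed sample input (not captured from any real host).
SAMPLE_CONF=$(mktemp); SAMPLE_NETSTAT=$(mktemp)
trap 'rm -f "$SAMPLE_CONF" "$SAMPLE_NETSTAT"' EXIT
cat >"$SAMPLE_CONF" <<'EOF'
Port 22
#GatewayPorts no
EOF
cat >"$SAMPLE_NETSTAT" <<'EOF'
Proto Recv-Q Send-Q Local Address   Foreign Address  State   PID/Program name
tcp        0      0 0.0.0.0:22      0.0.0.0:*        LISTEN  812/sshd
tcp        0      0 127.0.0.1:7777  0.0.0.0:*        LISTEN  812/sshd
tcp6       0      0 :::22           :::*             LISTEN  812/sshd
EOF
tunnel_verdict "$SAMPLE_CONF" "$SAMPLE_NETSTAT" 7777   # local-only:GatewayPorts=no
```

On a real intermediate you would feed it /etc/ssh/sshd_config and the output of `netstat -lnt`; a verdict of `public:0.0.0.0` or `public:::` is what the thread is trying to reach.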

  7. #7
    Join Date
    Jan 2008
    Location
    Malmö
    Beans
    130
    Distro
    Ubuntu 13.10 Saucy Salamander

    Re: seamless ssh through intermediate host?

    Right, unfortunately that's where I run into the problem that I don't have root access on the intermediate host. I'll try and have a word with the admin of that place though, see if they can do something for me. If not, I'll try to find somewhere else to do it... quite keen on seeing it work now, one way or the other, if only for the satisfaction of knowing how to accomplish it in future cases.

    Thanks a lot for your help in any case. I'll revisit this topic when I've got some more progress.

    Oh yeah, no alternative way to do it without root I suppose? I imagine that gateway setting would put a stop to it, pretty much?

  8. #8
    Join Date
    Apr 2008
    Location
    Far, far away
    Beans
    2,148
    Distro
    Ubuntu 11.04 Natty Narwhal

    Re: seamless ssh through intermediate host?

    No, you'll need root to change the sshd config and reload it.

    You may want to look at Amazon EC2. If you want I can give you a primer on it. You can start an on-demand server node for any brief or long period to do some testing/work, and then shut it down - all using Linux commands on your machine. Very low cost if you don't keep them up 24/7.

    For example, running a t1.micro spot instance can cost 0.7 cents/hour (not dollars, cents) and is great for this kind of thing. You need an AWS account but can sign up with a credit card very easily.

    Here's how I start and run a remote server as needed, once I've configured the aws Perl script from timkay.com, (and set up a key and some config at the Amazon control panel),

    ec2rsi ami-1234de7b -p 0.01 -t t1.micro
    (request spot instance, specify type, ami, max price)
    (ami-1234de7b is the ID for an Ubuntu 10.4 machine image)

    ec2din
    (check if my instance is ready... may have to repeat for a few minutes)
    (will output your instance id and URL for your server)

    ssh -i .ssh/myAWSkey.pub ubuntu@aws-URL-from-above
    (now I'm logged into my instance)
    (sudo change sshd config, look around)

    (open another local terminal, and type)
    ssh -fNR *:7777:localhost:22 ubuntu@aws-URL-from-above

    (my tunnel is up, see if I can connect to myself)
    ssh -p 7777 me@aws-URL-from-above

    Fun!
    Last edited by BkkBonanza; September 17th, 2010 at 06:10 PM.

  9. #9
    Join Date
    Jan 2008
    Location
    Malmö
    Beans
    130
    Distro
    Ubuntu 13.10 Saucy Salamander

    Re: seamless ssh through intermediate host?

    Hey, that does look like fun. Not sure what a primer is, but why not? Looks worth trying out at any rate.

  10. #10
    Join Date
    Apr 2008
    Location
    Far, far away
    Beans
    2,148
    Distro
    Ubuntu 11.04 Natty Narwhal

    Re: seamless ssh through intermediate host?

    A primer would be me just laying out details and steps here. Or I could talk you through it in real time in a chat window. Either way, it's always a bit of fun.

    Real time would have to start with you signing up at AWS (Amazon Web Services), otherwise you can't get into the AWS Control Panel to create a key etc.
