reverse SSH / SSH over NAT traversal
Konstantin Svist
fry.kun at gmail.com
Wed Sep 5 16:45:43 UTC 2007
Jeffrey Ross wrote:
>
>
> Konstantin Svist wrote:
>> Hi all,
>>
>> I'm trying to connect to a remote host to do some simple support. The
>> remote host is behind a NAT/firewall and it's not possible to ask the
>> admin to tunnel a port. The remote host has a live person working on
>> it (a linux newbie).
>> The question is, can the remote user type in some command in their
>> terminal to connect (SSH?) to my network - and thereby allow me to
>> get a terminal on the remote machine. I think this is possible with a
>> reverse SSH tunnel - but I don't really want to allow the remote user
>> any access to my system. It's probably possible to set up some chroot
>> or otherwise locked out environment (/bin/nologin ?), but I want to
>> first check if there are any simpler options.
>>
>> A better question: is it possible to establish an SSH connection if
>> both networks have NAT/firewalls that can't be easily controlled? I
>> know some programs (e.g. skype) are able to traverse NATs by various
>> means (UDP). Can some tunnel of this sort be established so that an
>> SSH connection can be established on top of that?
>>
>>
>> Thanks!
>>
> I've never tried using chroot for anything but to handle the ssh issue
> have the user enter the command:
>
> ssh -R 12345:127.0.0.1:22 username at yourhost
>
> have the user login. At this point you can enter:
>
> ssh -p 12345 username at 127.0.0.1
>
> where username is the username on your client's machine.
>
> If you want to take it one step further you can enter:
>
> ssh -D 4567 -p 12345 username at 127.0.0.1
>
> now your local machine is running as if it's a SOCKS proxy, and any
> software that can be told to use a proxy will be able to connect to
> the remote network: set the proxy host to be 127.0.0.1 and the port to
> be 4567 (you can adjust the port if you like).
>
> What I do for my own use is use the "-D" option and a program I found
> called "connect"
> http://www.taiyo.co.jp/~gotoh/ssh/connect.c
> and then put in ~/.ssh/config these two lines:
>
> host 10.*
> ProxyCommand /usr/local/bin/connect -4 -S 127.0.0.1:4567 %h %p
>
> you can do "host *.foo.com" as well and it will match anything in the
> .foo.com domain.
>
> Now every time I type "ssh username at 10.x.x.x" it automatically proxies
> my connection if the ssh tunnel is up.
>
> Jeff
Doesn't allowing the other user to create an SSH tunnel lower your
security? They might append a -L option (when they do ssh -R) and -
presto - they have unfirewalled access to your ports. Granted, this is
usually not an issue when users on the other side are newbies - but if
you get used to this technique and use it when it's not safe... you get
the point.
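The -L / -D concern raised above has a server-side answer: the account the remote user logs into for the reverse tunnel can be told to accept only -R forwards. The following is an added example and not part of the thread; it assumes OpenSSH 7.8 or newer (for PermitListen and the permitlisten key option), an account named "support" and the tunnel port 12345 from Jeff's command. It prints an sshd_config Match block and an authorized_keys line with the same limits, and scans constructed sample log lines for the "refused local port forward" message sshd logs when such an attempt is blocked.

```shell
#!/bin/sh
# Added example, not from the thread: lock down the account that receives
# "ssh -R 12345:127.0.0.1:22 support@yourhost" so the remote user can open
# the tunnel but cannot add -L or -D forwards into your network.
# Assumptions: OpenSSH 7.8+, account "support", tunnel port 12345.

# Print an sshd_config "Match User" block for the tunnel-only account.
# $1 = account name, $2 = the one port the remote side may bind with -R.
support_match_block() {
    user=$1
    port=$2
    cat <<EOF
Match User $user
    # Remote (-R) forwards only; local (-L) and dynamic (-D) are refused.
    AllowTcpForwarding remote
    # -R may bind only the agreed port, and only on loopback.
    PermitListen localhost:$port
    # No destination at all for local forwards, should the above ever change.
    PermitOpen none
    # No shell or TTY; the session just holds the tunnel open for a day.
    PermitTTY no
    ForceCommand /bin/sleep 86400
    X11Forwarding no
    AllowAgentForwarding no
    PermitTunnel no
EOF
}

# Print an authorized_keys entry carrying the same limits per key.
# "restrict" turns everything off, "port-forwarding" re-enables forwarding,
# "permitlisten" narrows -R to one port; -L is still refused by the Match
# block above, because key options cannot express "remote only".
# $1 = public key as "type base64 comment", $2 = tunnel port.
support_authorized_key() {
    printf 'command="/bin/sleep 86400",restrict,port-forwarding,permitlisten="%s" %s\n' "$2" "$1"
}

# Constructed sample of /var/log/secure lines (not real output), shaped like
# sshd's message when a -L or -D connection is refused at LogLevel INFO.
SAMPLE_LOG='Sep  5 16:40:01 yourhost sshd[2101]: Accepted publickey for support from 203.0.113.7 port 51522 ssh2
Sep  5 16:40:09 yourhost sshd[2101]: refused local port forward: originator 127.0.0.1 port 40012, target 10.0.0.5 port 80
Sep  5 16:40:11 yourhost sshd[2101]: refused local port forward: originator 127.0.0.1 port 40013, target 10.0.0.9 port 445
Sep  5 16:41:00 yourhost sshd[2101]: Received disconnect from 203.0.113.7 port 51522:11: disconnected by user'

# Read sshd log lines on stdin and print "target:port" for every refused
# local forward. -D traffic also arrives as direct-tcpip requests, so
# SOCKS attempts show up here as well.
refused_forward_targets() {
    sed -n 's/.*refused local port forward: .*target \([^ ]*\) port \([0-9]*\).*/\1:\2/p'
}

# Stand-alone run: show the config, the key line and the audit result.
support_match_block support 12345
support_authorized_key 'ssh-ed25519 AAAAC3Nza EXAMPLE' 12345
printf '%s\n' "$SAMPLE_LOG" | refused_forward_targets
```

Append the Match block at the end of sshd_config (a Match block runs to the next Match or end of file), check it with `sshd -t`, then reload sshd. With this in place the remote user's `ssh -R 12345:127.0.0.1:22 support@yourhost` still works and `ssh -p 12345 username@127.0.0.1` on your side still reaches their machine, while any -L or -D they add is refused and leaves a log line you can alert on.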