
Re: Reverse Shell?



Jacob S wrote:
> I have a friend that I'm helping upgrade Debian on their desktop. This
> friend is not very computer literate - even in Windows. So they're
> having a problem that I need to troubleshoot, but they're behind a
> firewall so I can't ssh into their computer.
> 
> There are not currently any ports forwarded from the firewall to this
> computer and we do not have any access to the firewall to enable
> something like this, either. What I am hoping is that I can have them
> establish an ssh connection into my firewall with some software that
> would then allow me to get a shell on their computer.

If the firewall is a corporate security measure then almost certainly
this type of access is not allowed by the employer.  Most companies'
contracts say that tunneling past security measures is grounds for
termination.  I am saying this because if your friend is behind a
firewall that they do not control and also not very computer literate
they are probably not aware of the issues and might put themselves
into a bad situation without knowing it.  You might need to make a
trip with them to their actual machine.  That is usually allowed
because the access is supervised.  But of course every employer has
different rules.

If this were a simple home firewall such as a cable modem router then
the easiest thing would be to open the ssh port so that you could log
into their computer.

However if that is difficult, the security issues understood, then you
can open a tunnel with ssh from their machine to yours.  You could
follow the tunnel back to their machine and then help them.  Here is
an example:

  ssh -N -P -R 2222:$(hostname):22 user@remotehost

That ssh's into the remote machine and opens a listening connection on
port 2222.  Connections to that port will be forwarded through the
tunnel to the local host port 22.  You would give your friend a login
on your machine (user@remotehost) and they would also give you a login
on their machine too so that you would be able to log in there.

You should be able to test the connection on your end with 'nc'
(netcat) or telnet.

  nc localhost 2222
  SSH-2.0-OpenSSH_3.8.1p1 Debian-8.sarge.4

Control-C out of that; the connection is just to test that the tunnel
is working in a direct way.

The above command does not need any special privileges, does not need
to run as root or anything.  Just run it as a non-root user.  I
included the -P option just in case though as some firewalls block
outbound access from privileged ports.  For a truly reliable
connection you would want to use '-oBatchmode=yes' or
'-oServerAliveInterval=300'.  I use Batchmode but for that you would
need RSA keys set up for a fully automated login because passwords are
interactive.  Some firewalls will drop idle connections and a diddle
is needed to keep the connection alive.

You would connect to your friend's machine through the tunnel like
this:

  ssh -p 2222 localhost

Bob
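
A way to check, on the machine that accepts the tunnel (remotehost above), which listeners ssh remote forwards have opened and whether any of them is bound beyond loopback. This is an added example, not part of the original message; the sample `ss -tlnp` output, its PIDs and port 2223 are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: list TCP listeners created by ssh remote forwards (-R)
# on the host that accepted the tunnel. Reads `ss -tlnp` output on stdin;
# $1 is sshd's own listening port (default 22).
forwarded_listeners() {
    awk -v own="${1:-22}" '
        # "sshd-session" is the per-connection process in newer OpenSSH.
        $1 == "LISTEN" && /"sshd(-session)?"/ {
            n = split($4, part, ":")          # port is the last ":" field
            port = part[n]
            if (port == own) next             # sshd itself, not a forward
            addr = substr($4, 1, length($4) - length(port) - 1)
            pid = "?"
            if (match($0, /pid=[0-9]+/))
                pid = substr($0, RSTART + 4, RLENGTH - 4)
            # A loopback bind is reachable only from this host; any other
            # bind means GatewayPorts let the forward face the network.
            scope = (addr ~ /^(127\.|\[::1\])/) ? "loopback" : "exposed"
            print port, addr, pid, scope
        }'
}

# Constructed sample of `ss -tlnp` output (not captured from a real host).
sample_ss_output() {
    cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      128    127.0.0.1:2222     0.0.0.0:*         users:(("sshd",pid=4321,fd=9))
LISTEN 0      128    [::1]:2222         [::]:*            users:(("sshd",pid=4321,fd=8))
LISTEN 0      128    0.0.0.0:2223       0.0.0.0:*         users:(("sshd",pid=5120,fd=9))
LISTEN 0      4096   127.0.0.1:631      0.0.0.0:*         users:(("cupsd",pid=640,fd=7))
EOF
}

# Live use (root is needed to see other users' processes):
#   ss -tlnp | forwarded_listeners 22
sample_ss_output | forwarded_listeners 22
```

Each output line gives port, bind address, owning PID and scope; an "exposed" line means the forwarded ssh port of the machine behind the firewall is reachable from the network, not just from the tunnel host.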
