
Re: how to get the right commands for a remote ssh session (attachment situation)



On Mon, Oct 27, 2008 at 15:37:38 +0100, Jelle de Jong wrote:
> Hello everybody,
> 
> I have been trying to create some sh tunneling commands that would allow
> me to create a ssh session to a machine behind a firewall/nat from a
> machine behind a firewall/nat but with a public server in between. I
> have spent a day trying to figure things out but without success. So I
> wanted to ask for some help to get the right command...

[...]

> question: how can admin0 and admin1 get a ssh session with user0 to
> provide remote support?
> 
> what are the exact ssh commands and their sequences for user0, admin0
> and admin1?
> 
> +----------------+        +----------+        +--------------+        +----------+
> | user0          |--------| firewall |--------| internet www |--------| firewall |
> | ip: unknown    |        +----------+        +--------------+        +----------+
> | ssh access to: |                                    |                     |
> | server0        |                              +----------+      +---------------------+
> +----------------+                              | firewall |      | server0             |
>                                                 +----------+      | ip: 84.245.3.195    |
> +----------------+                                    |           | provided access to: |
> | admin0         |------------------------------------+           | user0               |
> | ip: unknown    |                                                | admin0              |
> | ssh access to: |                                                | admin1              |
> | server0        |                                                +---------------------+
> +----------------+                                                          |
>                                                                             |
> +----------------+                                                          |
> | admin1         |----------------------------------------------------------+
> | ip: unknown    |
> | ssh access to: |
> | server0        |
> +----------------+
> 
> All systems are using Debian Linux sid or lenny, and no firewall can be
> changed so only outgoing connections are allowed with exception of the
> firewall of server0

I think this has to be done using remote port forwarding on user0 to
break through the firewall:

ssh -N -R 22222:localhost:22 server0

If you run this command on user0 then an ssh connection is established
that forwards port 22222 on server0 to port 22 on user0. Obviously, this
means that you have to set up user0 in such a way that a user with
access to that computer can initiate the support session by running that
command, or you use a cron job, or you configure it as a permanent
connection that is established whenever user0 boots up. (Note that the
administrator of user0's firewall might notice what you are doing and
he/she might not like that you poke a permanent hole into the firewall.)

With the port forward via ssh in place, it should be possible to ssh
into server0 from admin0 or admin1 and once you have your shell on
server0, you run

ssh -p 22222 localhost

which will establish an ssh session to port 22222 of server0, meaning
that you connect via the ssh tunnel to port 22 of user0 (which I assume
is the port on which user0's ssh server listens).

I am not entirely sure if I have all the syntax correct, though. It may
be possible to simplify the two-step ssh chain admin0/1 -> server0
-> user0 by using ProxyCommand with netcat, see "man ssh_config".

-- 
Regards,            | http://users.icfo.es/Florian.Kulzer
          Florian   |
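
The remote forward and the ProxyCommand shortcut from the message above, written out as configuration. This is an added example, not part of the original post. The account names on server0, the alias names and the key placeholder are assumptions, and permitlisten needs OpenSSH 7.8 or later on server0.

```sshconfig
# --- user0: ~/.ssh/config (start the session with: ssh -N support-tunnel) ---
Host support-tunnel
    HostName 84.245.3.195
    # Assumed account name on server0
    User user0
    # Same forward as "-R 22222:localhost:22", bound explicitly to loopback
    # on server0 so that only users logged in to server0 can reach it
    RemoteForward 127.0.0.1:22222 localhost:22
    # Exit instead of idling if port 22222 on server0 cannot be bound
    ExitOnForwardFailure yes
    # Notice a dead connection through the NAT after about 90 seconds
    ServerAliveInterval 30
    ServerAliveCountMax 3

# --- admin0 / admin1: ~/.ssh/config (connect with: ssh user0-support) ---
Host server0
    HostName 84.245.3.195
    # Assumed account name on server0
    User admin0

Host user0-support
    # Resolved by nc on server0, so this is the tunnel endpoint there
    HostName localhost
    Port 22222
    # Record user0's host key under its own name, not [localhost]:22222
    HostKeyAlias user0-support
    # Runs nc on server0; %h and %p expand to localhost and 22222
    ProxyCommand ssh server0 nc %h %p

# --- server0: one line in ~user0/.ssh/authorized_keys (placeholder key) ---
# No pty, agent or X11 forwarding for this key, and remote forwards
# may only listen on port 22222:
#   restrict,port-forwarding,permitlisten="22222" ssh-ed25519 <USER0_PUBLIC_KEY>
```

With the ProxyCommand stanza the admin's ssh client authenticates to user0's sshd end to end, so user0's host key is checked on the admin machine rather than on server0.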

