Re: how to get the right commands for a remote ssh session (attachment situation)
Florian Kulzer wrote:
> On Mon, Oct 27, 2008 at 15:37:38 +0100, Jelle de Jong wrote:
>> Hello everybody,
>>
>> I have been trying to create some sh tunneling commands that would allow
>> me to create a ssh session to a machine behind an firewall/nat from a
>> machine behind a firewall/nat but with a public server in between. I
>> have spent a day trying to figure things out but without success. So I
>> wanted to ask for some help to get the right command...
>
> [...]
>
>> question: how can admin0 and admin1 get a ssh session with user0 to
>> provide remote support?
>>
>> what are the exact ssh commands and their sequences for user0, admin0
>> and admin1?
>>
>> +----------------+        +----------+        +--------------+        +----------+
>> | user0          |--------| firewall |--------| internet www |--------| firewall |
>> | ip: unknown    |        +----------+        +--------------+        +----------+
>> | ssh access to: |                                    |                     |
>> | server0        |                              +----------+     +---------------------+
>> +----------------+                              | firewall |     | server0             |
>>                                                 +----------+     | ip: 84.245.3.195    |
>> +----------------+                                    |          | provided access to: |
>> | admin0         |------------------------------------+          | user0               |
>> | ip: unknown    |                                               | admin0              |
>> | ssh access to: |                                               | admin1              |
>> | server0        |                                               +---------------------+
>> +----------------+                                                          |
>>                                                                             |
>> +----------------+                                                          |
>> | admin1         |----------------------------------------------------------+
>> | ip: unknown    |
>> | ssh access to: |
>> | server0        |
>> +----------------+
>>
>> All systems are using Debian Linux sid or lenny, and no firewall can be
>> changed so only outgoing connections are allowed with exception of the
>> firewall of server0.
>
> I think this has to be done using remote port forwarding on user0 to
> break through the firewall:
>
> ssh -N -R 22222:localhost:22 server0
>
> If you run this command on user0 then an ssh connection is established
> that forwards port 22222 on server0 to port 22 on user0. Obviously, this
> means that you have to set up user0 in such a way that a user with
> access to that computer can initiate the support session by running that
> command, or you use a cron job, or you configure it as a permanent
> connection that is established whenever user0 boots up. (Note that the
> administrator of user0's firewall might notice what you are doing and
> he/she might not like that you poke a permanent hole into the firewall.)
>
> With the port forward via ssh in place, it should be possible to ssh
> into server0 from admin0 or admin1 and once you have your shell on
> server0, you run
>
> ssh -p 22222 localhost
>
> which will establish an ssh session to port 22222 of server0, meaning
> that you connect via the ssh tunnel to port 22 of user0 (which I assume
> is the port on which user0's ssh server listens).
>
> I am not entirely sure if I have all the syntax correct, though. It may
> be possible to simplify the two-step ssh chain admin0/1 -> server0
> -> user0 by using ProxyCommand with netcat, see "man ssh_config".
>
Thank you Florian for taking the time to answer my question. This is
really appreciated, you were correct with the commands and I got it working:

    ssh -f -N -R 9999:127.0.0.1:22 user0@server0
    ssh -p 9999 user0@localhost

Thank you,
Kind regards,
Jelle
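
The working commands above, together with the ProxyCommand simplification Florian mentions, written as ssh_config entries. This is an added example, not configuration posted by anyone in the thread. The host aliases support-tunnel and user0-via-server0, the account name admin0 on server0, and nc being installed on server0 are assumptions.

```sshconfig
# --- on user0: ~/.ssh/config -------------------------------------------
# Same reverse forward as `ssh -f -N -R 9999:127.0.0.1:22 user0@server0`.
# Start it with:  ssh -f -N support-tunnel   (alias name is an assumption)
Host support-tunnel
    HostName 84.245.3.195
    User user0
    # Bind the listener to server0's loopback interface only, so the
    # tunnel is reachable just by accounts already logged in on server0.
    RemoteForward 127.0.0.1:9999 127.0.0.1:22
    # Exit instead of staying connected without the forward
    # (for example when port 9999 is already taken on server0).
    ExitOnForwardFailure yes
    # Detect a dead link behind NAT and end the session.
    ServerAliveInterval 30
    ServerAliveCountMax 3

# --- on admin0 / admin1: ~/.ssh/config ---------------------------------
Host server0
    HostName 84.245.3.195
    # Assumed account name on server0; use the admin's real login.
    User admin0

# One-step login replacing the two-step chain:  ssh user0-via-server0
Host user0-via-server0
    HostName localhost
    Port 9999
    User user0
    # nc runs on server0, so localhost:9999 here is server0's end of
    # the reverse tunnel, which leads to port 22 on user0.
    ProxyCommand ssh server0 nc %h %p
    # Record user0's host key under its own name instead of "localhost",
    # so it is verified on every connection and does not clash with
    # other forwarded hosts.
    HostKeyAlias user0
```

With this in place the admin's SSH session is end-to-end with user0's sshd: server0 only relays the encrypted stream, and user0's host key is checked on the admin's machine.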