Re: reverse SSH / SSH over NAT traversal
Konstantin Svist wrote:
Hi all,

I'm trying to connect to a remote host to do some simple support. The remote host is behind a NAT/firewall and it's not possible to ask the admin to tunnel a port. The remote host has a live person working on it (a linux newbie).
The question is, can the remote user type in some command in their terminal to connect (SSH?) to my network - and thereby allow me to get a terminal on the remote machine. I think this is possible with a reverse SSH tunnel - but I don't really want to allow the remote user any access to my system. It's probably possible to set up some chroot or otherwise locked out environment (/bin/nologin ?), but I want to first check if there are any simpler options.

A better question: is it possible to establish an SSH connection if both networks have NAT/firewalls that can't be easily controlled? I know some programs (e.g. skype) are able to traverse NATs by various means (UDP). Can some tunnel of this sort be established so that an SSH connection can be established on top of that?


Thanks!
I've never tried using chroot for anything, but to handle the ssh issue, have the user enter the command:

ssh -R 12345:127.0.0.1:22 username@yourhost

have the user log in. At this point you can enter:

ssh -p 12345 username@xxxxxxxxx

where username is the username on your client's machine.

If you want to take it one step further you can enter:

ssh -D 4567 -p 12345 username@xxxxxxxxx

Now your local machine is running as if it's a SOCKS proxy, and any software that can be told to use a proxy will be able to connect to the remote network: set the proxy host to be 127.0.0.1 and the port to be 4567 (you can adjust the port if you like).

What I do for my own use is use the "-D" option and a program I found called "connect"
http://www.taiyo.co.jp/~gotoh/ssh/connect.c
and then put in ~/.ssh/config these two lines:

host 10.*
ProxyCommand /usr/local/bin/connect -4 -S 127.0.0.1:4567 %h %p

You can do "host *.foo.com" as well and it will match anything in the .foo.com domain.

Now every time I type "ssh username@xxxxxxxx" it automatically proxies my connection if the ssh tunnel is up.

Jeff
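Konstantin's worry in the original question, that a reverse tunnel hands the remote user a login on his own machine, can be handled on the sshd side without a chroot. The script below is an added example and not Jeff's or anyone else's code from this thread. It assumes a dedicated account called "tunnel", the forward port 12345 from Jeff's command, and an OpenSSH on your host new enough for the "restrict" key option (7.2) and "permitlisten"/"PermitListen" (7.8); the hostname yourhost.example.com is a placeholder. The authorized_keys entry and the sshd_config Match block say the same thing twice on purpose: the remote user may bind one loopback port on your host and nothing else, and gets a sleeping forced command instead of a shell if they forget -N.

```shell
#!/bin/sh
# Added example (not from the thread): lock down the account the remote
# user connects to, so the reverse tunnel is the only thing it can do.
# Assumed names (not in the thread): account "tunnel", port 12345,
# OpenSSH >= 7.8 on the receiving host.

TUNNEL_USER=tunnel
TUNNEL_PORT=12345

# Accept only a key line in the format ssh-keygen writes, so a pasted
# option string or shell snippet cannot end up in authorized_keys.
valid_pubkey() {
    case "$1" in
        ssh-ed25519\ *|ssh-rsa\ *|ecdsa-sha2-nistp???\ *|sk-ssh-ed25519@openssh.com\ *) return 0 ;;
        *) return 1 ;;
    esac
}

# authorized_keys entry: "restrict" disables pty, agent/X11 forwarding,
# port forwarding and ~/.ssh/rc; "port-forwarding" re-enables forwarding,
# "permitlisten" limits -R to the one port, and the forced command replaces
# the shell if the user omits -N, so the session idles and keeps the tunnel up.
restricted_key_line() {
    valid_pubkey "$1" || return 1
    printf 'restrict,port-forwarding,permitlisten="%s",command="/bin/sleep infinity" %s\n' \
        "$TUNNEL_PORT" "$1"
}

# Matching sshd_config block, so the limits hold even if the key line is
# later edited. "remote" permits -R from this account but not -L or -D.
sshd_match_block() {
    cat <<EOF
Match User $TUNNEL_USER
    AllowTcpForwarding remote
    PermitListen $TUNNEL_PORT
    PermitTTY no
    X11Forwarding no
    AllowAgentForwarding no
    ForceCommand /bin/sleep infinity
EOF
}

# What the remote user types. -N requests no shell at all. Without
# GatewayPorts the forwarded port binds only on your host's loopback.
remote_user_command() {
    printf 'ssh -N -R %s:127.0.0.1:22 %s@%s\n' "$TUNNEL_PORT" "$TUNNEL_USER" "$1"
}

# Your side once the tunnel is up: $1 is your account on the remote box.
support_command() {
    printf 'ssh -p %s %s@127.0.0.1\n' "$TUNNEL_PORT" "$1"
}

# Install step: the account needs a real shell because sshd runs the forced
# command through it (/sbin/nologin would kill the session, tunnel included).
# Usage: sh tunnel-account.sh install /path/to/remote_user.pub
if [ "$1" = install ]; then
    pub=$(head -n1 "$2")
    line=$(restricted_key_line "$pub") || { echo "refusing malformed public key" >&2; exit 1; }
    useradd -m -s /bin/sh "$TUNNEL_USER"
    install -d -m 700 -o "$TUNNEL_USER" -g "$TUNNEL_USER" "/home/$TUNNEL_USER/.ssh"
    printf '%s\n' "$line" > "/home/$TUNNEL_USER/.ssh/authorized_keys"
    chown "$TUNNEL_USER:$TUNNEL_USER" "/home/$TUNNEL_USER/.ssh/authorized_keys"
    chmod 600 "/home/$TUNNEL_USER/.ssh/authorized_keys"
    sshd_match_block >> /etc/ssh/sshd_config
    echo "reload sshd, then have the remote user run:"
    remote_user_command yourhost.example.com
fi
```

The remote user only ever has to run the one command printed at the end; the support engineer then connects to 127.0.0.1:12345 and authenticates against the remote machine's own sshd, so all access control on that side stays with the remote host. Check with "ssh -V" on your host before relying on permitlisten; on an older OpenSSH the key line is rejected outright rather than silently loosened.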


--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list