Re: reverse SSH / SSH over NAT traversal

Jeffrey Ross wrote:


Konstantin Svist wrote:


I've never tried using chroot for anything but to handle the ssh issue
have the user enter the command:

ssh -R 12345:127.0.0.1:22 username@yourhost

have the user login. At this point you can enter:

ssh -p 12345 username@xxxxxxxxx

where usename is the username on your clients machine.

If you want to take it one step further you can enter:

ssh -D 4567 -p 12345 username@xxxxxxxxx

now your local machine is running as if its a socks proxy and any
software that can be told to use a proxy will be able to connect to
the remote network, set the proxy host to be 127.0.0.1 and the port to
be 4567 (you can adjust the port if you like)

What I do for my own use is use the "-D" option and a program I found
called "connect"
http://www.taiyo.co.jp/~gotoh/ssh/connect.c
and then put in ~/.ssh/config these two lines:

host 10.*
ProxyCommand /usr/local/bin/connect -4 -S 127.0.0.1:4567 %h %p

you can do "host *.foo.com" as well and it will match anything in the
.foo.com domain.

Now every time I type "ssh username@xxxxxxxx" it automatically proxies
my connection if the ssh tunnel is up.

Jeff

Doesn't allowing the other user to create an SSH tunnel lower your
security? They might append a -L option (when they do ssh -R) and -
presto - they have unfirewalled access to your ports. Granted, this is
usually not an issue when users on the other side are newbies - but if
you get used to this technique and use it when it's not safe... you get
the point

I didn't say it provided security, it does allow you to get around
firewalls and NAT translations. It also shows that a firewall should not
be your only line of defense as it can easily be defeated by well
intentioned uses.

--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list

Relevant Pages

  • Re: Port Forwarding
    ... I'm using SecureCRT 5.2.1 and i want to make ssh tunnel to access some ... I have to access Host 2, but to get to host 2 i have to first access ... Is there a way of doing it on SecureCRT? ... pick a port to use locally. ...
    (comp.security.ssh)
  • Re: SSH Tunneling, view web site as though I am in the USA
    ... $ ssh -D 1080 me@us_server ... And then set your local web browser to proxy using socks 4 to server ... HTTP Proxy: localhost Port: 1080 ... Not http proxy, SOCKS 4 proxy. ...
    (comp.security.ssh)
  • RE: ssh webclient
    ... I binded my sshd on port 443, and set up putty to connect on 443. ... I think we have a transparent proxy or something like that. ... > outside ssh server to port 443, or set up a ssh server at home to port ... I do not get the timeout when i do this if there is not ...
    (SSH)
  • Re: Alternatives for port forwarding
    ... to exceed what SSH can accomplish. ... If one user is having host A log in with a remote forward listening on ... port 10000, with the intent of logging in from host B with a local forward ... or any connections to a port on the server. ...
    (comp.security.ssh)
  • Dont write to known_hosts
    ... me a great deal of mess every time I try to SSH login from Linux. ... He has made some kind of port forwarding on a gateway host to protect some ... The machines are all Linux machines and are all ...
    (comp.security.ssh)