Re: ssh/scp forwarding

From: David Efflandt (efflandt_at_xnet.com)
Date: 08/16/04


Date: Mon, 16 Aug 2004 00:58:09 +0000 (UTC)

On 12 Aug 2004 12:19:08 GMT, Bob Tennent <BobT@cs.queensu.ca> wrote:
> I'm looking for a simple but secure way to ssh/scp from the net into
> a host on a home LAN behind a firewall. Both the target host and the
> firewall host run Linux and I have logins on both. (In fact I have root
> access on both but I would think this can be set up without invoking
> root powers.) And I'm sure this is explained somewhere in the man pages
> for ssh/sshd or their config files but the jargon is too heavy for me,
> so please keep it simple. Thanks.

The simplest is to ssh to the firewall, then ssh in from there, which does
not require re-entering a password or key passphrase if using ssh-agent and
agent forwarding. Or, if you need to access something else on the LAN, you can
tunnel TCP ports through ssh. These are the methods I use at home (or at
work, where I do not have root access to the public SMTP server I ssh into
first).

The problem with trying to tunnel ssh in directly is that your client
would see a different host key when logging into the firewall vs. tunnelling
through the firewall. Since from your viewpoint they would both appear to
have the same IP, your ssh client may think that one or the other host
key is spoofed. It might work if you had more than one name pointing at
the public IP and each connection was associated with a different
hostname.

If you do not need to access the firewall itself, it should work to
forward port 22 (or another port) to the internal server, since there
would only be one host key associated with that public name or IP. But I do
not know the specific iptables command to do that through NAT.

-- 
David Efflandt - All spam ignored  http://www.de-srv.com/
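The two methods from the reply above (hop via the firewall with agent forwarding, or tunnel a local port to the LAN host's sshd), plus a check for the host-key collision the reply warns about, as an added example that is not part of the original post. Names are placeholders: fw.example.org is the public firewall, lanbox is the LAN host as the firewall resolves it, 2222 is the local tunnel port, and an ssh-agent is assumed to hold the key already.

```shell
#!/bin/sh
# Added example, not from the original post. Placeholder names: fw.example.org
# (public firewall host), lanbox (LAN host as seen from the firewall), 2222
# (local end of the tunnel). Assumes a running ssh-agent with your key loaded.

# Method 1 from the post: hop through the firewall. -A forwards the agent so the
# inner ssh authenticates without a second passphrase prompt; -t keeps a tty for
# the inner interactive session. Caveat: root on the firewall can use the
# forwarded agent socket while the session lasts; newer OpenSSH (7.3+) offers
# "ssh -J fw.example.org lanbox" (ProxyJump), which needs no agent forwarding.
hop_cmd() {
    printf 'ssh -A -t %s ssh %s\n' "$1" "$2"
}

# Method 2 from the post: forward a local port through the firewall to the LAN
# host's port 22, then ssh to the local end. Without HostKeyAlias the client
# files the LAN host's key under "[localhost]:2222"; tunnelling a different
# host through that same port later produces exactly the "spoofed host key"
# warning described above. HostKeyAlias stores the key under the real name.
tunnel_cmds() {
    fw=$1; lanhost=$2; lport=$3
    printf 'ssh -N -L %s:%s:22 %s\n' "$lport" "$lanhost" "$fw"
    printf 'ssh -p %s -o HostKeyAlias=%s localhost\n' "$lport" "$lanhost"
}

# Check before reusing a local tunnel port: how many known_hosts entries are
# already filed under [localhost]:PORT? Only plain-text entries are matched;
# with HashKnownHosts=yes the host field is hashed and "ssh-keygen -F" must be
# used instead. Prints the count (0 when none).
port_alias_collision() {
    n=$(grep -c "^\[localhost\]:$2 " "$1" || true)
    echo "$n"
}

# Constructed sample known_hosts for demonstration (keys are placeholders).
KNOWN_HOSTS_SAMPLE=/tmp/known_hosts.sample.$$
cat > "$KNOWN_HOSTS_SAMPLE" <<'EOF'
[localhost]:2222 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEY
fw.example.org ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQPLACEHOLDERKEY
EOF

hop_cmd fw.example.org lanbox
tunnel_cmds fw.example.org lanbox 2222
echo "entries already using [localhost]:2222: $(port_alias_collision "$KNOWN_HOSTS_SAMPLE" 2222)"
```

The port_alias_collision count greater than zero means a tunnel to a different LAN host on that port will trip the host-key mismatch warning unless HostKeyAlias is used.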