Re: ssh/scp forwarding

From: David Efflandt (
Date: 08/16/04

Date: Mon, 16 Aug 2004 00:58:09 +0000 (UTC)

On 12 Aug 2004 12:19:08 GMT, Bob Tennent <> wrote:
> I'm looking for a simple but secure way to ssh/scp from the net into
> a host on a home LAN behind a firewall. Both the target host and the
> firewall host run Linux and I have logins on both. (In fact I have root
> access on both but I would think this can be set up without invoking
> root powers.) And I'm sure this is explained somewhere in the man pages
> for ssh/sshd or their config files but the jargon is too heavy for me,
> so please keep it simple. Thanks.

The simplest is to ssh to the firewall, then ssh in from there, which does
not require re-entering a password or key passphrase if using ssh-agent and
agent forwarding. Or if you need to access something else on the LAN, you can
tunnel TCP ports through ssh. These are the methods I use at home (or at
work where I do not have root access to the public smtp server I ssh into

The problem with trying to tunnel ssh in directly is that your client
would see a different host key if logging into the firewall vs. tunneling
through the firewall. Since from your viewpoint they would both appear to
have the same IP, your ssh client may think that one or the other host
key is spoofed. It might work if you had more than one name pointing at
the public IP and each connection was associated with a different

If you do not need to access the firewall itself, it should work
forwarding port 22 (or another port) into the internal server, since there
would only be one host key associated with that public name or IP. But I do
not know the specific iptables command to do that through NAT.

David Efflandt - All spam ignored
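An added example, not part of David Efflandt's reply: a client-side ssh_config plus the commands for the two approaches he describes (hop through the firewall, or tunnel the internal sshd's port), written with current OpenSSH options (ProxyJump, HostKeyAlias) that did not exist when the reply was posted. The host names gw and lanbox, the user alice and the addresses are assumed placeholders.

```shell
#!/bin/sh
# Added example (not from the original post). Assumed names: "gw" is the home
# firewall host, "lanbox" the internal host, "alice" the login; 203.0.113.10 is a
# documentation-range placeholder for the public IP, 192.168.1.20 for the LAN host.

# Approach 1 from the reply ("ssh to the firewall, then ssh in from there"),
# expressed as an ssh_config so a plain "ssh lanbox" does both hops.
#  - ProxyJump (OpenSSH 7.3+) relays the connection through gw; the inner
#    authentication happens end to end, so no agent forwarding is needed and the
#    firewall host never sees your agent socket.
#  - HostKeyAlias records lanbox's key under the name "lanbox" instead of under
#    the address used to reach it, so the client never mixes up the firewall's
#    key and the internal host's key (the confusion the reply warns about).
write_ssh_config() {
    cat > "$1" <<'EOF'
Host gw
    HostName 203.0.113.10
    User alice
    ForwardAgent no

Host lanbox
    HostName 192.168.1.20
    User alice
    ProxyJump gw
    HostKeyAlias lanbox
EOF
}

# Approach 2 from the reply: forward the internal sshd's port 22 through the
# firewall to a local port, then ssh to that local port. Without HostKeyAlias
# the key would be stored for "[localhost]:2222", so tunnelling a different LAN
# host over the same local port later would trip the host-key check.
tunnel_cmd() {
    echo "ssh -N -L 2222:192.168.1.20:22 gw"
}
through_tunnel_cmd() {
    echo "ssh -p 2222 -o HostKeyAlias=lanbox alice@localhost"
}
```

Put the fragment in ~/.ssh/config, then "ssh lanbox" uses the first approach; the second approach is the pair of commands above, run in two terminals.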
