Re: reverse ssh

From: Micah Bushouse (bushous2_at_msu.edu)
Date: 10/06/04

    To: John Mills <john.m.mills@alum.mit.edu>
    Date: Tue, 05 Oct 2004 23:08:07 -0400
    
    

    On Tue, 2004-10-05 at 16:40, John Mills wrote:
    > Freebies -
    >
    > On Tue, 5 Oct 2004, Ion-Mihai Tetcu wrote:
    >
    > > [ please don't lose context ]
    >
    > > On Tue, 05 Oct 2004 19:45:38 +0200
    > > Benjamin Walkenhorst <krylon@gmx.net> wrote:
    >
    > > > Micah Bushouse wrote:
    > > >
    > > > > I have a BSD box (home) sitting on an apartment complex network
    > > > > (dhcp/nat/firewall) that I don't control. I also have a BSD box (work)
    > > > > with a static IP sitting on my university's network.
    > > > >
    > > > > Is there a way to open a ssh/other connection before I leave for work in
    > > > > the morning (from the home box to the work box), then travel to the
    > > > > university, sit at my desk and use this connection to get a terminal on
    > > > > my home machine? Is there any software out there that addresses this?
    > > > > Ideally it would involve ssh.
    > > >
    > > > You could write a script that sends an email to you every morning
    > > > which contains your IP-address. *Encrypted*, of course!!!
    >
    > > Since his home machine is behind a NAT, what would knowing its
    > > (private) IP serve?
    >
    > Look into 'man ssh' and check the '-R' option. I suggest a script be
    > written to run an 'ssh -R' login from the home box to the office box,
    > setting up the tunnel for reverse use. You (or !!_CAUTION_!! anyone else
    > logged into either box) can use the tunnel for whatever connects to it.
    >
    > I suggest you connect back to your home system's 'sshd' port and then you
    > will have to satisfy the home box's login authorization to get access
    > there (at the price of two levels of ssl wrappers, I suppose). The
    > designated remote port effectively becomes an extension of your local
    > 'sshd' connection port on the office machine. Set the remote machine up
    > for RSA login from your home machine so you won't have to send the
    > password from your script.
    >
    > Make sure the incoming port can get through your home firewall and the
    > apartment complex's router - that shouldn't be too stringent, as [I
    > _think_] it will look like 'reply' traffic to both of those filters,
    > rather than incoming requests. The firewall on your office system will see
    > them as incoming ssh requests, which I assume you now accept.
    >
    > DISCLAIMER: I have a static IP at home, and have only done this the other
    > direction: exporting VNC $DISPLAY sessions from home to the outside world
    > as pseudo-X11 logins onto the home box. The tunnel is set up by my ssh
    > login from outside. (I know, I know -- a bit ugly, but it's easy to set
    > up.) For simplicity I scripted the login as:
    >
    > sshTunnel:
    > =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
    > #!/bin/sh
    > echo "Connecting port :<local_port> to $1:<remote_port>"
    > ssh -C -g -L <local_port>:$1:<remote_port> $1

    From home, I used:

    > ssh -C -g -R 2222:127.0.0.1:22 <university-static-ip>

    Then I made a separate ssh session into the school BSD box and executed
    this on the school box:

    > ssh -p 2222 127.0.0.1

    After supplying credentials I had a terminal back at my apartment. Port
    2222 is filtered to be only available to lo0. Thing of beauty.

    Excellent help... Thanks!
    ~Micah

    > =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
    >
    > You would be using '-R' instead of '-L' of course, and using appropriate
    > port definitions.
    >
    > I invoke my script as:
    > $ sshTunnel <remote_host>
    >
    > The life of the tunnel should be the same as the life of that scripted ssh
    > login, which may influence what exactly you script.
    >
    > Whatever I send to <local_port> is wrapped, sent, unwrapped, and passed to
    > <remote_host>:<remote_port>, and vice-versa.
    >
    > REFINEMENTS:
    > (1) In view of the !!_CAUTION_!! note above, you may want to create a
    > pair of low-privilege users on the two machines and have the script
    > connect _them_. The script should run with the home dummy-user's uid. This
    > should help limit the damage potential from an intruder. (I would call
    > this: 'making a virtue of necessity'.) You then ssh-connect _locally_ on
    > the office machine to 'ride' the tunnel back to your home machine as
    > yourself.
    > (2) I bet someone who really understands tunneling could make this work
    > with only one layer of ssl wrappers, but I'm not that clever.
    >
    > - John Mills
    > john.m.mills@alum.mit.edu
    >

    _______________________________________________
    freebsd-questions@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-questions
    To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
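A fuller version of the scripted 'ssh -R' login discussed in this thread, following John Mills' refinement of a dedicated low-privilege tunnel user and a key instead of a scripted password. This is an added example, not code from any of the posts; it assumes a current OpenSSH (the authorized_keys options need 7.8 or later), an office host office.example.edu, a tunnel user named "tunnel" and a key file ~/.ssh/tunnel_key.

```shell
#!/bin/sh
# Keep a reverse tunnel alive from the home box to the office box.
# Assumed names (override via environment): office host, tunnel user, key path.
OFFICE_HOST="${OFFICE_HOST:-office.example.edu}"
TUNNEL_USER="${TUNNEL_USER:-tunnel}"
KEY="${KEY:-$HOME/.ssh/tunnel_key}"
REMOTE_PORT="${REMOTE_PORT:-2222}"

# The listening port on the office side must be an unprivileged port number.
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]
}

# Build the ssh command line. -N opens no shell (the tunnel user needs none),
# BatchMode never prompts, ExitOnForwardFailure turns a stale listener on the
# office side into a hard failure instead of a silent half-working session, and
# the ServerAlive options drop a dead session so the loop below reconnects.
# No bind address is given, so the office sshd binds the port to loopback (its
# default unless GatewayPorts is enabled): only local logins can ride the tunnel.
tunnel_cmd() {
    valid_port "$1" || return 1
    printf 'ssh -N -o BatchMode=yes -o ExitOnForwardFailure=yes'
    printf ' -o ServerAliveInterval=60 -o ServerAliveCountMax=3'
    printf ' -i %s -R %s:127.0.0.1:22 %s@%s\n' "$KEY" "$1" "$TUNNEL_USER" "$2"
}

# authorized_keys entry for the tunnel user on the office box: "restrict" turns
# off shell, pty, agent and X11 forwarding; "port-forwarding" re-enables only
# forwarding, and "permitlisten" limits it to the one remote port requested.
authorized_keys_line() {
    valid_port "$1" || return 1
    printf 'restrict,port-forwarding,permitlisten="%s" %s\n' "$1" "$2"
}

# Reconnect after a pause whenever the session drops (DHCP lease change, etc.).
run_tunnel() {
    while :; do
        eval "$(tunnel_cmd "$REMOTE_PORT" "$OFFICE_HOST")"
        sleep 30
    done
}

if [ "${1:-}" = run ]; then run_tunnel; fi
```

Run it as `sh tunnel.sh run` from the home box, then ride the tunnel from a local login on the office box with `ssh -p 2222 127.0.0.1` as in the thread.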

