Re: SSH/SFTP Connection Forwarding

From: Andrew (andrew_at_lod.com)
Date: 02/22/05

    Date: Tue, 22 Feb 2005 11:28:39 -0800
    
    

    intercom5 wrote:
    > I was wondering if anyone knew how to set up sftp connection forwarding.
    > What I mean by this is that a user tries to connect via sftp to a
    > remote server, say login.domain.com. I want this server (the login
    > server) to then redirect the client to another server based on which
    > client it is.
    >
    > For example, user1's files are on server1.domain.com and user2's files
    > are on server2.domain.com. But if either of them connects to
    > login.domain.com, they will be forwarded to their correct server
    > (server1 for user1 and server2 for user2).

    If user1 and user2 are connecting from known unique IP addresses, one
    option would be to use address translation on an intermediate router or
    firewall system. Destination traffic for port 22 could be translated
    based on source address. This would certainly be possible using iptables
    on Linux, or a Cisco router. Here's a drawing of what I'm talking about:

    user 1                                          server 1
    192.168.1.3 -------|                      |---- 192.168.2.98
                       |                      |
                       |----Cisco router------|
    user 2             |       (NAT)          |     server 2
    192.168.1.4 -------|                      |---- 192.168.2.99

    The Cisco router (or Linux box) would sit between the clients and
    servers, doing the address translation. Give login.domain.com an IP
    address of, say, 192.168.2.97 (which is not associated with any
    interface). The router has NAT rules which act as follows:

    1. Packets from 192.168.1.3 to 192.168.2.97 port 22, translate
    destination address to 192.168.2.98

    2. Packets from 192.168.1.4 to 192.168.2.97 port 22, translate
    destination address to 192.168.2.99

    Obviously, this can be scaled up to a number of clients and servers as
    required. Note, however, that if the IP addresses of user1 and user2 are
    not known in advance, or are not static, it will be difficult to write
    effective NAT rules.

    andrew@lod.com
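The two NAT rules in Andrew's reply, written out as Linux iptables commands for a box standing where the Cisco router does in his drawing. This is an added example, not code from the original post; the addresses are the ones from the post, the mapping table and the client subnet 192.168.1.0/24 are assumptions, and the script only prints the commands so they can be reviewed before being applied as root.

```shell
#!/bin/sh
# Added example, not from the original post: source-address-based DNAT
# of port 22 on a Linux router. Addresses are those from the post.
LOGIN_IP=192.168.2.97          # login.domain.com: bound to no interface
CLIENT_NET=192.168.1.0/24      # assumed client subnet from the drawing

# Constructed mapping table, one line per user:
# client source address -> server that holds that user's files.
NAT_MAP="192.168.1.3 192.168.2.98
192.168.1.4 192.168.2.99"

# dnat_target SRC: print the server a client address is redirected to.
# Prints nothing for an unknown client; as the post notes, a user whose
# address is not known and static cannot be given a rule at all.
dnat_target() {
    printf '%s\n' "$NAT_MAP" | while read -r src dst; do
        if [ "$src" = "$1" ]; then printf '%s\n' "$dst"; break; fi
    done
    return 0
}

# gen_rules: print the iptables commands implementing the table.
# Translation happens in the nat table's PREROUTING chain, so FORWARD
# already sees the real server address and only that flow is accepted.
# A client matching no rule is left untranslated and, because
# 192.168.2.97 belongs to no interface, simply gets no connection.
gen_rules() {
    printf 'sysctl -w net.ipv4.ip_forward=1\n'
    printf 'iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n'
    printf '%s\n' "$NAT_MAP" | while read -r src dst; do
        printf 'iptables -t nat -A PREROUTING -s %s -d %s -p tcp --dport 22 -j DNAT --to-destination %s:22\n' \
            "$src" "$LOGIN_IP" "$dst"
        printf 'iptables -A FORWARD -s %s -d %s -p tcp --dport 22 -j ACCEPT\n' "$src" "$dst"
    done
    # Only needed if the servers cannot route replies back to the clients.
    printf '# optional: iptables -t nat -A POSTROUTING -s %s -p tcp --dport 22 -j MASQUERADE\n' "$CLIENT_NET"
}
```

Pipe the output into a root shell (`gen_rules | sudo sh`) once the printed rules look right for your addresses.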


