Re: reverse SSH / SSH over NAT traversal

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Jeffrey Ross wrote:



Konstantin Svist wrote:

Hi all,
I'm trying to connect to a remote host to do some simple support. The remote host is behind a NAT/firewall and it's not possible to ask the admin to tunnel a port. The remote host has a live person working on it (a linux newbie). The question is, can the remote user type in some command in their terminal to connect (SSH?) to my network - and thereby allow me to get a terminal on the remote machine. I think this is possible with a reverse SSH tunnel - but I don't really want to allow the remote user any access to my system. It's probably possible to set up some chroot or otherwise locked out environment (/bin/nologin ?), but I want to first check if there are any simpler options.
A better question: is it possible to establish an SSH connection if both networks have NAT/firewalls that can't be easily controlled? I know some programs (e.g. skype) are able to traverse NATs by various means (UDP). Can some tunnel of this sort be established so that an SSH connection can be established on top of that? 


Thanks!
I've never tried using chroot for anything but to handle the ssh issue have the user enter the command: 

ssh -R 12345:127.0.0.1:22 username@yourhost

have the user login.  At this point you can enter:

ssh -p 12345 username@xxxxxxxxx

where usename is the username on your clients machine.

If you want to take it one step further you can enter:

ssh -D 4567 -p 12345 username@xxxxxxxxx
now your local machine is running as if its a socks proxy and any software that can be told to use a proxy will be able to connect to the remote network, set the proxy host to be 127.0.0.1 and the port to be 4567 (you can adjust the port if you like)
What I do for my own use is use the "-D" option and a program I found called "connect" 
http://www.taiyo.co.jp/~gotoh/ssh/connect.c
and then put in ~/.ssh/config these two lines:

host 10.*
ProxyCommand /usr/local/bin/connect -4 -S 127.0.0.1:4567 %h %p
you can do "host *.foo.com" as well and it will match anything in the .foo.com domain.
Now every time I type "ssh username@xxxxxxxx" it automatically proxies my connection if the ssh tunnel is up. 

Jeff
Doesn't allowing the other user to create an SSH tunnel lower your security? They might append a -L option (when they do ssh -R) and - presto - they have unfirewalled access to your ports. Granted, this is usually not an issue when users on the other side are newbies - but if you get used to this technique and use it when it's not safe... you get the point
[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux