reverse ssh

Micah Bushouse bushous2 at msu.edu
Tue Oct 5 20:08:12 PDT 2004


On Tue, 2004-10-05 at 16:40, John Mills wrote:
> Freebies -
> 
> On Tue, 5 Oct 2004, Ion-Mihai Tetcu wrote:
> 
> > [ please don't lose context ]
>  
> > On Tue, 05 Oct 2004 19:45:38 +0200
> > Benjamin Walkenhorst <krylon at gmx.net> wrote:
>  
> > > Micah Bushouse wrote:
> > >
> > > > I have a BSD box (home) sitting on an apartment complex network
> > > > (dhcp/nat/firewall) that I don't control. I also have a BSD box (work)
> > > > with a static IP sitting on my university's network.
> > > > 
> > > > Is there a way to open a ssh/other connection before I leave for work in
> > > > the morning (from the home box to the work box), then travel to the
> > > > university, sit at my desk and use this connection to get a terminal on
> > > > my home machine? Is there any software out there that addresses this?
> > > > Ideally it would involve ssh.
> > > 
> > > You could write a script that sends an email to you every morning
> > > which contains your IP-address. *Encrypted*, of course!!!
>  
> > Since his home machine is behind a NAT, what would knowing its
> > (private) IP serve?
> 
> Look into 'man ssh' and check the '-R' option. I suggest a script be
> written to run an 'ssh -R' login from the home box to the office box,
> setting up the tunnel for reverse use. You (or !!_CAUTION_!! anyone else
> logged into either box) can use the tunnel for whatever connects to it.
> 
> I suggest you connect back to your home system's 'sshd' port and then you
> will have to satisfy the home box's login authorization to get access
> there (at the price of two levels of ssl wrappers, I suppose). The
> designated remote port effectively becomes an extension of your local
> 'sshd' connection port on the office machine. Set the remote machine up
> for RSA login from your home machine so you won't have to send the
> password from your script.
> 
> Make sure the incoming port can get through your home firewall and the
> apartment complex's router - that shouldn't be too stringent, as [I
> _think_] it will look like 'reply' traffic to both of those filters,
> rather than incoming requests. The firewall on your office system will see
> them as incoming ssh requests, which I assume you now accept.
> 
> DISCLAIMER: I have a static IP at home, and have only done this the other
> direction: exporting VNC $DISPLAY sessions from home to the outside world
> as pseudo-X11 logins onto the home box. The tunnel is setup by my ssh
> login from outside. (I know, I know -- a bit ugly, but it's easy to set
> up.) For simplicity I scripted the login as:
> 
> sshTunnel:
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
> #!/bin/sh
> echo "Connecting port :<local_port> to $1:<remote_port>"
> ssh -C -g -L <local_port>:$1:<remote_port> $1

From home, I used:

> ssh -C -g -R 2222:127.0.0.1:22 <university-static-ip>

Then I made a separate ssh session into the school BSD box and executed
this on the school box:

> ssh -p 2222 127.0.0.1

After supplying credentials I had a terminal back at my apartment. Port
2222 is filtered to be only available to lo0. Thing of beauty.

Excellent help... Thanks!
~Micah

> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
> 
> You would be using '-R' instead of '-L' of course, and using appropriate 
> port definitions.
> 
> I invoke my script as:
>  $ sshTunnel <remote_host>
> 
> The life of the tunnel should be the same as the life of that scripted ssh
> login, which may influence what exactly you script.
> 
> Whatever I send to <local_port> is wrapped, sent, unwrapped, and passed to
> <remote_host>:<remote_port>, and vice-versa.
> 
> REFINEMENTS:
>  (1) In view of the !!_CAUTION_!! note above, you may want to create a
> pair of low-privilege users on the two machines and have the script
> connect _them_. The script should run with the home dummy-user's uid. This
> should help limit the damage potential from an intruder. (I would call
> this: 'making a virtue of necessity'.) You then ssh-connect _locally_ on
> the office machine to 'ride' the tunnel back to your home machine as
> yourself.
>  (2) I bet someone who really understands tunneling could make this work
> with only one layer of ssl wrappers, but I'm not that clever.
>  
>  - John Mills
>    john.m.mills at alum.mit.edu
> 
> _______________________________________________
> freebsd-questions at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe at freebsd.org"
> 
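The procedure above (John's 'ssh -R' suggestion and Micah's two commands), written out as one script. This is an added example, not a script posted in the thread; the user name "tunnel", the host "office.example.edu", the key path and the port numbers are placeholders. It follows John's refinement (1): a dedicated low-privilege account on each box owns the tunnel, and on the office side that account's key is limited to carrying the one port forward, which relies on the "restrict" and "permitlisten" authorized_keys options (OpenSSH 7.2 and 7.8 or later; they did not exist when this thread was written).

```sh
#!/bin/sh
# Added example, not a script from the original thread. It wraps the
# "ssh -R" procedure as John's refinement (1) suggests: a low-privilege
# user on each box owns the tunnel, and the office-side key can do
# nothing but carry that one port forward. Host names, user names,
# ports and the key path are assumptions for illustration.

TUNNEL_USER="tunnel"                 # low-privilege account on the office box (assumed)
OFFICE_HOST="office.example.edu"     # office box's static address (placeholder)
OFFICE_PORT="2222"                   # listener on the office box, loopback only
HOME_SSHD_PORT="22"                  # sshd on the home box
KEY="/home/tunnel/.ssh/id_tunnel"    # passphrase-less key owned by the home tunnel user (assumed)

# Home side: assemble the ssh command line. Compared with the bare
# "ssh -C -g -R 2222:127.0.0.1:22 <university-static-ip>" in the thread:
#  - an explicit 127.0.0.1 bind address on the -R side and no -g; for a
#    remote forward the office sshd's GatewayPorts setting decides where the
#    listener binds (default "no" = loopback, "yes" = every interface), so
#    that setting must be checked on the office box as well;
#  - -N requests no remote shell, so the home box's script never holds a
#    prompt on the office box;
#  - BatchMode never prompts for a password, so a missing or rejected key
#    fails fast instead of hanging the script;
#  - ExitOnForwardFailure makes ssh exit if 2222 is already bound on the
#    office box, instead of leaving a live session with no tunnel;
#  - ServerAlive* keepalives notice when the apartment NAT has dropped the
#    idle connection so the loop below can rebuild it.
tunnel_cmd() {
    cmd="ssh -N -i $KEY"
    cmd="$cmd -o BatchMode=yes -o ExitOnForwardFailure=yes"
    cmd="$cmd -o ServerAliveInterval=30 -o ServerAliveCountMax=3"
    cmd="$cmd -R 127.0.0.1:${OFFICE_PORT}:127.0.0.1:${HOME_SSHD_PORT}"
    cmd="$cmd ${TUNNEL_USER}@${OFFICE_HOST}"
    printf '%s\n' "$cmd"
}

# Home side: keep the tunnel up. Run this from the home tunnel user's
# crontab (@reboot) or an rc script, not from your own account.
tunnel_loop() {
    while :; do
        eval "$(tunnel_cmd)"
        sleep 15    # back off before reconnecting
    done
}

# Office side: the authorized_keys line for the tunnel user. "restrict"
# (OpenSSH 7.2+) turns off pty, agent/X11 forwarding, user rc and all
# forwarding; "port-forwarding" re-enables just that, and "permitlisten"
# (OpenSSH 7.8+) limits the remote forward to this one loopback port.
# Whoever steals the key gets neither a shell nor a general proxy.
# $1 is the public key text from id_tunnel.pub.
authorized_keys_entry() {
    printf 'restrict,port-forwarding,permitlisten="127.0.0.1:%s" %s\n' \
        "$OFFICE_PORT" "$1"
}

# Office side, as yourself: ride the tunnel back home. You still have to
# satisfy the home box's sshd, which is the second layer John mentions.
ride_tunnel_cmd() {
    printf 'ssh -p %s 127.0.0.1\n' "$OFFICE_PORT"
}

# Office side: confirm the listener really is loopback-only before trusting
# it (FreeBSD; on Linux use "ss -ltn"):
#   sockstat -4l | grep ":${OFFICE_PORT}"    # expect 127.0.0.1:2222, not *:2222

if [ "${1:-}" = "run" ]; then
    tunnel_loop
fi
```

Invoked as "sh reverse-tunnel.sh run" on the home box it loops forever re-establishing the forward; the other functions only print the command lines and the authorized_keys entry so they can be pasted where they belong. The two authentication layers remain as John described: the tunnel key only reaches the office sshd as the restricted tunnel user, and your own credentials are what the home sshd checks when you ride the forward back.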

