Quick and simple ssh(1) question

Matthew Seaman m.seaman at infracaninophile.co.uk
Tue Sep 14 03:30:25 PDT 2004

On Tue, Sep 14, 2004 at 12:02:32AM +0100, Mark Ovens wrote:
> Chuck Swiger wrote:
> >Mark Ovens wrote:
> >>Is it correct that you can't ssh(1) between two machines on the same LAN 
> >>(using NAT) _via the Internet?_
> >>
> >>Strange question I know, but I need to be able to access one of my 
> >>machines, postie, remotely. I've got sshd(8) running and can ssh(1) to 
> >>it from a local machine using its local hostname. However, since I only 
> >>have a single 'net connection here I tried to test connecting remotely 
> >>by ssh(1)'ing to my router's 'net-facing hostname but I get
> >>
> >>  ssh: connect to host <router_hostname> port 22: Connection refused
> >>
> >>Port 22 is forwarded to postie on the router.
> >
> >Given time and sufficient determination, you ought to be able to make this 
> >work, but it's a real pain--
> [snip detailed info]
> I think that answers my question - it won't work the way I'm trying it. 
> As I said, this was just an attempt to test connecting from outside; 
> guess I'll have to wait until I get to work tomorrow and try it from 
> there (which is where I really want to connect from), it's just that if 
> it doesn't work I'll have to wait until I get home to change things - a 
> bit of a pain.

Note that with ssh(1), not only do you have to set up all of the port
forwarding and so forth as you would do with any protocol, but you also
have to worry about the SSH host keys.  SSH gets extremely narked and
refuses to connect (for very good reason) if the hostname/IP number of
the machine it's connecting to doesn't match the host keys presented
to it.  This can be overcome by editing /etc/ssh/known_hosts or
~/.ssh/known_hosts to associate host keys and hostnames as required.

One other alternative you might find more flexible: instead of using
NAT to do the port forwarding, you can use ssh itself.  This does have
the advantage that you can both ssh into your NAT box and hence into
your private machines.  Use the '-L' ssh tunnelling option -- ie. you
first ssh into your NAT server where you run:

    ssh -L 2222:otherhost:22

Then when you ssh to port 2222 on your NAT box you should get
forwarded to port 22 



Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK
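
The known_hosts edit mentioned in the message above, as an added example that is not part of the original post: a small shell helper that appends a second name to the host list of an existing entry, so the same host key is accepted under both names. The function name `add_host_alias`, the name `router.example.net`, the address and the key blob are constructed placeholders; `[host]:port` is the form ssh uses in known_hosts for ports other than 22.

```shell
#!/bin/sh
# add_host_alias FILE EXISTING NEWNAME  (hypothetical helper, not part of OpenSSH)
# Appends NEWNAME to the host list of each plain-text known_hosts entry that
# already names EXISTING, so one host key is accepted under both names.
# Returns 0 if the file was changed, 3 if nothing needed changing.
# Only add names that really lead to the same machine: the new name inherits
# the trust placed in that key.
add_host_alias() {
    file=$1 existing=$2 newname=$3 status=0
    tmp=$(mktemp) || return 1
    awk -v existing="$existing" -v newname="$newname" '
        /^[ \t]*#/ || /^[ \t]*$/ { print; next }   # comments and blank lines
        {
            # "@cert-authority" / "@revoked" lines keep the host list in field 2
            hf = ($1 ~ /^@/) ? 2 : 1
            # Hashed names (|1|salt|hash) cannot be compared as text: skip them
            if ($hf ~ /^\|1\|/) { print; next }
            n = split($hf, h, ","); found = 0; have = 0
            for (i = 1; i <= n; i++) {
                if (h[i] == existing) found = 1
                if (h[i] == newname) have = 1
            }
            if (found && !have) { $hf = $hf "," newname; changed = 1 }
            print
        }
        END { exit (changed ? 0 : 3) }
    ' "$file" > "$tmp" || status=$?
    # Write back through the original file so its owner and mode are kept
    if [ "$status" -eq 0 ]; then cat "$tmp" > "$file"; fi
    rm -f "$tmp"
    return "$status"
}

# Demo on constructed data: "postie" is the LAN name from the thread;
# router.example.net, the address and the key blob are made-up placeholders.
kh=$(mktemp)
printf '%s\n' 'postie,192.168.1.10 ssh-ed25519 AAAAC3CONSTRUCTEDKEYBLOB' > "$kh"
add_host_alias "$kh" postie '[router.example.net]:2222'
cat "$kh"
rm -f "$kh"
```
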