2

I am struggling with understanding if and how the following is possible.

Say that I have a machine T (target) which I want to access from remote (ideally via ssh).

T is behind a router/firewall R and I cannot forward port (e.g.) 22 of R to port 22 of T. In a word, no direct ssh access to T is possible.

Now say that

  • I have a machine A on which I have full control.

  • I can ssh from T to A, i.e.

      T:  ssh user@A
    

    succeeds.

Q1: can I use this to access shell of T from A? I.e., can I use the connection created from T to A, to use T from A?

   T ---> ssh ----> A          # this is possible               

   T <--- ? shell ? <---- A    # is this possible?

Q2: If Q1 is possible:

Let's say that I have a third machine L (e.g. my laptop), and I aim at having access to the shell of T from L. Can I ssh-tunnel A access to L?

   T ----> ssh ----> A <---- ssh < ---- L

   T <-------  ?? %&£€ ?? <------- L       # is this possible?

any help appreciated.

Acorbe
  • 143
  • Is A publicly reachable? – Eero Aaltonen Mar 27 '14 at 13:00
  • @EeroAaltonen, Yes it is publicly reachable – Acorbe Mar 27 '14 at 13:06
  • See http://unix.stackexchange.com/a/93351/22886 and links in http://unix.stackexchange.com/questions/93349/ssh-connection-into-lan-without-port-forwarding#comment141216_93349. Or, if you can forward any port (not necessarily 22) from the router to your target, you can save yourself the hassle with reverse tunnelling. – peterph Mar 27 '14 at 23:17

2 Answers

1

This is of course possible.

Q1: reverse tunneling over ssh is possible?

Yes. Here are some answers about reverse tunneling:

Q2: tunneling a reverse tunnel is possible?

Yes, this is basically an ssh tunnel over a tunnel. Here are a few answers regarding tunnel into a tunnel:

Ouki
  • 5,962
1

I do this all the time, in the other direction. Firstly establish a reverse SSH tunnel from T to localhost on A, then tunnel from L to the A side of the AT tunnel, then use ssh to connect to the local part of the L-A tunnel, and you'll connect remotely through L-A-T.

In my example A is listening for ssh connections on port 22123.
Locally I use the username user, remotely it's user.name.
I have keys locally called ~/.ssh/A_id_rsa and ~/.ssh/T_id_rsa to connect to the 2 machines A and T respectively as user.name.

Here is a script to connect the T-A tunnel, which should be run on T.

    #!/bin/bash
    # Run on T: opens the reverse tunnel, so that port 2201 on A's loopback leads back to T's sshd on port 22.

    SSH_KEY="-i /home/user.name/.ssh/A_id_rsa"
    REMOTE_USER="user.name"
    GATEWAY_MACHINE="A.domain.com"
    GATEWAY_SSH_PORT="22123"

    # -N: forwarding only, no shell on A. ${SSH_KEY} is deliberately unquoted so it splits into "-i" and the path.
    ssh -N -R2201:127.0.0.1:22 -p ${GATEWAY_SSH_PORT} ${SSH_KEY} ${REMOTE_USER}@${GATEWAY_MACHINE}

Here is a script to connect the L-A tunnel, which should be run on L.

    #!/bin/bash
    # Run on L: forwards local port 2201 to port 2201 on A's loopback, i.e. to the far end of the T-A tunnel.

    SSH_KEY="-i /home/user/.ssh/A_id_rsa"
    REMOTE_USER="user.name"
    GATEWAY_MACHINE="A.domain.com"
    GATEWAY_SSH_PORT="22123"

    # -N: forwarding only, no shell on A.
    ssh -N -L2201:127.0.0.1:2201 -p ${GATEWAY_SSH_PORT} ${SSH_KEY} ${REMOTE_USER}@${GATEWAY_MACHINE}

Then I add the following to my localhost's /etc/hosts file, so I can refer to the local side of the tunnel as T:-

    127.0.0.1          T

Then I have this script, in our example called /usr/local/bin/T to connect to it

    #!/bin/bash
    # Run on L: connects to T through the local end of the L-A tunnel (port 2201 on localhost, aliased as T in /etc/hosts).

    SSH_KEY="-i /home/user/.ssh/T_id_rsa"
    REMOTE_USER="user.name"

    ssh -p 2201 ${SSH_KEY} ${REMOTE_USER}@T

The T-A tunnel is reverse, so -R, the L-A tunnel is local, so -L. The -N in the scripts prevents them from starting a shell to A, so I normally run that, either with a & to run it in the background or press ctrl+Z and run bg to do it, after having entered the password to unlock A_id_rsa if I haven't got it loaded into my keychain already.

sibaz
  • 173
  • If you don't have access to T to start the script all the time, then I suggest you run it as a service, so there is always a tunnel back to T from A on :2201 – sibaz Mar 27 '14 at 16:23
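The following is an added example and not code from either answer. It covers Ouki's "tunnel over a tunnel" (Q2) and sibaz's three scripts in one place, reusing sibaz's names (A.domain.com, port 22123, user.name, loopback port 2201); the key paths and the public key are placeholders. It assumes OpenSSH 7.8 or later on both ends (ProxyJump and permitlisten). The functions only build the command lines and the authorized_keys entry, so the script runs without any network; the last check catches the one configuration mistake that matters most here, a reverse listener on A bound to all interfaces.

```shell
#!/bin/sh
# Added example, not part of any answer on this page. Names follow sibaz's
# answer (A.domain.com, 22123, user.name, 2201); key paths are placeholders.

GATEWAY="A.domain.com"
GATEWAY_PORT="22123"
GATEWAY_USER="user.name"
TUNNEL_PORT="2201"

# Run on T. Same -R tunnel as in the answer, with three additions:
#  - an explicit 127.0.0.1 bind address, so the listener on A is loopback only
#    (also sshd's default unless GatewayPorts is enabled on A);
#  - ExitOnForwardFailure, so ssh exits instead of holding a session whose
#    port 2201 is already taken, which lets a supervisor (the "service" the
#    comment above suggests) restart it;
#  - ServerAlive*, so a dead connection to A is noticed and re-established.
reverse_tunnel_cmd() {
  printf '%s' "ssh -N -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -R 127.0.0.1:${TUNNEL_PORT}:127.0.0.1:22 -p ${GATEWAY_PORT} -i /home/user.name/.ssh/A_id_rsa ${GATEWAY_USER}@${GATEWAY}"
}

# Run on L. Replaces the separate -L tunnel plus the /etc/hosts alias:
# ProxyJump (-J) opens the session through A and connects to 127.0.0.1:2201
# on A, which is the far end of the reverse tunnel, i.e. T's sshd.
jump_cmd() {
  printf '%s' "ssh -J ${GATEWAY_USER}@${GATEWAY}:${GATEWAY_PORT} -p ${TUNNEL_PORT} -i /home/user/.ssh/T_id_rsa ${GATEWAY_USER}@127.0.0.1"
}

# authorized_keys line for T's key on A. 'restrict' disables pty allocation,
# agent/X11 forwarding and all port forwarding; 'port-forwarding' turns
# forwarding back on and 'permitlisten' limits -R requests to port 2201;
# 'command' makes any session request run a no-op instead of a shell.
# Net effect: this key can do nothing on A except open that one listener.
# $1 is the public key (placeholder in the usage below).
authorized_keys_line() {
  printf 'restrict,port-forwarding,permitlisten="%s",command="/bin/false" %s\n' "$TUNNEL_PORT" "$1"
}

# Check that an -R spec does not ask A to bind the listener on all
# interfaces. With a bind address of 0.0.0.0 or * (and GatewayPorts yes on
# A) anyone who can reach A would reach T's sshd.
r_spec_loopback_only() {
  spec=$1
  case "$spec" in
    \[*\]:*:*:*) bind="${spec%%]:*}]" ;;  # [v6addr]:port:host:hostport
    *:*:*:*)     bind="${spec%%:*}" ;;    # bind_address:port:host:hostport
    *)           bind="127.0.0.1" ;;      # port:host:hostport: loopback by default
  esac
  case "$bind" in
    127.0.0.1|localhost|\[::1\]) return 0 ;;
    *) return 1 ;;
  esac
}

# Usage: sh this_script.sh show
if [ "${1:-}" = "show" ]; then
  echo "on T: $(reverse_tunnel_cmd)"
  echo "on L: $(jump_cmd)"
  echo "on A, ~/.ssh/authorized_keys: $(authorized_keys_line 'ssh-ed25519 AAAA...PLACEHOLDER T-tunnel-key')"
fi
```

The split of responsibilities is the point: T needs nothing more than an outbound connection and a key that is useless for anything but the one listener, A never exposes the tunnel beyond its own loopback, and L authenticates to T with T's own key, so compromising A does not by itself give a shell on T.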