Date:      Tue, 5 Oct 2004 15:40:57 -0500 (EST)
From:      John Mills <johnmills@speakeasy.net>
To:        FreeBSD-questions <freebsd-questions@freebsd.org>
Cc:        Benjamin Walkenhorst <krylon@gmx.net>
Subject:   Re: reverse ssh
Message-ID:  <Pine.LNX.4.44.0410051456350.14885-100000@otter.localdomain>
In-Reply-To: <20041005224557.22c6334e@it.buh.tecnik93.com>

Freebies -

On Tue, 5 Oct 2004, Ion-Mihai Tetcu wrote:

> [ please don't lose context ]
 
> On Tue, 05 Oct 2004 19:45:38 +0200
> Benjamin Walkenhorst <krylon@gmx.net> wrote:
 
> > Micah Bushouse wrote:
> >
> > > I have a BSD box (home) sitting on an apartment complex network
> > > (dhcp/nat/firewall) that I don't control. I also have a BSD box (work)
> > > with a static IP sitting on my university's network.
> > > 
> > > Is there a way to open a ssh/other connection before I leave for work in
> > > the morning (from the home box to the work box), then travel to the
> > > university, sit at my desk and use this connection to get a terminal on
> > > my home machine? Is there any software out there that addresses this?
> > > Ideally it would involve ssh.
> > 
> > You could write a script that sends an email to you every morning
> > which contains your IP-address. *Encrypted*, of course!!!
 
> Since his home machine is behind a NAT, what would knowing its
> (private) IP serve?

Look into 'man ssh' and check the '-R' option. I suggest a script be
written to run an 'ssh -R' login from the home box to the office box,
setting up the tunnel for reverse use. You (or !!_CAUTION_!! anyone else
logged into either box) can use the tunnel for whatever connects to it.

I suggest you connect back to your home system's 'sshd' port and then you
will have to satisfy the home box's login authorization to get access
there (at the price of two levels of ssl wrappers, I suppose). The
designated remote port effectively becomes an extension of your local
'sshd' connection port on the office machine. Set the remote machine up
for RSA login from your home machine so you won't have to send the
password from your script.

Make sure the incoming port can get through your home firewall and the
apartment complex's router - that shouldn't be too stringent, as [I
_think_] it will look like 'reply' traffic to both of those filters,
rather than incoming requests. The firewall on your office system will see
them as incoming ssh requests, which I assume you now accept.

DISCLAIMER: I have a static IP at home, and have only done this the other
direction: exporting VNC $DISPLAY sessions from home to the outside world
as pseudo-X11 logins onto the home box. The tunnel is setup by my ssh
login from outside. (I know, I know -- a bit ugly, but it's easy to set
up.) For simplicity I scripted the login as:

sshTunnel:
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
#!/bin/sh
# Usage: sshTunnel <remote_host>   (fill in <local_port> and <remote_port>)
# -C compresses the session, -g lets other hosts reach the forwarded local
# port, -L <local_port>:$1:<remote_port> maps the local port to the remote one.
echo "Connecting port :<local_port> to $1:<remote_port>"
ssh -C -g -L <local_port>:$1:<remote_port> "$1"
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=

You would be using '-R' instead of '-L' of course, and using appropriate 
port definitions.

I invoke my script as:
 $ sshTunnel <remote_host>

The life of the tunnel should be the same as the life of that scripted ssh
login, which may influence what exactly you script.

Whatever I send to <local_port> is wrapped, sent, unwrapped, and passed to
<remote_host>:<remote_port>, and vice-versa.

REFINEMENTS:
 (1) In view of the !!_CAUTION_!! note above, you may want to create a
pair of low-privilege users on the two machines and have the script
connect _them_. The script should run with the home dummy-user's uid. This
should help limit the damage potential from an intruder. (I would call
this: 'making a virtue of necessity'.) You then ssh-connect _locally_ on
the office machine to 'ride' the tunnel back to your home machine as
yourself.
 (2) I bet someone who really understands tunneling could make this work
with only one layer of ssl wrappers, but I'm not that clever.
 
 - John Mills
   john.m.mills@alum.mit.edu



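The '-R' procedure John describes above, together with refinement (1), written out as an added example (this is editor-supplied code, not the script from the post). Everything concrete in it is an assumption: the office hostname office.example.edu, the tunnel account name 'tunnel', port 2222 on the office box, the key path ~/.ssh/id_tunnel, and the authorized_keys options 'restrict' and 'permitlisten', which exist in current OpenSSH (7.2 and 7.8 onward) but not in the sshd of the time of the thread. The script is meant to run on the home box as the low-privilege home user; 'tunnel dry-run' prints the ssh line it would run.

```shell
#!/bin/sh
# Reverse ssh tunnel in the direction the poster asked about: run this on the
# HOME box (behind the apartment NAT); it logs in to the OFFICE box with -R and
# leaves a listener there that leads back to home's own sshd.
# Added example, not code from the original post. Hostnames, account names,
# ports and the key path below are assumed placeholders; override via environment.
set -eu

OFFICE_HOST=${OFFICE_HOST:-office.example.edu}   # assumed: the static-IP box
TUNNEL_USER=${TUNNEL_USER:-tunnel}               # assumed low-privilege account on it
REMOTE_PORT=${REMOTE_PORT:-2222}                 # listener opened on the office box
HOME_SSHD_PORT=${HOME_SSHD_PORT:-22}             # the home box's own sshd
KEY=${KEY:-$HOME/.ssh/id_tunnel}                 # passphrase-less key of the home dummy user

# The -R login.  -N: ask for no remote shell; -n: detach stdin so it can run
# from cron or rc; ExitOnForwardFailure: exit (and get redialled) instead of
# sitting there uselessly if the office port is already taken; ServerAlive*:
# notice a silently dropped NAT mapping and reconnect.  Binding the listener
# to 127.0.0.1 on the office box keeps it off the university network; anyone
# already logged in to the office box can still reach it, hence the caution.
# "tunnel dry-run" prints the command instead of running it.
tunnel() {
    mode=${1:-run}
    set -- ssh -N -n -i "$KEY" \
        -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3 \
        -R "127.0.0.1:$REMOTE_PORT:localhost:$HOME_SSHD_PORT" \
        "$TUNNEL_USER@$OFFICE_HOST"
    if [ "$mode" = dry-run ]; then printf '%s\n' "$*"; else "$@"; fi
}

# authorized_keys line for the tunnel account on the office box: this key may
# open exactly that one listener and nothing else (no shell, pty, agent or X11
# forwarding).  'restrict' needs OpenSSH 7.2+, 'permitlisten' 7.8+ (assumed
# here); on an older sshd fall back to no-pty,no-X11-forwarding,command="/bin/false".
authorized_keys_line() {
    printf 'restrict,port-forwarding,permitlisten="127.0.0.1:%s" %s\n' "$REMOTE_PORT" "$1"
}

# At the office desk: ride the tunnel home as yourself.  This second login is
# authenticated by the HOME box's sshd, which is the "two levels" in the post.
ride_back_cmd() {
    printf 'ssh -p %s %s@localhost\n' "$REMOTE_PORT" "$1"
}

# ssh exits on any network hiccup, so redial until the home box is shut down.
run_tunnel_forever() {
    while :; do
        tunnel || true
        sleep 10
    done
}

# Dial only when asked explicitly ("sh reverse_tunnel.sh run"), so that
# sourcing the file just to use the helpers is harmless.
if [ "${1:-}" = run ]; then
    run_tunnel_forever
fi
```

To set it up: on the home box, as the dummy user, 'ssh-keygen -t ed25519 -N "" -f ~/.ssh/id_tunnel'; append the output of 'authorized_keys_line "$(cat ~/.ssh/id_tunnel.pub)"' to ~tunnel/.ssh/authorized_keys on the office box; start the script with 'run' before leaving in the morning. At the office, the output of 'ride_back_cmd <your_home_login>' is the command you type, and the home box's sshd still asks you to authenticate.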
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.LNX.4.44.0410051456350.14885-100000>