From: John Mills <johnmills@speakeasy.net>
To: FreeBSD-questions <freebsd-questions@freebsd.org>
cc: Ion-Mihai Tetcu, Benjamin Walkenhorst
Subject: Re: reverse ssh
Date: Tue, 5 Oct 2004 15:40:57 -0500 (EST)
In-Reply-To: <20041005224557.22c6334e@it.buh.tecnik93.com>
List-Id: User questions

Freebies -

On Tue, 5 Oct 2004, Ion-Mihai Tetcu wrote:

> [ please don't lose context ]
> On Tue, 05 Oct 2004 19:45:38 +0200
> Benjamin Walkenhorst wrote:
> > Micah Bushouse wrote:
> > >
> > > I have a BSD box (home) sitting on an apartment complex network
> > > (dhcp/nat/firewall) that I don't control. I also have a BSD box (work)
> > > with a static IP sitting on my university's network.
> > >
> > > Is there a way to open a ssh/other connection before I leave for work in
> > > the morning (from the home box to the work box), then travel to the
> > > university, sit at my desk and use this connection to get a terminal on
> > > my home machine? Is there any software out there that addresses this?
> > > Ideally it would involve ssh.
> >
> > You could write a script that sends an email to you every morning
> > which contains your IP-address. *Encrypted*, of course!!!
>
> Since his home machine is behind a NAT, what would knowing its
> (private) IP serve?

Look into 'man ssh' and check the '-R' option.

I suggest a script be written to run an 'ssh -R' login from the home box to
the office box, setting up the tunnel for reverse use. You (or !!_CAUTION_!!
anyone else logged into either box) can use the tunnel for whatever connects
to it. I suggest you connect back to your home system's 'sshd' port and then
you will have to satisfy the home box's login authorization to get access
there (at the price of two levels of ssl wrappers, I suppose). The designated
remote port effectively becomes an extension of your local 'sshd' connection
port on the office machine.

Set the remote machine up for RSA login from your home machine so you won't
have to send the password from your script.

Make sure the incoming port can get through your home firewall and the
apartment complex's router - that shouldn't be too stringent, as [I _think_]
it will look like 'reply' traffic to both of those filters, rather than
incoming requests. The firewall on your office system will see them as
incoming ssh requests, which I assume you now accept.

DISCLAIMER: I have a static IP at home, and have only done this the other
direction: exporting VNC $DISPLAY sessions from home to the outside world as
pseudo-X11 logins onto the home box. The tunnel is set up by my ssh login
from outside. (I know, I know -- a bit ugly, but it's easy to set up.)

For simplicity I scripted the login as:

sshTunnel:
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
#!/bin/sh
echo "Connecting port : to $1:"
ssh -C -g -L $1
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=

You would be using '-R' instead of '-L' of course, and using appropriate port
definitions. I invoke my script as:

$ sshTunnel

The life of the tunnel should be the same as the life of that scripted ssh
login, which may influence what exactly you script. Whatever I send to is
wrapped, sent, unwrapped, and passed to :, and vice-versa.

REFINEMENTS:

(1) In view of the !!_CAUTION_!! note above, you may want to create a pair of
low-privilege users on the two machines and have the script connect _them_.
The script should run with the home dummy-user's uid. This should help limit
the damage potential from an intruder. (I would call this: 'making a virtue
of necessity'.) You then ssh-connect _locally_ on the office machine to
'ride' the tunnel back to your home machine as yourself.

(2) I bet someone who really understands tunneling could make this work with
only one layer of ssl wrappers, but I'm not that clever.

 - John Mills
   john.m.mills@alum.mit.edu
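An added worked example of the 'ssh -R' setup and the low-privilege-user refinement described in the reply above. It is not John's sshTunnel script and not FreeBSD project code; the host name office.example.edu, the user "tunnel", the ports 2222 and 22, and the key path are all assumed placeholders, and the authorized_keys options (restrict, permitlisten) assume OpenSSH 7.8 or later on the office box. The office-side listener is bound to 127.0.0.1 so that only someone already logged into the office box can reach the tunnel, which is the exposure the CAUTION note refers to; the home box's sshd still has to authenticate whoever rides it back.

```sh
#!/bin/sh
# Added example, not the script from the original post.  The home box
# (behind NAT) logs into the office box and asks it to open a listener
# that leads back to the home box's sshd.  Every name, port and path
# below is an assumed placeholder.

OFFICE_HOST="${OFFICE_HOST:-office.example.edu}"   # assumed office box
TUNNEL_USER="${TUNNEL_USER:-tunnel}"               # low-privilege user on the office box
REMOTE_PORT="${REMOTE_PORT:-2222}"                 # listener opened on the office box
HOME_SSH_PORT="${HOME_SSH_PORT:-22}"               # sshd port on the home box
TUNNEL_KEY="${TUNNEL_KEY:-$HOME/.ssh/id_tunnel}"   # key used only for this tunnel

# Accept only a plain TCP port number (1-65535); returns non-zero otherwise.
validate_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# The -R specification.  Binding the office-side end to 127.0.0.1 keeps it
# reachable only from the office box itself (sshd's GatewayPorts would have
# to be changed to widen that, which is exactly what the CAUTION warns about).
forward_spec() {
    printf '127.0.0.1:%s:127.0.0.1:%s\n' "$REMOTE_PORT" "$HOME_SSH_PORT"
}

# authorized_keys line for the tunnel user on the office box (OpenSSH 7.8+).
# "restrict" turns off pty, command execution and agent/X11 forwarding;
# port-forwarding is re-enabled but permitlisten limits it to our one port.
authorized_keys_entry() {
    printf 'restrict,port-forwarding,permitlisten="127.0.0.1:%s" %s\n' \
        "$REMOTE_PORT" "$1"
}

# Keep the tunnel up for as long as this script runs: ssh exits when the
# link dies or the remote listener cannot be bound (ExitOnForwardFailure),
# and the loop re-establishes it.
run_tunnel() {
    validate_port "$REMOTE_PORT" && validate_port "$HOME_SSH_PORT" || {
        echo "bad port configuration" >&2
        return 1
    }
    while :; do
        ssh -N -i "$TUNNEL_KEY" \
            -o BatchMode=yes \
            -o ExitOnForwardFailure=yes \
            -o ServerAliveInterval=30 \
            -o ServerAliveCountMax=3 \
            -R "$(forward_spec)" \
            "$TUNNEL_USER@$OFFICE_HOST"
        sleep 15
    done
}

# Start with "./reverse-tunnel.sh run" on the home box, as the dummy user.
# At the office box, ride the tunnel back as yourself with
#   ssh -p 2222 yourname@127.0.0.1
# which is the second ssh layer the reply mentions.
if [ "${1:-}" = "run" ]; then
    run_tunnel
fi
```

Running authorized_keys_entry with the tunnel key's public half gives the line to install in ~tunnel/.ssh/authorized_keys on the office box; with that entry the tunnel user cannot get a shell or forward anything except the one listener, so an intruder who takes over the home-side dummy account gains no more than the tunnel itself.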