Date: Tue, 05 Oct 2004 23:08:07 -0400
From: Micah Bushouse <bushous2@msu.edu>
To: John Mills <john.m.mills@alum.mit.edu>
Cc: FreeBSD-questions <freebsd-questions@freebsd.org>
Subject: Re: reverse ssh
Message-ID: <1097032086.8587.158.camel@localhost>
In-Reply-To: <Pine.LNX.4.44.0410051456350.14885-100000@otter.localdomain>
References: <Pine.LNX.4.44.0410051456350.14885-100000@otter.localdomain>
On Tue, 2004-10-05 at 16:40, John Mills wrote:
> Freebies -
>
> On Tue, 5 Oct 2004, Ion-Mihai Tetcu wrote:
>
> > [ please don't lose context ]
> >
> > On Tue, 05 Oct 2004 19:45:38 +0200
> > Benjamin Walkenhorst <krylon@gmx.net> wrote:
> >
> > > Micah Bushouse wrote:
> > >
> > > > I have a BSD box (home) sitting on an apartment complex network
> > > > (dhcp/nat/firewall) that I don't control. I also have a BSD box (work)
> > > > with a static IP sitting on my university's network.
> > > >
> > > > Is there a way to open a ssh/other connection before I leave for work in
> > > > the morning (from the home box to the work box), then travel to the
> > > > university, sit at my desk and use this connection to get a terminal on
> > > > my home machine? Is there any software out there that addresses this?
> > > > Ideally it would involve ssh.
> > >
> > > You could write a script that sends an email to you every morning
> > > which contains your IP-address. *Encrypted*, of course!!!
> >
> > Since his home machine is behind a NAT, what would knowing its
> > (private) IP serve?
>
> Look into 'man ssh' and check the '-R' option. I suggest a script be
> written to run an 'ssh -R' login from the home box to the office box,
> setting up the tunnel for reverse use. You (or !!_CAUTION_!! anyone else
> logged into either box) can use the tunnel for whatever connects to it.
>
> I suggest you connect back to your home system's 'sshd' port and then you
> will have to satisfy the home box's login authorization to get access
> there (at the price of two levels of ssl wrappers, I suppose). The
> designated remote port effectively becomes an extension of your local
> 'sshd' connection port on the office machine. Set the remote machine up
> for RSA login from your home machine so you won't have to send the
> password from your script.
>
> Make sure the incoming port can get through your home firewall and the
> apartment complex's router - that shouldn't be too stringent, as [I
> _think_] it will look like 'reply' traffic to both of those filters,
> rather than incoming requests. The firewall on your office system will see
> them as incoming ssh requests, which I assume you now accept.
>
> DISCLAIMER: I have a static IP at home, and have only done this the other
> direction: exporting VNC $DISPLAY sessions from home to the outside world
> as pseudo-X11 logins onto the home box. The tunnel is set up by my ssh
> login from outside. (I know, I know -- a bit ugly, but it's easy to set
> up.) For simplicity I scripted the login as:
>
> sshTunnel:
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
> #!/bin/sh
> echo "Connecting port :<local_port> to $1:<remote_port>"
> ssh -C -g -L <local_port>:$1:<remote_port> $1

From home, I used:

    ssh -C -g -R 2222:127.0.0.1:22 <university-static-ip>

Then I made a separate ssh session into the school BSD box and executed
this on the school box:

    ssh -p 2222 127.0.0.1

After supplying credentials I had a terminal back at my apartment. Port
2222 is filtered to be only available to lo0. Thing of beauty.

Excellent help... Thanks!

~Micah

> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
>
> You would be using '-R' instead of '-L' of course, and using appropriate
> port definitions.
>
> I invoke my script as:
> $ sshTunnel <remote_host>
>
> The life of the tunnel should be the same as the life of that scripted ssh
> login, which may influence what exactly you script.
>
> Whatever I send to <local_port> is wrapped, sent, unwrapped, and passed to
> <remote_host>:<remote_port>, and vice-versa.
>
> REFINEMENTS:
> (1) In view of the !!_CAUTION_!! note above, you may want to create a
> pair of low-privilege users on the two machines and have the script
> connect _them_. The script should run with the home dummy-user's uid. This
> should help limit the damage potential from an intruder. (I would call
> this: 'making a virtue of necessity'.) You then ssh-connect _locally_ on
> the office machine to 'ride' the tunnel back to your home machine as
> yourself.
> (2) I bet someone who really understands tunneling could make this work
> with only one layer of ssl wrappers, but I'm not that clever.
>
> - John Mills
> john.m.mills@alum.mit.edu
>
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
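A hardened form of the home-to-office reverse tunnel that John and Micah describe, written here as an added example rather than code from the thread. It applies John's refinement (1) (a dedicated low-privilege user, key-only login) and Micah's lo0-only listener, plus a check for the office box that the port really is confined to loopback; the host name, user name, key path and the OpenSSH authorized_keys options (which postdate this thread) are assumptions.

```sh
#!/bin/sh
# Added example, not code from the thread: John's reverse tunnel with his
# refinements applied (low-privilege tunnel user, key-only login, office-side
# listener on lo0 only). Host, user and key names are assumed placeholders.

OFFICE_HOST="${OFFICE_HOST:-office.example.edu}"   # office box with the static IP
TUNNEL_USER="${TUNNEL_USER:-tunnel}"               # low-privilege account on the office box
REMOTE_PORT="${REMOTE_PORT:-2222}"                 # office-side listener (lo0 only)
KEY="${KEY:-$HOME/.ssh/id_tunnel}"                 # key used for nothing but this tunnel

# Command run from the home box. -N opens no shell; binding -R to 127.0.0.1 (and
# omitting -g) keeps the listener off public interfaces; keepalives kill a dead tunnel.
tunnel_cmd() {
    printf 'ssh -N -C -i %s -o BatchMode=yes -o ExitOnForwardFailure=yes' "$KEY"
    printf ' -o ServerAliveInterval=30 -o ServerAliveCountMax=3'
    printf ' -R 127.0.0.1:%s:127.0.0.1:22 %s@%s' "$REMOTE_PORT" "$TUNNEL_USER" "$OFFICE_HOST"
}

# authorized_keys entry for the tunnel user on the office box: this key may open
# the one reverse listener and nothing else (restrict/permitlisten: OpenSSH 7.8+).
authorized_keys_line() {
    printf 'restrict,port-forwarding,permitlisten="127.0.0.1:%s" %s\n' "$REMOTE_PORT" "$1"
}

# True when a sockstat(1) LOCAL ADDRESS field is bound to loopback only.
loopback_only() {
    case "$1" in
        127.0.0.1:*|\[::1\]:*|::1:*) return 0 ;;
        *) return 1 ;;
    esac
}

# On the office box: `sockstat -l | exposed_listeners` prints any listener on
# REMOTE_PORT reachable beyond lo0 and returns 1 if one exists.
exposed_listeners() {
    bad=0
    while read -r _user _cmd _pid _fd _proto laddr _rest; do
        case "$laddr" in
            *:"$REMOTE_PORT") loopback_only "$laddr" || { printf '%s\n' "$laddr"; bad=1; } ;;
        esac
    done
    return "$bad"
}

# Constructed sockstat -4l samples: bound correctly, and bound everywhere (as -g would do).
sample_sockstat_ok()  { printf 'tunnel sshd 812 5 tcp4 127.0.0.1:%s *:*\nroot sshd 500 4 tcp4 *:22 *:*\n' "$REMOTE_PORT"; }
sample_sockstat_bad() { printf 'tunnel sshd 812 5 tcp4 *:%s *:*\n' "$REMOTE_PORT"; }

if [ "${1:-}" = "run" ]; then exec $(tunnel_cmd); fi
```

Invoke the script with `run` from the home box's tunnel account; from the office box, `ssh -p 2222 127.0.0.1` rides the tunnel back exactly as Micah did.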