From: Micah Bushouse
To: John Mills
cc: Benjamin Walkenhorst
cc: FreeBSD-questions
Subject: Re: reverse ssh
Date: Tue, 05 Oct 2004 23:08:07 -0400

On Tue, 2004-10-05 at 16:40, John Mills wrote:
> Freebies -
>
> On Tue, 5 Oct 2004, Ion-Mihai Tetcu wrote:
>
> > [ please don't lose context ]
>
> > On Tue, 05 Oct 2004 19:45:38 +0200
> > Benjamin Walkenhorst wrote:
>
> > > Micah Bushouse wrote:
> > >
> > > > I have a BSD box (home) sitting on an apartment complex network
> > > > (dhcp/nat/firewall) that I don't control. I also have a BSD box (work)
> > > > with a static IP sitting on my university's network.
> > > >
> > > > Is there a way to open a ssh/other connection before I leave for work in
> > > > the morning (from the home box to the work box), then travel to the
> > > > university, sit at my desk and use this connection to get a terminal on
> > > > my home machine?
> > > > Is there any software out there that addresses this?
> > > > Ideally it would involve ssh.
> > >
> > > You could write a script that sends an email to you every morning
> > > which contains your IP-address. *Encrypted*, of course!!!
> >
> > Since his home machine is behind a NAT at what would knowing its
> > (private) ip serve?
>
> Look into 'man ssh' and check the '-R' option. I suggest a script be
> written to run an 'ssh -R' login from the home box to the office box,
> setting up the tunnel for reverse use. You (or !!_CAUTION_!! anyone else
> logged into either box) can use the tunnel for whatever connects to it.
>
> I suggest you connect back to your home system's 'sshd' port and then you
> will have to satisfy the home box's login authorization to get access
> there (at the price of two levels of ssl wrappers, I suppose). The
> designated remote port effectively becomes an extension of your local
> 'sshd' connection port on the office machine. Set the remote machine up
> for RSA login from your home machine so you won't have to send the
> password from your script.
>
> Make sure the incoming port can get through your home firewall and the
> apartment complex's router - that shouldn't be too stringent, as [I
> _think_] it will look like 'reply' traffic to both of those filters,
> rather than incoming requests. The firewall on your office system will see
> them as incoming ssh requests, which I assume you now accept.
>
> DISCLAIMER: I have a static IP at home, and have only done this the other
> direction: exporting VNC $DISPLAY sessions from home to the outside world
> as pseudo-X11 logins onto the home box. The tunnel is set up by my ssh
> login from outside. (I know, I know -- a bit ugly, but it's easy to set
> up.)
> For simplicity I scripted the login as:
>
> sshTunnel:
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
> #!/bin/sh
> echo "Connecting port : to $1:"
> ssh -C -g -L $1

From home, I used:
> ssh -C -g -R 2222:127.0.0.1:22
Then I made a separate ssh session into the school BSD box and executed
this on the school box:
> ssh -p 2222 127.0.0.1
After supplying credentials I had a terminal back at my apartment.
Port 2222 is filtered to be only available to lo0.

Thing of beauty. Excellent help... Thanks!

~Micah

> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
>
> You would be using '-R' instead of '-L' of course, and using appropriate
> port definitions.
>
> I invoke my script as:
> $ sshTunnel
>
> The life of the tunnel should be the same as the life of that scripted ssh
> login, which may influence what exactly you script.
>
> Whatever I send to is wrapped, sent, unwrapped, and passed to
> :, and vice-versa.
>
> REFINEMENTS:
> (1) In view of the !!_CAUTION_!! note above, you may want to create a
> pair of low-privilege users on the two machines and have the script
> connect _them_. The script should run with the home dummy-user's uid. This
> should help limit the damage potential from an intruder. (I would call
> this: 'making a virtue of necessity'.) You then ssh-connect _locally_ on
> the office machine to 'ride' the tunnel back to your home machine as
> yourself.
> (2) I bet someone who really understands tunneling could make this work
> with only one layer of ssl wrappers, but I'm not that clever.
>
> - John Mills
> john.m.mills@alum.mit.edu
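The reverse tunnel Micah set up (ssh -R 2222:127.0.0.1:22 to the office box), with the options John's !!_CAUTION_!! note and refinement (1) point at, as an added example that is not code from anyone in this thread. It assumes the placeholder host office.example.org and a hypothetical low-privilege account tunneluser, and the sockstat output it checks is constructed inline.

```sh
#!/bin/sh
# Added example, not from the thread. Builds the home-side ssh command for
# the reverse tunnel and checks, on the office side, that the forwarded port
# is listened on via loopback only (Micah's "filtered to be only available
# to lo0"). office.example.org and tunneluser are placeholders.

# Build the ssh command line run on the home box.
#   $1 = office host, $2 = port to open on the office box, $3 = home sshd port
# -N: open the forward only, no remote shell for the tunnel account.
# ExitOnForwardFailure=yes: exit non-zero if $2 is already bound, so a
#   supervisor (cron, daemon(8)) retries instead of keeping a dead link.
# ServerAliveInterval/CountMax: notice a NAT-dropped session and exit.
# Binding the -R side to 127.0.0.1 keeps the listener off external
#   interfaces even if the office sshd sets GatewayPorts yes.
reverse_tunnel_cmd() {
    printf 'ssh -N -C -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -R 127.0.0.1:%s:127.0.0.1:%s tunneluser@%s' "$2" "$3" "$1"
}

# On the office box: confirm from `sockstat -4 -l` output that PORT is
# listened on only via 127.0.0.1 (field 6 is LOCAL ADDRESS).
# Exit status: 0 loopback only, 1 bound on some other address, 2 not listening.
#   $1 = port, $2 = sockstat output
port_is_loopback_only() {
    printf '%s\n' "$2" | awk -v port="$1" '
        $6 ~ (":" port "$") { found++; if ($6 !~ /^127\.0\.0\.1:/) bad++ }
        END { if (!found) exit 2; exit (bad ? 1 : 0) }'
}

# Constructed sample outputs, not captured from a real machine.
GOOD_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
tunnelus sshd       1234  5  tcp4   127.0.0.1:2222        *:*
root     sshd       812   4  tcp4   *:22                  *:*'
BAD_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
tunnelus sshd       1234  5  tcp4   *:2222                *:*
root     sshd       812   4  tcp4   *:22                  *:*'

reverse_tunnel_cmd office.example.org 2222 22; echo
for sample in GOOD_SOCKSTAT BAD_SOCKSTAT; do
    eval "out=\$$sample"
    st=0; port_is_loopback_only 2222 "$out" || st=$?
    case $st in
        0) echo "$sample: port 2222 is loopback only" ;;
        1) echo "$sample: port 2222 is bound on a non-loopback address" ;;
        *) echo "$sample: nothing is listening on port 2222" ;;
    esac
done
```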