From owner-freebsd-questions@FreeBSD.ORG Tue Sep 14 10:30:25 2004
From: Matthew Seaman
To: Mark Ovens
Cc: freebsd-questions@freebsd.org
Date: Tue, 14 Sep 2004 11:30:16 +0100
Subject: Re: Quick and simple ssh(1) question
Message-ID: <20040914103016.GD43574@happy-idiot-talk.infracaninophile.co.uk>
In-Reply-To: <41462708.3090405@freebsd.org>
References: <41460E03.8020408@freebsd.org> <41462266.9000404@mac.com> <41462708.3090405@freebsd.org>
User-Agent: Mutt/1.4.2.1i

On Tue, Sep 14, 2004 at 12:02:32AM +0100, Mark Ovens wrote:
> Chuck Swiger wrote:
> >Mark Ovens wrote:
> >>Is it correct that you can't ssh(1) between two machines on the same LAN
> >>(using NAT) _via the Internet?_
> >>
> >>Strange question I know, but I need to be able to access one of my
> >>machines, postie, remotely. I've got sshd(8) running and can ssh(1) to
> >>it from a local machine using its local hostname. However, since I only
> >>have a single 'net connection here I tried to test connecting remotely
> >>by ssh(1)'ing to my router's 'net-facing hostname but I get
> >>
> >> ssh: connect to host port 22: Connection refused
> >>
> >>Port 22 is forwarded to postie on the router.
> >
> >Given time and sufficient determination, you ought to be able to make this
> >work, but it's a real pain--
> 
> [snip detailed info]
> 
> I think that answers my question - it won't work the way I'm trying it.
> As I said, this was just an attempt to test connecting from outside;
> guess I'll have to wait until I get to work tomorrow and try it from
> there (which is where I really want to connect from), it's just that if
> it doesn't work I'll have to wait until I get home to change things - a
> bit of a pain.

Note that with ssh(1), not only do you have to set up all of the port
forwarding and so forth as you would do with any protocol, but you also
have to worry about the SSH host keys.  SSH gets extremely narked and
refuses to connect (for very good reason) if the hostname/IP number of
the machine it's connecting to doesn't match the host keys presented to
it.  This can be overcome by editing /etc/ssh/known_hosts or
~/.ssh/known_hosts to associate host keys and hostnames as required.

One other alternative you might find more flexible: instead of using NAT
to do the port forwarding, you can use ssh itself.  This does have the
advantage that you can both ssh into your NAT box and hence into your
private machines.  Use the '-L' ssh tunnelling option -- ie. you first
ssh into your NAT server where you run:

    ssh -L 2222:otherhost:22

Then when you ssh to port 2222 on your NAT box you should get forwarded
to port 22

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK
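As an added example (not part of the thread, and not Matthew's or OpenSSH's code), the following Python script reproduces the known_hosts behaviour the reply describes: the same sshd reached under two names gives a "host key changed" refusal until the second name is associated with the right key, and a port reached through `ssh -L 2222:...` is recorded as `[host]:port`. It follows the known_hosts format documented in sshd(8): plain hostnames for port 22, `[host]:port` for other ports, and hashed entries of the form `|1|base64(salt)|base64(HMAC-SHA1(salt, host))`. The hostnames `postie`, `router.example` and `localhost:2222`, the salt and both "keys" are constructed placeholders, not real keys.

```python
"""Check a client's known_hosts against the host key a server presents.

Added example; assumptions: constructed hostnames, placeholder keys, fixed salt.
"""
import base64
import hashlib
import hmac

# Constructed placeholder key strings (not real public keys).
KEY_POSTIE = "AAAAC3NzaC1lZDI1NTE5AAAAIPOSTIE-PLACEHOLDER-KEY"
KEY_ROUTER = "AAAAC3NzaC1lZDI1NTE5AAAAIROUTER-PLACEHOLDER-KEY"
SALT = bytes(range(20))  # constructed; ssh uses a random 20-byte salt per entry


def host_token(host, port=22):
    """known_hosts stores 'host' for port 22 and '[host]:port' for any other port."""
    return host if port == 22 else "[%s]:%d" % (host, port)


def hash_host(token, salt):
    """Hashed entry as written with HashKnownHosts: |1|b64(salt)|b64(HMAC-SHA1(salt, token))."""
    mac = hmac.new(salt, token.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def pattern_matches(pattern, token):
    """Match one comma-separated hostname pattern (plain or hashed) against a token."""
    if pattern.startswith("|1|"):
        _, _, salt_b64, _ = pattern.split("|", 3)
        return hash_host(token, base64.b64decode(salt_b64)) == pattern
    return pattern == token


def parse_known_hosts(text):
    """Return a list of (patterns, keytype, key) tuples; comments and blanks skipped."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith("#"):
            continue
        entries.append((fields[0].split(","), fields[1], fields[2]))
    return entries


def check_host_key(entries, host, port, keytype, key):
    """'ok' if a stored key matches, 'mismatch' if only a different key of the
    same type is stored (the case ssh refuses with a loud warning), else 'unknown'."""
    token = host_token(host, port)
    changed = False
    for patterns, ktype, stored in entries:
        if ktype != keytype or not any(pattern_matches(p, token) for p in patterns):
            continue
        if hmac.compare_digest(stored, key):
            return "ok"
        changed = True
    return "mismatch" if changed else "unknown"


def replace_host_key(entries, host, port, keytype, key):
    """Re-associate a hostname with a key: drop the name from conflicting
    same-type entries (keeping their other names) and add a fresh entry."""
    token = host_token(host, port)
    kept = []
    for patterns, ktype, stored in entries:
        if ktype == keytype and any(pattern_matches(p, token) for p in patterns):
            remaining = [p for p in patterns if not pattern_matches(p, token)]
            if remaining:
                kept.append((remaining, ktype, stored))
            continue
        kept.append((patterns, ktype, stored))
    kept.append(([token], keytype, key))
    return kept


# Constructed sample ~/.ssh/known_hosts: postie seen directly, the router's own
# sshd seen before port 22 was forwarded, and an ssh -L 2222:postie:22 tunnel.
KNOWN_HOSTS = "\n".join([
    "# constructed sample",
    "postie ssh-ed25519 " + KEY_POSTIE,
    "router.example ssh-ed25519 " + KEY_ROUTER,
    hash_host(host_token("localhost", 2222), SALT) + " ssh-ed25519 " + KEY_POSTIE,
])


def demo():
    entries = parse_known_hosts(KNOWN_HOSTS)
    results = {
        "direct": check_host_key(entries, "postie", 22, "ssh-ed25519", KEY_POSTIE),
        # Port 22 on the router now lands on postie, but the stored key is the router's.
        "via_router_before": check_host_key(entries, "router.example", 22, "ssh-ed25519", KEY_POSTIE),
        "tunnel": check_host_key(entries, "localhost", 2222, "ssh-ed25519", KEY_POSTIE),
    }
    fixed = replace_host_key(entries, "router.example", 22, "ssh-ed25519", KEY_POSTIE)
    results["via_router_after"] = check_host_key(fixed, "router.example", 22, "ssh-ed25519", KEY_POSTIE)
    results["stranger"] = check_host_key(fixed, "unknown.example", 22, "ssh-ed25519", KEY_POSTIE)
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print("%-18s %s" % (name, verdict))
```

The "via_router_before" case is the refusal the reply warns about: the router's public name is already bound to the router's own key, so postie's key arriving on that name looks like a changed host. Editing the entry (here `replace_host_key`) is the manual fix the reply suggests; the hashed `[localhost]:2222` entry shows why a forwarded port does not collide with the port-22 entry for the same name.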