From owner-freebsd-questions@FreeBSD.ORG  Tue Sep 14 10:30:25 2004
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP
	id A6F9F16A4D0; Tue, 14 Sep 2004 10:30:25 +0000 (GMT)
Received: from smtp.infracaninophile.co.uk (smtp.infracaninophile.co.uk
	[81.2.69.218])	by mx1.FreeBSD.org (Postfix) with ESMTP
	id 4FBCA43D45; Tue, 14 Sep 2004 10:30:21 +0000 (GMT)
	(envelope-from m.seaman@infracaninophile.co.uk)
Received: from happy-idiot-talk.infracaninophile.co.uk (localhost [IPv6:::1])
	i8EAUGxn044721
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO);
	Tue, 14 Sep 2004 11:30:16 +0100 (BST)
	(envelope-from matthew@happy-idiot-talk.infracaninophile.co.uk)
Received: (from matthew@localhost)i8EAUGsf044720;
	Tue, 14 Sep 2004 11:30:16 +0100 (BST)	(envelope-from matthew)
Date: Tue, 14 Sep 2004 11:30:16 +0100
From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
To: Mark Ovens <marko@freebsd.org>
Message-ID: <20040914103016.GD43574@happy-idiot-talk.infracaninophile.co.uk>
Mail-Followup-To: Matthew Seaman <m.seaman@infracaninophile.co.uk>,
	Mark Ovens <marko@freebsd.org>, freebsd-questions@freebsd.org
References: <41460E03.8020408@freebsd.org> <41462266.9000404@mac.com>
	<41462708.3090405@freebsd.org>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
	protocol="application/pgp-signature"; boundary="3Gf/FFewwPeBMqCJ"
Content-Disposition: inline
In-Reply-To: <41462708.3090405@freebsd.org>
User-Agent: Mutt/1.4.2.1i
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-1.5.6
	(smtp.infracaninophile.co.uk [IPv6:::1]); Tue, 14 Sep 2004 11:30:16 +0100
	(BST)
X-Virus-Scanned: clamd / ClamAV version devel-20040904, clamav-milter version
	0.75l	on smtp.infracaninophile.co.uk
X-Virus-Status: Clean
X-Spam-Status: No, hits=-4.8 required=5.0 tests=AWL,BAYES_00 autolearn=ham 
	version=2.64
X-Spam-Checker-Version: SpamAssassin 2.64 (2004-01-11) on 
	happy-idiot-talk.infracaninophile.co.uk
cc: freebsd-questions@freebsd.org
Subject: Re: Quick and simple ssh(1) question
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: User questions <freebsd-questions.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>,
	<mailto:freebsd-questions-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions>
List-Post: <mailto:freebsd-questions@freebsd.org>
List-Help: <mailto:freebsd-questions-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>,
	<mailto:freebsd-questions-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Sep 2004 10:30:25 -0000


--3Gf/FFewwPeBMqCJ
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Tue, Sep 14, 2004 at 12:02:32AM +0100, Mark Ovens wrote:
> Chuck Swiger wrote:
> >Mark Ovens wrote:
> >>Is it correct that you can't ssh(1) between two machines on the same LA=
N=20
> >>(using NAT) _via the Internet?_
> >>
> >>Strange question I know, but I need to be able to access one of my=20
> >>machines, postie, remotely. I've got sshd(8) running and can ssh(1) to=
=20
> >>it from a local machine using it's local hostname. However, since I onl=
y=20
> >>have a single 'net connection here I tried to test connecting remotely=
=20
> >>by ssh(1)'ing to my router's 'net-facing hostname but I get
> >>
> >>  ssh: connect to host <router_hostname> port 22: Connection refused
> >>
> >>Port 22 is forwarded to postie on the router.
> >
> >Given time and sufficient determination, you ought to be able to make th=
is=20
> >work, but it's a real pain--
>=20
> [snip detailed info]
>=20
> I think that answers my question - it won't work the way I'm trying it.=
=20
> As I said, this was just an attempt to test connecting from outside;=20
> guess I'll have to wait until I get to work tomorrow and try it from=20
> there (which is where I really want to connect from), it's just that if=
=20
> it doesn't work I'll have to wait until I get home to change things - a=
=20
> bit of a pain.

Note that with ssh(1), not only do you have to set up all of the port
forarding and so forth as you would do with any protocol, but you also
have to worry about the SSH host keys.  SSH gets extremely narked and
refuses to connect (for very good reason) if the hostname/IP number of
the machine it's connecting to doesn't match the host keys presented
to it.  This can be overcome by editing /etc/ssh/known_hosts or
~/.ssh/known_hosts to associate host keys and hostnames as required.

One other alternative you might find more flexible: instead of using
NAT to do the port forwarding, you can use ssh itself.  This does have
the advantage that you can both ssh into your NAT box and hence into
your private machines.  Use the '-L' ssh tunnelling option -- ie. you
first ssh into your NAT server where you run:

    ssh -L 2222:otherhost:22

Then when you ssh to port 2222 on your NAT box you should get
forwarded to port 22=20

	Cheers,

	Matthew

--=20
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK

--3Gf/FFewwPeBMqCJ
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (FreeBSD)

iD8DBQFBRsg4iD657aJF7eIRAvtRAKCUfpK2L806H2K+E9wjlPGu6i4xyQCdGwKh
mXxGVgTfUEzo9aYa70h5iL0=
=b2/3
-----END PGP SIGNATURE-----

--3Gf/FFewwPeBMqCJ--