On Mon, Oct 27, 2008 at 15:37:38 +0100, Jelle de Jong wrote:
> Hello everybody,
>
> I have been trying to create some ssh tunneling commands that would allow
> me to create an ssh session to a machine behind a firewall/nat from a
> machine behind a firewall/nat but with a public server in between. I
> have spent a day trying to figure things out but without success. So I
> wanted to ask for some help to get the right command...
[...]
> question: how can admin0 and admin1 get an ssh session with user0 to
> provide remote support?
>
> what are the exact ssh commands and their sequences for user0, admin0
> and admin1?
>
> +----------------+      +----------+      +--------------+      +----------+
> | user0          |------| firewall |------| internet www |------| firewall |
> | ip: unknown    |      +----------+      +--------------+      +----------+
> | ssh access to: |                               |                   |
> | server0        |                         +----------+   +---------------------+
> +----------------+                         | firewall |   | server0             |
>                                            +----------+   | ip: 84.245.3.195    |
> +----------------+                               |        | provided access to: |
> | admin0         |-------------------------------+        | user0               |
> | ip: unknown    |                                        | admin0              |
> | ssh access to: |                                        | admin1              |
> | server0        |                                        +---------------------+
> +----------------+                                                   |
>                                                                      |
> +----------------+                                                   |
> | admin1         |---------------------------------------------------+
> | ip: unknown    |
> | ssh access to: |
> | server0        |
> +----------------+
>
> All systems are using Debian Linux sid or lenny, and no firewall can be
> changed so only outgoing connections are allowed with exception of the
> firewall of server0

I think this has to be done using remote port forwarding on user0 to break
through the firewall:

ssh -N -R 22222:localhost:22 server0

If you run this command on user0 then an ssh connection is established that
forwards port 22222 on server0 to port 22 on user0. Obviously, this means
that you have to set up user0 in such a way that a user with access to that
computer can initiate the support session by running that command, or you
use a cron job, or you configure it as a permanent connection that is
established whenever user0 boots up. (Note that the administrator of user0's
firewall might notice what you are doing and he/she might not like that you
poke a permanent hole into the firewall.)
With the port forward via ssh in place, it should be possible to ssh into
server0 from admin0 or admin1 and once you have your shell on server0, you
run

ssh -p 22222 localhost

which will establish an ssh session to port 22222 of server0, meaning that
you connect via the ssh tunnel to port 22 of user0 (which I assume is the
port on which user0's ssh server listens). I am not entirely sure if I have
all the syntax correct, though.

It may be possible to simplify the two-step ssh chain admin0/1 -> server0
-> user0 by using ProxyCommand with netcat, see "man ssh_config".

--
Regards,          | http://users.icfo.es/Florian.Kulzer
        Florian   |
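The setup Florian describes, written out as ~/.ssh/config fragments for both ends. This is an added example, not part of the thread or of any Debian package: the hostnames server0-tunnel and user0-via-server0, the account names support-tunnel, admin and user0, the key file ~/.ssh/id_tunnel and the HostKeyAlias are assumptions; the forwarded port 22222 and the address 84.245.3.195 come from the thread. It uses ProxyJump, the OpenSSH 7.3+ built-in replacement for the ProxyCommand-with-netcat route the reply mentions, with the older ProxyCommand forms left in as comments.

```sshconfig
# Added example, not from the thread. Assumed names: server0-tunnel,
# user0-via-server0, the accounts support-tunnel / admin / user0 and the
# key ~/.ssh/id_tunnel. Port 22222 and 84.245.3.195 are from the thread.
# ssh_config accepts comments only on their own lines, never after a value.

# ---- ~/.ssh/config on user0 (the machine behind its own NAT) ----
# Run:  ssh -N server0-tunnel
# Same as:  ssh -N -R 22222:localhost:22 server0
Host server0-tunnel
    HostName 84.245.3.195
    # Dedicated low-privilege account on server0 that exists only to
    # hold the tunnel (assumed name).
    User support-tunnel
    IdentityFile ~/.ssh/id_tunnel
    IdentitiesOnly yes
    # Bind explicitly on server0's loopback. sshd's default
    # "GatewayPorts no" forces this anyway, so the forwarded port is
    # never reachable from the internet, only from a shell on server0.
    RemoteForward 127.0.0.1:22222 localhost:22
    # Exit instead of silently running without the forward (for example
    # when 22222 is already taken on server0), and detect a dead tunnel
    # so a cron job or service manager can restart it.
    ExitOnForwardFailure yes
    ServerAliveInterval 30
    ServerAliveCountMax 3

# ---- ~/.ssh/config on admin0 and admin1 ----
# Run:  ssh user0-via-server0
# Collapses the two-step chain admin -> server0 -> user0 into one command.
Host server0
    HostName 84.245.3.195
    # Assumed account name on server0.
    User admin

Host user0-via-server0
    # Resolved on server0, i.e. server0's loopback, where the reverse
    # forward from user0 is listening.
    HostName 127.0.0.1
    Port 22222
    # Assumed account name on user0.
    User user0
    ProxyJump server0
    # Pin the known_hosts entry to a stable name, so user0's host key is
    # not stored under "[127.0.0.1]:22222" and confused with any other
    # tunnel that happens to use the same local port.
    HostKeyAlias user0
    # Pre-7.3 OpenSSH equivalents of ProxyJump. "-W" needs OpenSSH 5.4+;
    # older versions use netcat, as the reply suggests.
    # ProxyCommand ssh -W %h:%p server0
    # ProxyCommand ssh server0 nc %h %p
```

Two points worth checking on server0 when this goes into production. First, the admins still authenticate to user0's own sshd at the far end of the tunnel, so the tunnel grants reachability only, not access; user0's usual key or password policy keeps applying. Second, the key user0 uses to hold the tunnel should be able to do nothing else: in the support-tunnel account's ~/.ssh/authorized_keys prefix it with `restrict,port-forwarding` (OpenSSH 7.2+), which disables shell, pty, agent and X11 forwarding and re-enables only port forwarding, and on OpenSSH 7.8+ add `permitlisten="localhost:22222"` so that key can open only this one remote forward. The `-N` on user0's side then matches the server-side restriction exactly: no command is requested, and none would be allowed.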