[kwlug-disc] ssh and port forwarding

Rashkae rashkae at tigershaunt.com
Mon Dec 15 14:05:13 EST 2008

Robert P. J. Day wrote:
>   i have the following scenario:
>   host1  <---------->  host2  <--------->  host3
>   (ME)
> i want to be able to do the following from host1:
>   1) ssh directly and normally to host2 (trivial)
>   2) using host2 as a gateway, ssh from host1 to get to host3
> from the perspective of host1, host2 will be visible (through a
> corporate VPN, but still visible).  host3, on the other hand, will be
> "hiding" behind host2 on a totally different and internal network, so
> i have to use someone else as a gateway -- direct ssh from host1 to
> host3 is out of the question.
>   assume the normal stuff: that host1 has an ssh client, and both
> host2 and host3 are running an ssh server of some kind (probably
> dropbear, actually), and that the ssh server on host2 is set up to do
> port forwarding.
>   i've seen two solutions (local and remote forwarding) that involves
> doing all the work on host1 but i'd rather not do that -- i'd rather
> keep life on host1 simple, and centralize the forwarding configuration
> at host2.  so, as i read it, the direct ssh from host1 to host2 will
> still work fine, but what do i do at host2?
>   since host2 *will* be running dropbear, as i read, first, on host2,
> i'll invoke:
>    # dropbear -a
> so that dropbear is running in port forwarding mode.
>   in addition, on host2, i'll have to run:
>   # dbclient -L 1234:localhost:22 host3
> does that make sense?  so i can ssh from host1 to host2 normally, but
> if i want to sh from host1 to host3, i'll invoke:
>   $ ssh host2 1234
> which will get me to host2, which will then forward me on to port 22
> on host3.  am i on the right path here?  thanks.

Not sure about dbclient command, but I think you are on the *way* wrong

If you somehow configure ssh to Listen on port 1234 and forward that to
host3:22, ssh will dutifully forward all incoming connections on port
1234, not ssh connections.

If you want to connect host1 to host 3 through ssh, you do it through
the ssh client on host 1

You could, in theory, port forward from host1 to host2, and then use ssh
 to forward that port to host 3.  That would only be useful if the
intent was to encrypt the traffic between host 2 and host 3, (otherwise,
the packets would be in the clear between those 2).  That doesn't in any
way simplify the command needed from the client.

ssh -L locahost:1234:localhost:1234 host2


dbclient -L localhost:1234:localhost:22 host3

Be warned that anyone else with access to host2 would then be able to
forward traffic to host3.

However, if you don't need to encrypt between host2 and host3, then:

ssh -L localhost:1234:host3:22 will get you where you want to go.

There is no way to do this without touching options on host1.  After
all, host1 needs to be told to listen to port 1234, otherwise, none of
this works.

More information about the kwlug-disc mailing list