[kwlug-disc] ssh and port forwarding

Mon Dec 15 14:45:01 EST 2008

Robert P. J. Day wrote:
> On Mon, 15 Dec 2008, Rashkae wrote:
> 
>> Rashkae wrote:
>>> Robert P. J. Day wrote:
>>>>   i have the following scenario:
>>>>
>>>>   host1  <---------->  host2  <--------->  host3
>>>>   (ME)
>>>>
>>>> i want to be able to do the following from host1:
>>>>
>>>>   1) ssh directly and normally to host2 (trivial)
>>>>   2) using host2 as a gateway, ssh from host1 to get to host3
>>>>
>>>> from the perspective of host1, host2 will be visible (through a
>>>> corporate VPN, but still visible).  host3, on the other hand, will be
>>>> "hiding" behind host2 on a totally different and internal network, so
>>>> i have to use someone else as a gateway -- direct ssh from host1 to
>>>> host3 is out of the question.
>>>>
>>>>   assume the normal stuff: that host1 has an ssh client, and both
>>>> host2 and host3 are running an ssh server of some kind (probably
>>>> dropbear, actually), and that the ssh server on host2 is set up to do
>>>> port forwarding.
>>>>
>>>>   i've seen two solutions (local and remote forwarding) that involves
>>>> doing all the work on host1 but i'd rather not do that -- i'd rather
>>>> keep life on host1 simple, and centralize the forwarding configuration
>>>> at host2.  so, as i read it, the direct ssh from host1 to host2 will
>>>> still work fine, but what do i do at host2?
>>>>
>>>>   since host2 *will* be running dropbear, as i read, first, on host2,
>>>> i'll invoke:
>>>>
>>>>    # dropbear -a
>>>>
>>>> so that dropbear is running in port forwarding mode.
>>>>
>>>>   in addition, on host2, i'll have to run:
>>>>
>>>>   # dbclient -L 1234:localhost:22 host3
>>>>
>>>> does that make sense?  so i can ssh from host1 to host2 normally, but
>>>> if i want to sh from host1 to host3, i'll invoke:
>>>>
>>>>   $ ssh host2 1234
>>>>
>>>> which will get me to host2, which will then forward me on to port 22
>>>> on host3.  am i on the right path here?  thanks.
>>>>
>> After typing all of that previous message, I just realized what you are
>> trying to do.. (duh moment for the day), and yes, you are absolutely
>> correct.  You can just ignore everything I wrote earlier.
> 
>   good, i was suddenly really worried.  actually, i tried the above
> and it appears to work.  go figure.
> 

There was no reason my commands wouldn't work, they were just a bit
unnecessary :)  (For some reason, I was overlooking that you were
forwarding an ssh connection, and not something cleartext.)

It might be worth mentioning that the way I outlined in my first e-mail
is the only way to go if you want host3 ssh to not be visible to the
internet, in case passwords are enabled and you aren't certain something
like test:test or root:password will never crop up.  (Although, being on
port 1234 should insulate you from most drive-by login attempts anyhow)