[kwlug-disc] Using SSH to authenticate

unsolicited unsolicited at swiz.ca
Sat Mar 13 19:26:32 EST 2010


You will always need a second console. You are opening a session on 
RelayHost, through which you then get relayed when you ssh localhost 
(to RemoteHost). You have two distinct tunnel sets. (If you call the 
'unused' tunnel between you and RemoteHost a tunnel.)

The only way to do it in one command would be to have the ssh to 
RelayHost specify an initial command of ssh to RemoteHost - you'd be 
prompted for the RelayHost password, then immediately prompted for the 
RemoteHost password. If all you want is a console, this is perfectly 
viable. Except Paul said RelayHost is flaky.

OTOH, doing this would create a viable start to RemoteHost tunnelling 
to LocalHost (via an invocation of ssh LocalHost, background) - 
LocalHost picks up the phone, the direct tunnel is established. The 
first ssh could then be unwound leaving the background tunnel in place 
and other connections closed.

The tunnel from RemoteHost to LocalHost would drop when the last 
connection is dropped by LocalHost.

It would be easier, and probably just as safe, to open a port on the 
firewall directly to RemoteHost, and use certificates (key files).

An advantage of that scenario is you could dynamically map ports. i.e. 
While in ssh, ~ to get to an ssh prompt and add another L/R port 
mapping. If RemoteHost calls LocalHost in background, I don't think 
you can ~ to an ssh prompt. OTOH, you could then ssh back through the 
port, which Raul probably does, but things get even stranger, faster.


Richard Weait wrote, On 03/13/2010 6:45 PM:
> Thought I'd fill out the example a little more because this Just Isn't
> Intuitive To Me. I've tested this now and it Works For Me.
> 
> # set up the tunnel without privileged users
> # the tunnel is from HomeHost port 2222 to TargetHost port 22
> # we assume RelayHost is listening on 22, otherwise add -p RelayHostPortNum
> 
> ssh -L 2222:TargetHost:22 RelayUser@RelayHost
> 
> # response is prompt for RelayUser password:
> # this terminal will offer a prompt on RelayHost.
> # leave this connection open
> 
> # open another terminal on _HomeHost_
> # ssh to your side of the tunnel
> 
> ssh localhost -p 2222
> 
> # this terminal will prompt for "localhost" password
> # but the tunnel means that localhost:2222 is actually
> # TargetHost:22. Reply with TargetHost password.
> 
> There must be an option to open the tunnel in the background that
> removes the requirement for a second console but I'll leave that as a
> pro tip for somebody else.
> 
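The background option Richard asks about, done as a single-console procedure, plus the "add another mapping later" point raised above. This is an added example, not code from either message; it keeps the thread's placeholder names (RelayUser@RelayHost, TargetHost:22, port 2222 on HomeHost) and assumes a TargetUser and a control-socket path. It also adds a check the thread does not mention: the listener on 2222 does no authentication of its own, so the script refuses to bind it to anything but loopback.

```sh
#!/bin/sh
# Added example, not code from the thread. RelayUser@RelayHost is the hop,
# TargetHost:22 the real destination, 2222 a free port on HomeHost.
# TargetUser and SOCK are assumptions.
SOCK="${HOME}/.ssh/relay-ctl.sock"

# check_forward SPEC
# Validate a -L spec of the form [bind:]lport:host:hport and print it with
# the bind address filled in. Fails unless the listener is loopback-only:
# binding it to 0.0.0.0, * or a LAN address hands anyone on the LAN a path
# to TargetHost:22 through RelayUser's session. Bracketed IPv6 binds are
# not handled here.
check_forward() {
    oldifs=$IFS
    IFS=:
    set -f
    set -- $1
    set +f
    IFS=$oldifs
    case $# in
        3) bind=127.0.0.1 lport=$1 host=$2 hport=$3 ;;
        4) bind=$1 lport=$2 host=$3 hport=$4 ;;
        *) echo "check_forward: want [bind:]lport:host:hport" >&2; return 1 ;;
    esac
    case $bind in
        127.0.0.1|localhost) ;;
        *) echo "check_forward: refusing non-loopback bind '$bind'" >&2; return 1 ;;
    esac
    for p in "$lport" "$hport"; do
        case $p in
            ''|*[!0-9]*) echo "check_forward: bad port '$p'" >&2; return 1 ;;
        esac
        if [ "$p" -lt 1 ] || [ "$p" -gt 65535 ]; then
            echo "check_forward: port $p out of range" >&2; return 1
        fi
    done
    [ -n "$host" ] || { echo "check_forward: empty host" >&2; return 1; }
    echo "$bind:$lport:$host:$hport"
}

# tunnel_up SPEC RELAY
# One command, one console: -f backgrounds ssh after authentication, -N
# runs no remote shell, ExitOnForwardFailure turns "2222 already in use"
# into a non-zero exit instead of a session that silently has no tunnel,
# and -M -S creates a control socket so the tunnel can be extended and
# torn down later.
tunnel_up() {
    spec=$(check_forward "$1") || return 1
    ssh -f -N -M -S "$SOCK" -o ExitOnForwardFailure=yes -L "$spec" "$2"
}

# tunnel_ssh LPORT TARGETUSER TARGETHOST
# Log in through the listener. The host key offered on localhost:LPORT is
# TargetHost's, so HostKeyAlias checks it against TargetHost's known_hosts
# entry rather than a "localhost" entry that mismatches the next time the
# port points somewhere else.
tunnel_ssh() {
    ssh -p "$1" -o HostKeyAlias="$3" "$2@localhost"
}

# tunnel_add SPEC RELAY
# With -N there is no tty and no ~C prompt; add a mapping via the socket.
tunnel_add() {
    spec=$(check_forward "$1") || return 1
    ssh -S "$SOCK" -O forward -L "$spec" "$2"
}

# tunnel_down RELAY : close the master, which drops every forward with it.
tunnel_down() { ssh -S "$SOCK" -O exit "$1"; }

# Only act when asked, so sourcing or testing the file has no side effects.
case ${1-} in
    up)   tunnel_up 2222:TargetHost:22 RelayUser@RelayHost ;;
    ssh)  tunnel_ssh 2222 TargetUser TargetHost ;;
    down) tunnel_down RelayUser@RelayHost ;;
esac
```

Run it as "sh tunnel.sh up", then "sh tunnel.sh ssh" in the same terminal, and "sh tunnel.sh down" when finished. For the pure "just give me a console on TargetHost" case discussed at the top of the message, newer OpenSSH (7.3 and later, well after this thread) does the relay-then-target hop in one command with "ssh -J RelayUser@RelayHost TargetUser@TargetHost", which leaves no listener behind at all.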
