By Bri Hatch.
Summary: Often you'll have firewalls or other network equipment that doesn't allow direct SSH access to machines behind it. Using a bit of trickery, you can get through without seemingly jumping through any hoops.
Last time I showed you a trick to seamlessly SSH 'through' firewalls or other devices that don't allow direct SSH access to the machines behind them, by 'bouncing' off that device. It requires that you have SSH access to the intermediate host, and what happens is that you set up your

    nc -w 1 target_host 22
My goal was to be able to be at a command prompt and type
Many people pointed out that I could have first established an SSH connection to the intermediate host with an SSH forward set up, and then
So, let's optimise and secure our setup. Right now, you need to have shell access to the middle-man machine, and the ability to run any command you want. Plus, you either need to type the password for it, or you need to have key-based trust enabled.
What I'd prefer is that you can execute the
So let's take a look at my
    $ grep ncssh $HOME/.ssh/authorized_keys
    command="/home/bri/bin/ncssh" ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAp8r5qo11NpKSRig6nDXpxgDl2AAkc92HXhorRo0ubgvNpnVbUiXquSZ8VdPMiShOuTe1bcjQgIrFuFIASLMa2UMk21msyv9FDG59FCZ4Efr8zTXl1y+vG1TgwynenwiMDekPqcz/Z0kJbrWjIF0PIpSVdm3aqGSMOgQ7Pm1X87iz2nV1uQV4hMt06= ncssh-proxy-key
You'll note the
    #!/usr/bin/perl
    #
    # ncssh
    #
    # Server-side program to allow clients to run ncssh-proxy
    # or simply 'ssh ... nc -w 1 ipaddr 22' and 'bounce' off
    # this host.
    #
    # BUGS:
    #   Only allows IP addresses.  If that annoys you,
    #   change $IPADDR pattern below.
    #
    #   Ditto for the destination port.
    #
    # Copyright 2003,2004 Bri Hatch
This program is very simple -- it takes the original command (supplied by the
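To show what such a forced command has to check, here is an added shell version written for this article's setup (it is not Bri's Perl ncssh, whose body is not reproduced above). sshd runs the command= program in place of whatever the client asked for and exposes the client's request in the SSH_ORIGINAL_COMMAND environment variable; the script execs nc only when that request is exactly "nc -w 1 <dotted-quad> <SSHPORT>". The IP-only and fixed-port rules follow the script's own BUGS note; the is_ipv4 helper and the "refused" message are my assumptions.

```shell
#!/bin/sh
# Added example: a forced-command filter in the spirit of ncssh (not Bri's
# Perl script). sshd invokes this via command="..." in authorized_keys and
# puts the client's requested command in SSH_ORIGINAL_COMMAND; we exec nc
# only if that request is exactly "nc -w 1 <dotted-quad IPv4> <SSHPORT>".

SSHPORT=22    # port the target machines' sshd listens on; adjust as needed

# is_ipv4 ADDR: succeed only for a dotted quad whose octets are 0-255.
is_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# ncssh_target CMD: print the destination IP and succeed if CMD is exactly
# "nc -w 1 <ip> <SSHPORT>"; print nothing and fail on anything else
# (extra words, shell metacharacters, other ports, hostnames).
ncssh_target() {
    set -f                 # no globbing while the request is word-split
    set -- $1
    set +f
    [ $# -eq 5 ] || return 1
    [ "$1" = nc ] && [ "$2" = -w ] && [ "$3" = 1 ] && [ "$5" = "$SSHPORT" ] || return 1
    is_ipv4 "$4" || return 1
    printf '%s\n' "$4"
}

# Entry point when sshd runs us as the forced command for the proxy key.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    ip=$(ncssh_target "$SSH_ORIGINAL_COMMAND") || {
        printf 'ncssh: refused: %s\n' "$SSH_ORIGINAL_COMMAND" >&2
        exit 1
    }
    exec nc -w 1 "$ip" "$SSHPORT"
fi
```

Pair the command= option with no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding on the same authorized_keys line so the proxy key cannot be used for anything but this bounce.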
    $ head $HOME/.ssh/config
    Host machine1
        Hostname machine1
        HostKeyAlias machine1
        IdentityFile /path/to/ncssh-proxy-key
        ProxyCommand netcat-proxy-command firewall.my_network.com 192.168.1.1

    Host machine2
        Hostname machine2
        HostKeyAlias machine2
        IdentityFile /path/to/ncssh-proxy-key
        ProxyCommand netcat-proxy-command firewall.my_network.com 192.168.1.2
    ...
(This configuration uses the netcat-proxy-command script shown last time.)
So, using this system, you have the following situation:
All told, a paranoid and yet functional solution.
Next time we'll do one more enhancement - make it possible to have any user on the client machine get access to the Identity/PubKey that's necessary to bounce off the middleman. This will allow anyone to log into this machine, and without setting up any keys or configuration, log into the target machines transparently.
My response to the LocalForward Solution
It's possible to use an SSH
    $ ssh -f intermediatehost -L 9999:destinationhost:22 sleep +1d
    $ ssh localhost -p 9999
This is a completely legitimate way to do it. The first command logs into intermediatehost, and sets up a
What's the problem with using the forwarding method? Well, it requires that you run the tunnel command first, or set up a daemon to keep it running all the time. You don't get the benefit of simplicity: running one command that contains all the setup that's necessary.
Want a free copy of Hacking Linux Exposed, Third Edition?
HLEv3 doesn't exist yet. We haven't written it. But it's time to get started. Do you have anything new you'd like to see covered in more detail, or removed entirely? Anything new and interesting you'd like to see?
If you have ideas you'd like to share, email me. I'll send out a copy of the book, once it's down in dead-tree format, to one lucky person picked at random from the useful suggestions.
 Simple, and well commented, I hope.
 I had a few folks complain that I should not assume your SSH server runs on port 22, so please change the $SSHPORT value in the script as appropriate.
 Send me email directly at firstname.lastname@example.org, don't reply to this mailing list.
Bri Hatch is Chief Hacker at Onsight, Inc and author of Hacking Linux Exposed and Building Linux VPNs. He's simply too tired to write anything interesting down here right now. Bri can be reached at email@example.com.
Copyright Bri Hatch, 2004
This is the September 23, 2004 issue of the Linux Security: Tips, Tricks, and Hackery newsletter. If you wish to subscribe, visit http://lists.onsight.com/ or send email to Linux_Securityfirstname.lastname@example.org.