HowTo: Create a Reverse SSH Tunnel
Written by Steve Lake
Posted on: Jun 20, 2008 at 01:06pm

There are times in your life when you may find yourself needing to access some files on
your office computer from home, but unable to because your company employs a firewall to
protect its network from hackers. Since a snowball has a better chance of surviving in
hell than you do of getting your network administrator to open a port in the firewall so
you can SSH into your work computer from home, you're going to need to come up with
another way to get access to your machine. This is where a Reverse SSH Tunnel will come
in handy. The command to do this is extremely simple. From your work computer, type the
following:

ssh -l username -nNT -R 1100:172.16.42.80:22 12.24.79.186

That's it. Just replace each of the highlighted items (username, 1100, 172.16.42.80:22
and 12.24.79.186) with the appropriate local values and you're all set. Now, before I
leave you totally confused as to what each of these does, let me break this down so you
understand it better.

Username - Obviously this is your non-root user at home. So if you log in to your BSD or
Linux box with the username "bobwhite", you'd replace "username" above with "bobwhite".

1100: - This will be the local port on your home computer you will connect to. I'll
explain more about how to use this later. But you'll want to make sure it's a port other
than the one you have SSH listening on. SSH normally listens on port 22, but if you've
moved it to, say, port 300, then you won't want this port to be 300. 1100 is a pretty
good number, so you can be sure not to step on the toes of any other services running.

172.16.42.80:22 - This is the IP address and local port on your work computer. So if your
work computer has the IP address of 172.16.42.80, then you'd enter that there. Or, for
example, if your IP was 10.0.23.56, you'd use that instead. Now as a side note, you can
use your work computer as a middleman for connecting to another machine inside the
firewall rather than your own. By changing the IP and port number to the ones used by the
machine you'd rather connect to, you will be able to ssh into that other machine from
home without first having to stop at your own machine. The kicker is, if you want to get
into your machine later on, you'll either need to restart the ssh session on your work
computer, or ssh back to it from the machine you got forwarded to.

12.24.79.186 - This will be the IP address of your workstation or server at home you're
connecting into.

Well, that's pretty much it. There are two additional options you'll need to use if
you're A) connecting to your machine at home through a port other than 22, and/or B)
using an SSH static public/private key. To do either of these, you'll need to add the
following options to your ssh command line:

-p 300 - The "-p" tells SSH that you want to specify a port. 300 is of course an example
of whatever your home ssh server listens on.

-i id_dsa - The "-i" option tells SSH that you want to use an "identity" file (aka a
public/private keypair) to connect to the remote server rather than an automatically
generated one. This is important if you've set up your sshd_config file similar to the
configuration shown here.

Once the connection is established from your work computer, you should be able to connect
from home anytime you want. Just remember two things. The first is to consider using
AutoSSH to keep the connection alive in case it should drop, and the second is that
you've technically just opened a hole through the firewall and into your network for the
world to exploit. Now the likelihood of someone exploiting it is very slim to none, but
there's still that chance, so don't get all willy-nilly with it when you use it. Only use
it on nights when you expect to have a need to connect to your machine, and shut it off
during the day while you're at work.
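
The hole through the firewall mentioned above is visible on the work machine as an ssh process carrying a -R argument, made of the same fields broken down earlier. As an added example (not part of the original article), this shell helper reads ps-style lines and reports each reverse forward; the function names and sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: find reverse forwards (-R) in ssh command lines.
# Not handled: bracketed IPv6, clustered -NTR, value options not listed below.
# parse_reverse_forward "<ssh command line>": prints a summary, returns 1 if no -R.
parse_reverse_forward() {
    spec="" server="" prev=""
    set -f                                  # keep a "*" bind address literal
    for arg in $1; do
        case "$prev" in
            -R) spec=$arg; prev=""; continue ;;
            -l|-p|-i|-o|-L|-D|-F) prev=""; continue ;;   # value of an option
        esac
        case "$arg" in
            -R?*) spec=${arg#-R} ;;         # attached form: -R1100:host:22
            -R|-l|-p|-i|-o|-L|-D|-F) prev=$arg ;;
            -*|ssh|*/ssh) ;;                # flag cluster (-nNT) or the binary
            *) if [ -z "$server" ]; then server=$arg; fi ;;
        esac
    done
    set +f
    case "$spec" in
        *:*:*:*) bind=${spec%%:*}; rest=${spec#*:} ;;   # bind:port:host:port
        *:*:*)   bind=default; rest=$spec ;;            # port:host:port
        *) return 1 ;;
    esac
    case "$bind" in
        default|localhost|127.0.0.1) exposure=loopback ;;
        ""|"*") exposure=all-interfaces ;;  # needs GatewayPorts on the server
        *) exposure=named-address ;;
    esac
    printf 'server=%s bind=%s listen=%s target=%s exposure=%s\n' \
        "$server" "$bind" "${rest%%:*}" "${rest#*:}" "$exposure"
}

# audit_ps: read "PID COMMAND" lines on stdin, report each reverse forward.
audit_ps() {
    while read -r pid cmd; do
        case "$cmd" in ssh\ *|*/ssh\ *) ;; *) continue ;; esac
        if out=$(parse_reverse_forward "$cmd"); then
            printf 'pid=%s %s\n' "$pid" "$out"
        fi
    done
}

# Constructed sample in `ps -eo pid,args` layout (not from a real host).
SAMPLE='2101 ssh -l username -nNT -R 1100:172.16.42.80:22 12.24.79.186
2140 ssh -p 300 -i id_dsa -l username -nNT -R *:1100:172.16.42.80:22 12.24.79.186
2190 vim notes.txt'
printf '%s\n' "$SAMPLE" | audit_ps
```

With no bind address in the -R argument, the listener on the home machine is bound to its loopback interface only, which is what "exposure=loopback" reports.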

Also, another note of interest. When you start the session, you'll need to do one of
three things: leave the console window open with the session running; run the command
followed by an & sign so the process is separated from the console and you can do other
things while it's running (you'll still need to keep the console window open when you're
done or it'll kill the session); or start a screen session, start this process in there,
and then detach the screen session to leave it running.

And one other thing: when the command starts, you won't get any feedback that it's
running. At most you'll be asked for your passkey for your public key file, or your login
credentials. After that it will act like a hung process that's not doing anything, but
actually it's fine. To test your tunnel, just open a second console window and ssh to
your home computer. Once in, ssh to localhost and port 1100 (or whatever port you chose)
and log in to your work computer. If you did it right, you should now find yourself
ssh'ed into your work PC.

From home, all you'll need to do is ssh either to localhost (if you're on the same
machine your work PC is ssh'ed into) or to the IP of the machine you connected to from
work, on the port you specified, and you will be able to log in to your machine at work.
It's just that simple. You're essentially riding an existing ssh session backwards to
your computer at work. Well, that's it. I hope you find this useful, and if you have any
questions, please ask in the forums.