RE: SSH Tunneling without console login
From: Joseph Spenner (joseph85750_at_yahoo.com)
Date: Fri, 25 Nov 2005 17:29:26 -0800 (PST)
To: Jesse <email@example.com>, firstname.lastname@example.org
Another approach is to make the target system account
not have a standard shell. Instead, the target system
has a script that simply says/loops through a print
statement upon connection:
"You are connected to the system. Hit ctrl-c to close
Perhaps a sleep 30, then print again (for keepAlive
So, in your target system you'd set up a special
account just for this purpose. The entry in your
/etc/passwd might be something like:
You can also get clever in your authorized_keys so
that the client can only make specific port redirects.
--- Jesse <email@example.com> wrote:
> My problem is this:
> I'm using the remote forwarding command on PC1. (So that a port on PC2 is
> forwarded to a port on PC1.) Remote forwarding works fine, but unwanted is
> that the command will also login onto PC2. Unwanted because PC1 is not fully
> under my control (but PC2 is), so people on PC1 can find out about how to
> log into PC2 by looking at PC1 and get a shell
> At the moment I fixed this using Bitvise WinSSHD (Win32 SSH server
> software). This program has an option called "Permit terminal shell: No".
> Using this will cause the command to authenticate, but after that it will
> not give a shell prompt, only a black screen.
> So using that account of WinSSHD, people will be able to authenticate, but will
> not be able to login in the shell.
> But when using an account of OpenSSH, people will also be able to login in
> the shell, which is unwanted. I only need SSH tunneling, but not SSH shell
> Of course I can use WinSSHD, but I'm looking for a solution using OpenSSH.
> -----Original Message-----
> From: Thorsten Peter [mailto:firstname.lastname@example.org]
> Sent: Friday, 25 November 2005 18:22
> To: Jesse
> CC: email@example.com
> Subject: Re: SSH Tunneling without console login
> well you won't be able to open ssh tunnels, no matter what without
> logging in to the server. that's the way it works.
> i am not sure what your point is. maybe you wanna try what i do for
> tunneling purposes, i login to the remote server with the following command:
> ssh -fN user@remotehost -L localport:targetip:targetport (in your case
> -R for remote forwarding)
> -f forces ssh to go into background.
> -N makes it stop executing other commands (for tunneling purposes only)
> so what it does, it logs in to your remote server, as a background
> process. you can then just leave it running, log out of your local
> shell, or do whatever you want. but still you DO login to the remote
> console. just that you don't have the ssh login running as a foreground
> Jesse wrote:
> > Question:
> > Is it possible to use remote port forwarding (tunneling) without having to
> > login on the console?
> > Situation:
> > I have a server (PC1) which is running a SSH service behind a firewall. I
> > NOT have any control over the firewall, but I do want to access the SSH
> > service of PC1 from PC2 over the Internet.
> > Solution for the situation:
> > I'm using the following command on PC1 to let PC1 make a SSH-tunnel to PC2
> > ssh -R 4000:localhost:22 account@PC2
> > And I have installed a SSH service on PC2 to make tunneling possible.
> > Same question in detail:
> > When I use the command above, it will make the tunnel, but I will also
> > PC1 login on the console of PC2. That last step is something I do not
> > PC1 should only make the tunnel to PC2, but should NOT login on the
> > of PC2.
> > Is this possible?
> > -Jesse
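The authorized_keys restriction mentioned in the reply above, as an added example that is not part of the original thread: a shell audit that flags keys on the tunnel account which would still allow a terminal, an arbitrary command, or a remote forward on any port. The key blobs are constructed placeholders, `/usr/local/bin/tunnel-banner` is a hypothetical path standing for the keep-alive script, and the option names are those of current OpenSSH `sshd(8)`.

```shell
#!/bin/sh
# Added example (not from the thread): flag authorized_keys entries that are
# not limited to tunnelling. Option names are from current OpenSSH sshd(8).

# Constructed sample; key blobs are placeholders and the banner script path
# is hypothetical (it stands for the keep-alive script described above).
sample_keys() {
cat <<'EOF'
# tunnel account on PC2
ssh-ed25519 AAAAC3placeholder1 pc1-unrestricted
no-pty,command="echo tunnel only" ssh-ed25519 AAAAC3placeholder2 pc1-partial
restrict,port-forwarding,permitlisten="localhost:4000",command="/usr/local/bin/tunnel-banner" ssh-ed25519 AAAAC3placeholder3 pc1-tunnel
command="echo restrict,no-pty" ssh-rsa AAAAB3placeholder4 pc1-tricky
EOF
}

# $1 = authorized_keys path. Prints "line N: findings" for each weak entry.
audit_tunnel_keys() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }            # skip comments and blank lines
    {
        sub(/^[ \t]+/, ""); bare = ""; inq = 0
        if ($1 !~ /^(ssh-|ecdsa-|sk-)/) {        # first token is not a key type: options
            for (i = 1; i <= length($0); i++) {
                c = substr($0, i, 1)
                if (inq && c == "\\") { i++; continue }      # escaped char in a value
                if (c == "\"") { inq = !inq; bare = bare c; continue }
                if (inq) continue                            # drop quoted values
                if (c == " " || c == "\t") break             # end of options field
                bare = bare c
            }
        }
        o = "," tolower(bare) ","; why = ""
        restricted = (o ~ /,restrict,/)
        fwd = (o !~ /,no-port-forwarding,/) && (!restricted || o ~ /,port-forwarding,/)
        if (!restricted && o !~ /,no-pty,/) why = why " pty-allowed"
        if (o !~ /,command=/)               why = why " no-forced-command"
        if (fwd && o !~ /,permitlisten=/)   why = why " remote-forward-unrestricted"
        if (why != "") printf "line %d:%s\n", NR, why
    }' "$1"
}

# Stand-alone run against the constructed sample.
tmp=$(mktemp) && sample_keys > "$tmp" && audit_tunnel_keys "$tmp"; rm -f "$tmp"
```

The audit reads only the key file: an entry flagged `no-forced-command` can still be tunnel-only when the account's login shell is itself a restricted script, and the client on PC1 would connect with `ssh -N -R 4000:localhost:22 account@PC2` so that no session is requested.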