Re: Reverse SSH tunnelling

From: Abe (abe_at_abeowitz.com)
Date: 08/27/04

  • Next message: L0stm4n: "Re: Reverse SSH tunelling"
    Date: Thu, 26 Aug 2004 22:12:17 -0700
    To: Raistlin Majere <raistlin@majere.net>
    Raist,

    I had a similar problem. I solved it by setting a flag file in a
    central location that all the remote boxes could see.

    1) Copy the appropriate SSH public keys across to your central admin
    box. Add them to ~/.ssh/authorized_keys or authorized_keys2 files.
    Make sure the remote client can connect to you without a password.

    2) On a central FTP or HTTP site, set up a flag file. Mine is a simple
    flag.html and contains a 0 or a 1.

    3) For each client, write a cron script using wget or another tool to
    automatically check either for the existence of this file, or specific
    content. If the flag is set, then bring up a ssh connection. In
    addition to grabbing a remote port, issue a sleep command. This will
    keep the window of opportunity open.

    Here's my cron script:
    --------------------------------------------------------------
    #!/bin/sh

    # DELETE OLD FLAG FILE (-f so a missing file does not abort the script)
    rm -f /root/.ssh/flag.html

    # GET NEW FLAG FILE
    http_proxy=ncache.entp.attws.com:8080 /usr/local/bin/wget \
        -q http://206.x.y.z/flag.html -O /root/.ssh/flag.html

    # READ THE FLAG; A MISSING OR EMPTY FILE COUNTS AS "0"
    FLAG=0
    if [ -s /root/.ssh/flag.html ]
    then
        read FLAG < /root/.ssh/flag.html
    fi

    # IF FLAG FILE CONTAINS "1" THEN SETUP SSH CONNECTION, OTHERWISE EXIT
    if [ "$FLAG" = 1 ]
    then
        # -R: listen on port 2222 on the admin box, forward it back to this host's sshd
        # -n -f: no stdin, go to background; "sleep 60" keeps the tunnel up for a minute
        exec /usr/bin/ssh -nfg -R 2222:127.0.0.1:22 -lroot 206.x.y.z \
            -o keepalive=yes sleep 60
    fi
    -----------------------------------------------------------

    The -R 2222:127.0.0.1:22 is what does the reverse trick. We grab port
    2222 on the REMOTE machine and forward it to localhost:22.

    4) When you want to connect to a specific machine, set the flag file.
    The remote cron will detect the flag and grab a port on your machine (2222).

    5) Now you need to ssh to localhost port 2222, and end up on the remote
    machine. You can add other ports to forward, too. The only problem
    I've seen is ssh will be confused with ssh to localhost if you've
    already ssh'd to it before. Simply remove it from your known_hosts file
    or use 127.0.0.1.

    6) When done, make sure you change the flag file back. Otherwise,
    frequent ssh setup & teardowns will attract the attention of the
    security folk...

    I'd love to hear of a more elegant solution, maybe using ping or port
    knocking. I did it this way so an hourly ssh session wouldn't raise
    flags with the security guys, as well as getting through the firewall.
    Ftp/Http is a little more subtle.

    -Abe
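Step 1 above hands the remote boxes a passwordless root key on the admin box. The following is an added example, not part of Abe's post: it builds the authorized_keys line for that key so the key can only open the one remote forward the cron script needs and run the forced `sleep`. It assumes OpenSSH 7.8 or later (for the `restrict` and `permitlisten` options); the function name `restricted_entry` and the sample key are mine.

```shell
#!/bin/sh
# Added example (not from the original post): emit an authorized_keys entry
# for the central admin box that confines the cron client's key to
# one remote forward (-R <port>) plus a forced "sleep 60".
# Assumes OpenSSH >= 7.8 for the "restrict" and "permitlisten" options.

# restricted_entry PUBKEY_FILE PORT
# Prints the authorized_keys line, or returns 1 if the key or port looks wrong.
restricted_entry() {
    pubkey_file=$1
    port=$2
    # read returns 1 on a final line without newline; accept it if we got a key type
    read -r ktype kdata kcomment < "$pubkey_file" || [ -n "$ktype" ] || return 1
    case "$ktype" in
        ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256) ;;
        *) echo "unsupported key type: $ktype" >&2; return 1 ;;
    esac
    case "$kdata" in
        ""|*[!A-Za-z0-9+/=]*) echo "key data is not base64" >&2; return 1 ;;
    esac
    case "$port" in
        ""|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;;
    esac
    # restrict: no pty, no agent/X11 forwarding, no user rc, no forwarding
    # port-forwarding: re-enable forwarding; permitlisten: only this -R port
    # command=: whatever the client asks to run is replaced by "sleep 60"
    printf 'restrict,port-forwarding,permitlisten="%s",command="sleep 60" %s %s%s\n' \
        "$port" "$ktype" "$kdata" "${kcomment:+ $kcomment}"
}

# Usage: sh thisscript.sh /path/to/id_ed25519.pub 2222 >> ~/.ssh/authorized_keys
if [ "$#" -ge 1 ]; then
    restricted_entry "$1" "${2:-2222}"
fi
```

The resulting entry still lets the client reach the admin box's sshd, so pair it with a dedicated non-root account rather than the `-lroot` login in the script.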