Re: Reverse SSH tunnelling

From: Abe (
Date: 08/27/04

    Date: Thu, 26 Aug 2004 22:12:17 -0700
    To: Raistlin Majere <>


    I had a similar problem. I solved it by setting a flag file in a
    central location that all the remote boxes could see.

    1) Copy the appropriate SSH public keys across to your central admin
    box. Add them to ~/.ssh/authorized_keys or authorized_keys2 files.
    Make sure the remote client can connect to you without a password.

    2) On a central FTP or HTTP site, set up a flag file. Mine is a simple
    flag.html and contains a 0 or a 1.

    3) For each client, write a cron script using wget or another tool to
    automatically check either for the existence of this file, or specific
    content. If the flag is set, then bring up an ssh connection. In
    addition to grabbing a remote port, issue a sleep command. This will
    keep the window of opportunity open.

    Here's my cron script:

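    #!/bin/sh
    # Remove the old flag so a failed download is not read as a set flag
    rm -f /root/.ssh/flag.html

    # GET NEW FLAG FILE
    /usr/local/bin/wget -q http://206.x.y.z/flag.html \
        -O /root/.ssh/flag.html

    # The flag file holds a single 0 or 1
    read FLAG < /root/.ssh/flag.html

    # Flag set: bind port 2222 on 206.x.y.z, forward it to localhost:22
    # on this box, and hold the tunnel open with a 60 second remote sleep
    if test "$FLAG" = 1
    then
        exec /usr/bin/ssh -nfg -R 2222:localhost:22 -lroot 206.x.y.z \
            -o keepalive=yes sleep 60
    fi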


    The -R 2222: is what does the reverse trick. We grab port
    2222 on the REMOTE machine and forward it to localhost:22

    4) When you want to connect to a specific machine, set the flag file.
    The remote cron will detect the flag and grab a port on your machine (2222).

    5) Now you need to ssh to localhost port 2222, and end up on the remote
    machine. You can add other ports to forward, too. The only problem
    I've seen is ssh will be confused with ssh to localhost if you've
    already ssh'd to it before. Simply remove it from your known_hosts file
    or use

    6) When done, make sure you change the flag file back. Otherwise,
    frequent ssh setup & teardowns will attract the attention of the
    security folk...

    I'd love to hear of a more elegant solution, maybe using ping or port
    knocking. I did it this way so an hourly ssh session wouldn't raise
    flags with the security guys, as well as getting through the firewall.
    Ftp/Http is a little more subtle.
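
The password-less key from step 1 gives every remote box a full root login on the central admin box. The following is an added example, not part of the original post: a check that each authorized_keys entry on that box is limited to the tunnel. The function names are hypothetical and the sample entries are constructed; restrict, permitlisten and command are standard OpenSSH authorized_keys options.

```shell
#!/bin/sh
# Added example: audit the authorized_keys entries on the central admin box.
# One line per key: "OK <comment>" or "WEAK <comment>: missing <options>".
# Simplification: a comma inside a quoted option value can confuse the match.
audit_tunnel_keys() {
    awk '
    /^[ \t]*(#|$)/ { next }    # skip comments and blank lines
    {
        # Find the key type; everything before it is the options field.
        if (!match($0, /(^|[ \t])(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp[0-9]+)[ \t]+AAAA/)) {
            print "SKIP line " NR; next
        }
        opts = tolower(substr($0, 1, RSTART - 1))
        rest = substr($0, RSTART); sub(/^[ \t]+/, "", rest)
        n = split(rest, f, /[ \t]+/)
        label = (n >= 3) ? f[3] : "line-" NR    # key comment, if any
        missing = ""
        # restrict: no pty, agent, X11 or forwarding unless re-enabled
        if (opts !~ /(^|,)restrict(,|$)/)  missing = missing " restrict"
        # permitlisten: the only port a -R forward may bind
        if (opts !~ /(^|,)permitlisten="/) missing = missing " permitlisten"
        # command: forced command, so the key never yields a shell
        if (opts !~ /(^|,)command="/)      missing = missing " command"
        if (missing == "") print "OK " label
        else print "WEAK " label ": missing" missing
    }' "${1:--}"
}

# Constructed sample; the key blobs are placeholders, not real keys.
sample_keys() {
    cat <<'EOF'
# bare key as in step 1: full root shell, any forwarding
ssh-rsa AAAAB3PLACEHOLDER1 root@remote-a
restrict,port-forwarding,permitlisten="2222",command="sleep 60" ssh-ed25519 AAAAC3PLACEHOLDER2 tunnel@remote-b
no-pty,command="sleep 60" ssh-rsa AAAAB3PLACEHOLDER3 tunnel@remote-c
EOF
}

sample_keys | audit_tunnel_keys
```

Run it against a real file with `audit_tunnel_keys /root/.ssh/authorized_keys`; with no argument it reads standard input.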

