SSH Tunneling On Demand

From: Paul Coiner (orrious_at_yahoo.com)
Date: 09/27/05


Date: 26 Sep 2005 17:16:01 -0700

I have seen one or two posts regarding this topic but none have
produced results. I am looking to create an ssh tunnel to forward
insecure traffic over. There is no way within the application to
script an ssh tunnel to establish prior to communication. The one
promising "solution" involved using inetd to solve the problem. I have
adapted this to use xinetd since it is more mainstream now.

Here is what has been done thus far:

Configured and tested ssh with RSA authentication so I'm not prompted
for a password.

Added to /etc/services:

ssh-nessus 20000/tcp

Created /etc/xinetd.d/ssh-nessus:

# service name must match the ssh-nessus entry in /etc/services,
# which is how xinetd learns to listen on 20000/tcp
service ssh-nessus
{
        flags           = REUSE
        protocol        = tcp
        socket_type     = stream
        wait            = no
        user            = root
        # xinetd hands the accepted connection to ssh on stdin/stdout
        server          = /usr/bin/ssh
        # -L asks ssh to bind local port 20000 itself, which is the
        # same port xinetd is already listening on (see below)
        server_args     = -T -v root@10.1.1.120 -L 20000:localhost:1241
        disable         = no
}

When I telnet localhost 20000, the ssh tunnel establishes but fails
to set up the tunnel. The reason for this is that xinetd is already
listening on this port and ssh can't bind to it.

The question:
Is it possible to identify the socket that is created when xinetd
accepts the connection? Can we pass this socket to ssh for use in
setting up the tunnel? Or is there a better way to go about this?

I have seen a couple of comments where perl was used with the Net::libcap
library to listen for the communication when it tried to establish; if
the tunnel wasn't up, it would bring it up. However, if there was
congestion on the link, packets would be lost and there would be a
possibility of missing the trigger to establish the ssh tunnel. I
would prefer not to go about setting up the on-demand tunnel this way.

Any suggestions would be greatly appreciated.
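Added example, not part of the original post: an xinetd service that hands the accepted connection to ssh's stdio forwarding instead of asking ssh to bind the port xinetd already owns. Under xinetd the accepted socket is the server program's stdin/stdout, and `ssh -W host:port` (OpenSSH 5.4 or later) forwards exactly that over the secure channel, so no local `-L` bind is needed. It assumes a dedicated local account `tunnel` whose key is authorized on 10.1.1.120 and whose known_hosts already contains that host; the remote host, login and port 1241 are the ones from the post.

```ini
# /etc/xinetd.d/ssh-nessus (added example; assumes OpenSSH with -W and a local account "tunnel")
service ssh-nessus
{
        # name matches the "ssh-nessus 20000/tcp" entry in /etc/services
        socket_type     = stream
        protocol        = tcp
        wait            = no
        # dedicated unprivileged account holding the key and known_hosts,
        # so a fresh ssh is not spawned as root for every inbound connection
        user            = tunnel
        server          = /usr/bin/ssh
        # -W: forward this connection (stdin/stdout) to localhost:1241 on the far side;
        #     ssh never binds port 20000, which xinetd is already listening on.
        # BatchMode=yes: fail instead of prompting, since there is no terminal.
        # StrictHostKeyChecking=yes: refuse unknown hosts; pre-populate known_hosts.
        server_args     = -T -o BatchMode=yes -o StrictHostKeyChecking=yes -W localhost:1241 root@10.1.1.120
        # only the local application may reach the forwarder
        only_from       = 127.0.0.1
        log_type        = SYSLOG daemon info
        log_on_failure  += USERID
        disable         = no
}
```

Every client connection starts its own ssh session (wait = no), so there is one authenticated connection per client rather than one shared tunnel. On 10.1.1.120 the key can be restricted with `permitopen="localhost:1241"` in authorized_keys, and a dedicated account is preferable to root for that login.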