Re: Chaining SSH tunnels?
From: Darren Tucker (dtucker_at_gate.dodgy.net.au)
Date: 05 Nov 2005 00:30:18 GMT
On 2005-10-30, Arnoud "Galactus" Engelfriet <email@example.com> wrote:
> Let's say I am on a machine called 'local', which is able to connect
> to 'middle1'. On 'middle1', I can connect to 'middle2' and from
> 'middle2' I can read my destination machine, 'dest'. I would like to
> establish a secure connection between 'local' and 'dest' such that
> there is no unencrypted traffic anywhere in between. Is this possible
> by chaining tunnels?
> This is what I tried to use:
> local$ ssh -L 2222:middle2:22 middle1
> local$ ssh -L 4444:dest:22 localhost -p 2222
> local$ ssh localhost -p 4444
> It does seem rather overkill, since there are now three levels
> of encryption between local and middle1. Is there a better way?
I prefer "stacking" connections rather than chaining them. If you have
netcat or similar on the middle machines, then in the client's
~/.ssh/config you put something like this:
# middle2 is reached by asking middle1 to relay the TCP connection
Host middle2
    ProxyCommand ssh middle1 nc %h %p
# dest is reached the same way through middle2 (which itself goes via middle1)
Host dest
    ProxyCommand ssh middle2 nc %h %p
This still multiple-encrypts, but the connection is secured end to end
and you don't have to manage listening port numbers. The pros and cons
of both approaches have been discussed here several times before; check
the group archives.
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.
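The "stacking" approach above, as an added example that is not part of Darren's post: a small POSIX sh script that generates the ~/.ssh/config stanzas for any ordered list of hops (the thread's middle1, middle2 and dest are used as the sample input), so each host after the first is reached through the one before it and every link is its own ssh session. It goes a step beyond the post by also emitting the equivalent ProxyJump stanza that OpenSSH 7.3 and later understand, which needs no netcat on the middle machines. The function names are mine and exist only in this script.

```shell
#!/bin/sh
# Added example, not code from the original thread.
# Emits ssh_config stanzas for a chain of hops given as arguments,
# last argument being the final destination.

# Darren's stacking: each hop is a ProxyCommand through the previous hop,
# which runs nc to relay the TCP stream. Nothing leaves any hop in the clear,
# because the outer ssh session to that hop carries the inner one.
stacked_ssh_config() {
    prev=""
    for host in "$@"; do
        if [ -n "$prev" ]; then
            # %%h and %%p become the literal %h / %p tokens ssh expands itself
            printf 'Host %s\n    ProxyCommand ssh %s nc %%h %%p\n' "$host" "$prev"
        fi
        prev="$host"
    done
}

# Equivalent single stanza using ProxyJump (OpenSSH 7.3+): all hops except
# the last are listed in order, comma separated, and ssh does the relaying
# itself, so the middle machines need nothing beyond sshd.
proxyjump_ssh_config() {
    n=$#
    jumps=""
    i=1
    for host in "$@"; do
        if [ "$i" -lt "$n" ]; then
            jumps="${jumps:+$jumps,}$host"
        elif [ -n "$jumps" ]; then
            # a single host has no jumps; emitting "ProxyJump" with an
            # empty value would be an invalid stanza, so print nothing
            printf 'Host %s\n    ProxyJump %s\n' "$host" "$jumps"
        fi
        i=$((i + 1))
    done
}

# Demonstration with the hosts from the thread (constructed sample input).
stacked_ssh_config middle1 middle2 dest
proxyjump_ssh_config middle1 middle2 dest
```

Append the output to ~/.ssh/config and `ssh dest` then sets up local -> middle1 -> middle2 -> dest with no listening ports to manage. If the middle hosts run OpenSSH 5.4 or newer, `nc %h %p` in the ProxyCommand can be replaced by ssh's own `-W %h:%p`, which avoids depending on a netcat that may not exit when the relayed connection closes.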