Port Forwarding -- Checking to be sure I understand it
- From: Hal Vaughan <hal@xxxxxxxxxxxxxxxxxxxx>
- Date: Mon, 13 Mar 2006 14:15:38 -0500
I am providing support for some friends and family (I'm sure everyone knows
what I mean -- unpaid tech support you can't easily get out of), and a few
people are behind restrictive firewalls. With most of my family, I use
RealVNC. I have a dynamic IP address, so I use DynDNS for address and have
written scripts so they can just click and it'll start a RealVNC server and
connect to my system.
The problem is the few behind restrictive firewalls. I'm not a security or
networking person, so I've been reading up on this and I'd like it if I
could get some help verifying that what I've pieced together is correct.
For an easy example, I have one friend who cannot accept inbound connections
for RealVNC, so he has to use the RealVNC server and add me as a client.
From what I understand, if he uses ssh on port 443, the firewall will not
be able to tell that apart from HTTPS, so (since the firewall lets HTTPS
connections through), it should let the ssh connection through.
He's on Windows, and I've just found OpenSSH for Windows
(http://sshwindows.sourceforge.net/), but not installed it yet. (I
understand it uses the same command line and config options as SSH would on
*nix.) If I understand correctly, he can log into my computer with ssh (or
ssh for Windows, technically) and specify this:
ssh -L 5500:myaddress.dyndns.org:443 myaddress.dyndns.org
And it will connect to my computer (through my firewall) and he can log in
(or, as is likely, I can use a passwordless login). At that point, if I
understand, his port 5500 will be forwarded to my port 443.
I'm pretty sure I've got this right so far.
As I understand it, I don't have to add any strange config at this point to
get this to work. The part is user names. I can create a dummy account
for all my friends to login with that gives them minimal permissions (since
they won't be doing anything anyway!). Does that affect the forwarding?
If I'm running "vncviewer -listen -p443" on my account (and let's skip the
root-only access to ports < 1024 for now), will I still receive his
forwarded signal, on my account, while he's logged in via ssh on his
account? And do I have to change any config options for sshd on my system
(other than to make sure AllowTCPForwarding=yes)?
Now here's one last question: is there a way to set up this forwarding
without my friend actually logging in? I might use this from a Java class,
and would like for it to make the connection for forwarding, but I don't
want to open any additional windows on his system.
Thanks for any help on this!
Hal
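
Added example, not part of the original message: an sshd_config fragment that limits a shared support account to a single local port forward, which bears on the questions about a minimal-permission dummy account and forwarding without an interactive login. The account name "vncguest", the viewer port 5500, and a server running OpenSSH 6.2 or later are assumptions.

```conf
# /etc/ssh/sshd_config fragment (added example; assumes OpenSSH 6.2 or later)

# Global section: accept connections on 443 as well as the default port.
Port 22
Port 443

# "vncguest" is a hypothetical name for the shared low-privilege account.
Match User vncguest
    # Public-key login only; no password prompts for this account.
    PasswordAuthentication no
    PubkeyAuthentication yes

    # Allow only client-to-server (-L) forwards, and only to one destination.
    # 5500 is an assumed port for "vncviewer -listen" on this machine.
    AllowTcpForwarding local
    PermitOpen 127.0.0.1:5500

    # Switch off everything the account does not need.
    X11Forwarding no
    AllowAgentForwarding no
    PermitTunnel no
    GatewayPorts no
    PermitTTY no
    # Any attempt to run a command or shell exits immediately.
    # (/bin/false is an assumed path; adjust for the local system.)
    ForceCommand /bin/false

# Matching client invocation on the remote machine. -N asks for no remote
# command, so only the forward is set up and no shell session is opened:
#   ssh -N -p 443 -L 5500:127.0.0.1:5500 vncguest@myaddress.dyndns.org
```

With a forward like this, sshd itself opens an ordinary TCP connection to 127.0.0.1:5500, so the traffic reaches whichever local process is listening on that port regardless of which account owns it. Validate the file with `sshd -t` before reloading the daemon.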