Re: Initiate SSH session from other side?



> "dspfun" <dspfun@xxxxxxxxxxx> writes:
> > Is it possible to somehow trigger an SSH session from inside a network,
> > so that I can use an SSH session from outside the network into the
> > network? For example by having a program (crontab) or something
> > initiating the SSH session from inside the network to a specific
> > IP-address and port number? The problem is that it is not possible to
> > directly ssh into the network from outside the network.
> 
> I believe you could set up an ssh session from inside to outside
> machine. As part of that session, try including port forwarding, of
> say port 6666 of the outside box to the inside box port 22. See the
> man page for ssh and look at the -R option.
> 
> insidebox$ ssh -R6666:127.0.0.1:22 outsideusername@xxxxxxxxxxxxxxxxxx
> 
> This will forward all traffic hitting outsidebox port 6666 to port 22
> of the insidebox.
> 
> Then, if you have an ssh server set up on the inside box,
> 
> outsidebox$ ssh -p 6666 insideboxusername@xxxxxxxxx
> 
> I think would get you where you want to go.

Yup, all correct. The only remaining problem is what to do when the ssh
connection goes down, as they often do. You want the client to reestablish
the connection automatically. The tool for that is autossh:
http://www.harding.motd.ca/autossh/ . autossh starts an ssh session, then
periodically sends data through a loop of port forwardings over the ssh
tunnel. If the data doesn't come back, it concludes that the session is
dead, kills it, and starts a new one.

I have autossh installed as a service under Cygwin. It starts at boot, and
sets up port forwardings, both from inside to out (-L) and from outside to
in (-R). Now that it's set up I don't have to think about it at all; the
port forwardings are just there, all the time. I'm using one right now to
read and reply to your message.

Of course a setup of that kind requires an unattended login on the server.
Unattended logins bring risks, but the risks can be minimized. The Snail
Book, chapter 11, talks about it.

Good luck,
Andrew.

--
To reply by email, change "deadspam.com" to "alumni.utexas.net"
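The pieces of the setup Andrew describes (the -R tunnel, autossh keeping it alive, and a locked-down unattended login on the outside box), as an added example that is not part of the original thread. The hostnames, the user name "tunnel" and the key path are assumed placeholders; the autossh -M 0 mode relies on ssh's own keepalives instead of the monitor-port loop the post describes, and the permitlisten option needs OpenSSH 7.8 or later.

```shell
#!/bin/sh
# Added example, not code from the thread. It generates the two pieces a
# persistent -R tunnel needs: the autossh command line for the inside box and
# the restricted authorized_keys entry for the outside box. Hostnames, the
# user "tunnel" and the key path are assumed placeholders.

# autossh command the inside box runs at boot (cron @reboot, a Cygwin
# service, a systemd unit). $1 outside host, $2 port to open on the outside
# box's loopback, $3 remote user, $4 private key path.
tunnel_cmd() {
    host=$1; port=$2; user=$3; key=$4
    # -M 0: no monitor-port loop; rely on ssh's own keepalives instead.
    # ServerAliveInterval/CountMax: declare the session dead after ~90 s of
    # silence so autossh restarts it.
    # ExitOnForwardFailure=yes: if the outside box still holds port $port
    # from a half-dead previous session, exit (and get restarted) rather
    # than sit connected with no working forward.
    # BatchMode=yes: never prompt; an unattended login must fail fast.
    # -N: request no shell; the key on the far side forbids one anyway.
    echo "autossh -M 0 -N" \
         "-o ServerAliveInterval=30 -o ServerAliveCountMax=3" \
         "-o ExitOnForwardFailure=yes -o BatchMode=yes" \
         "-i $key -R $port:127.0.0.1:22 $user@$host"
}

# authorized_keys line for the outside box. "restrict" turns off everything
# (pty, agent/X11 forwarding, port forwarding, user-rc); "port-forwarding"
# re-enables forwarding and permitlisten pins the only allowed -R bind to
# 127.0.0.1:$port. The forced command never runs for a -N client but
# replaces any shell someone holding a stolen copy of the key asks for.
# $1 port, $2 the public key text.
restricted_key_line() {
    port=$1; pubkey=$2
    echo "restrict,port-forwarding,permitlisten=\"127.0.0.1:$port\",command=\"/bin/false\" $pubkey"
}

# Constructed usage; the key material below is a placeholder, not a real key.
tunnel_cmd outsidebox.example.com 6666 tunnel /home/tunnel/.ssh/tunnel_ed25519
restricted_key_line 6666 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderKeyNotRealXXXXXXXXXXXXXX tunnel@insidebox"
```

On the outside box, check that the forward is really there with `ss -ltn` (port 6666 should be listening on 127.0.0.1 only, since GatewayPorts is off by default), and set ClientAliveInterval/ClientAliveCountMax in its sshd_config so a dead session releases the port; until it does, ExitOnForwardFailure keeps the client cycling instead of silently running without a forward. A `from="..."` option on the key further limits where the unattended login may come from when the inside network has a stable public address.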