Talk:SSH Reverse Tunnel

From Gentoo Linux Wiki

(Redirected from Talk:TIP SSH Reverse Tunnel)


If middle gives "Connection refused":

You may find (as I did) that, following these instructions, when you finally try to connect notebook to middle, you get:

 notebook$ ssh user@middle -p 10000
 ssh: connect to host middle port 10000: Connection refused

This is because middle is not yet listening for connections to the outside world on port 10000. AFAICT, the original ssh -R command only causes middle to listen on port 10000 on its local loopback. There are several ways to make it work as intended:
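The list of ways that followed this comment is missing from this copy of the page. As an added diagnostic, written for this page and not taken from the wiki or from OpenSSH, the script below reads `ss -ltn` style output and reports whether port 10000 on middle is bound to loopback only or to every interface; the two socket-table samples are constructed, the function names are my own, and the usual `ss -ltn` column layout is assumed.

```shell
#!/bin/sh
# Added diagnostic, not from the wiki page. It reads `ss -ltn` style output
# and reports how a given port is bound on "middle", which is the question
# behind the "Connection refused" above: by default the listener created by
#   ssh -R 10000:localhost:22 middleuser@middle
# sits on 127.0.0.1:10000 only. Binding it on every interface needs both a
# bind_address from the client, e.g.
#   ssh -R '*:10000:localhost:22' middleuser@middle
# and "GatewayPorts yes" (or "GatewayPorts clientspecified") in
# /etc/ssh/sshd_config on middle. A wildcard-bound port lets anyone who can
# reach middle attempt SSH logins against destination's sshd; the loopback
# listener plus an ordinary hop through middle exposes less.

# listener_scope PORT   (ss -ltn output on stdin)
# prints one word: all | loopback | interface | none
listener_scope() {
    awk -v port="$1" '
        # column 4 of `ss -ltn` is Local Address:Port; skip the header line
        NR > 1 && $4 ~ (":" port "$") {
            if ($4 ~ /^(0\.0\.0\.0|\*|\[::\]):/)      all = 1
            else if ($4 ~ /^(127\.[0-9.]+|\[::1\]):/) lo = 1
            else                                      iface = 1
        }
        END {
            if (all) print "all"
            else if (iface) print "interface"
            else if (lo) print "loopback"
            else print "none"
        }'
}

# check_middle_listener PORT   runs the same check on the live socket table
check_middle_listener() {
    ss -ltn | listener_scope "$1"
}

# Constructed sample: what `ss -ltn` on middle shows right after the plain
# -R command, before GatewayPorts is enabled.
SAMPLE_SS_BEFORE='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      128    127.0.0.1:10000    0.0.0.0:*
LISTEN 0      128    [::1]:10000        [::]:*'

# Constructed sample after "GatewayPorts yes" and a bind_address of "*".
SAMPLE_SS_AFTER='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      128    0.0.0.0:10000      0.0.0.0:*
LISTEN 0      128    [::]:10000         [::]:*'

printf 'before: %s\n' "$(printf '%s\n' "$SAMPLE_SS_BEFORE" | listener_scope 10000)"
printf 'after:  %s\n' "$(printf '%s\n' "$SAMPLE_SS_AFTER" | listener_scope 10000)"
```

Run `check_middle_listener 10000` on middle: "loopback" means only connections made from middle itself (or through another hop into middle) can reach the tunnel, which matches the "Connection refused" seen from notebook; "all" means the port is reachable from anywhere that can reach middle.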

Avoiding Timeout: ClientAlive? or ServerAlive?

If I get this correctly, the connection we are trying to keep alive here is the one initiated by this command:

user@destination$ ssh -R 10000:localhost:22 middleuser@middle

Hence the client is "destination" and the server is "middle".

If you are setting up the ssh_config on "destination", it seems to me the correct option should be "ServerAliveInterval" rather than "ClientAlive" (we want client to check if server is alive).

On the other hand, if you edit sshd_config on "middle", you'd probably need to use ClientAliveInterval.

Note that I did not yet try it out, so I'm not really sure I got it right... --amit
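The two option families amit describes really do live on opposite sides: ServerAlive* is an ssh_config (client) option, ClientAlive* is an sshd_config (server) option, and in both cases OpenSSH drops the peer after interval times count-max seconds without a reply. The script below is an added example, not from the wiki page; it parses a config fragment and reports that budget. The `keepalive_budget` function and the two config fragments are constructed for this page, and it assumes the plain "Keyword value" spelling (the "Keyword=value" form and Match blocks are not handled).

```shell
#!/bin/sh
# Added example, not from the wiki page. OpenSSH drops a peer after
# Interval * CountMax seconds without a reply: ClientAliveInterval and
# ClientAliveCountMax in sshd_config (what sshd on "middle" applies to the
# connection from destination), ServerAliveInterval and ServerAliveCountMax
# in ssh_config (what the ssh client on "destination" applies to middle).
# Defaults are interval 0, i.e. disabled, and count max 3. As in OpenSSH,
# the first occurrence of a keyword wins. Only the "Keyword value" spelling
# is parsed here; "Keyword=value" and Match blocks are ignored (assumption).

# keepalive_budget PREFIX   (PREFIX = ClientAlive or ServerAlive; config on stdin)
# prints "disabled" or the number of seconds before the peer is dropped
keepalive_budget() {
    awk -v prefix="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ { next }                 # comment line
        { key = tolower($1) }
        key == prefix "interval" && !have_i { interval = $2 + 0; have_i = 1 }
        key == prefix "countmax" && !have_c { countmax = $2 + 0; have_c = 1 }
        END {
            if (!have_c) countmax = 3
            if (interval == 0) print "disabled"
            else print interval * countmax
        }'
}

# Constructed sshd_config fragment for "middle": an unresponsive destination is
# disconnected after 30 * 3 = 90 s, and the -R listener disappears with it.
MIDDLE_SSHD_CONFIG='# /etc/ssh/sshd_config on middle (constructed sample)
Port 22
ClientAliveInterval 30
ClientAliveCountMax 3'

# Constructed ssh_config fragment for "destination". The same options can be
# given on the command line instead:
#   ssh -o ServerAliveInterval=15 -R 10000:localhost:22 middleuser@middle
DESTINATION_SSH_CONFIG='# ~/.ssh/config on destination (constructed sample)
Host middle
    ServerAliveInterval 15'

printf 'middle drops destination after: %s s\n' \
    "$(printf '%s\n' "$MIDDLE_SSHD_CONFIG" | keepalive_budget ClientAlive)"
printf 'destination drops middle after: %s s\n' \
    "$(printf '%s\n' "$DESTINATION_SSH_CONFIG" | keepalive_budget ServerAlive)"
printf 'stock defaults: %s\n' "$(printf '' | keepalive_budget ClientAlive)"
```

Setting the client side on destination is enough to keep a stateful firewall or NAT table from expiring the idle connection; the sshd side on middle additionally makes middle notice a vanished destination and free port 10000, so a restarted tunnel is not refused with "remote port forwarding failed".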

If you can logon to middle and middle can logon to destination isn't a Local tunnel easier?

user@notebook$ ssh -NL10000:destination:22 middleuser@middle &
user@notebook$ ssh -p10000 destinationuser@127.0.0.1

That way you only use 1 host and don't need GatewayPorts enabled.

If you add a name like tunneled_dest to 127.0.0.1 in /etc/hosts, you can use

user@notebook$ ssh -p10000 destinationuser@tunneled_dest

and prevent known_hosts trouble with changing hostkeys for "127.0.0.1" if you use this to connect to many destinations.

Why do we need 2 connections for this?

I am failing to see how connecting to the middle machine on port 10000 is going to get us around any firewalls, unless the firewall is simply filtering by port number, in which case wouldn't the logical solution just be to change the SSH listening port on the destination machine? The only reason why I would think this would be necessary is if you are not the owner of the destination SSH server and do not have root access to change the port. If someone could clarify what the advantage of the middle machine is over simply changing the destination server's listening port to 100000, that would be greatly appreciated.
