
SSH "reverse" ProxyCommand covered

Workstation -> Intermediate <- Server

my situation is the exact opposite...

Workstation <- Intermediate -> Server

I'd like to ssh from workstation to server but Server is only accessible from Intermediate. I can physically access the very limited Intermediate but while it is perfectly capable of doing basic network operations it is by no means adequate for work. It has an OpenSSH client on it but no OpenSSH server and getting one is ... difficult.

Workstation is not limited. It is running a Windows 10 Pro 19042 host and a Linux VM (WSL2). All sorts of witchcraft and wizardry is welcome there, we have CPU cycles and I/O to spare by the bucketload.

Final footnote: adding more network adapters is possible, both Intermediate and Workstation have USB ports. (Workstation even has Thunderbolt should that be necessary although I can't imagine how it'd be.)

chx
    You might need to do the effort of installing an OpenSSH server on Intermediate. – harrymc Aug 20 '21 at 16:17
  • The best solution depends on what you can actually do on "Intermediate" (like how "difficult" installing an OpenSSH server is, if you can use netcat, or socat), how easy it is to ssh from "Intermediate" to "Workstation", and what other tunneling options you have, which in turn depends on why Server is only accessible from "Intermediate" in your setup. All of which is not explained in the question. At least give some details about "Intermediate". – dirkt Aug 22 '21 at 08:12

3 Answers


To connect Workstation -> Intermediate (W->I) as you want to do, you need some kind of server in I.
Note: A reverse SSH tunnel helps you overcome ("extrinsic") barriers set by firewalls, not the ("intrinsic") barrier of an absence of SSH server.

There is no OpenSSH server... check if there are other servers. There might be some other SSH server (unlikely). If there is a telnet server (also unlikely), you could use this. Note that telnet was removed from Windows Server 2012 R2 / Windows 10 (also this), but you could still install it. Security may be a concern, though.

Socat is yet another alternative. I am not sure you could then ssh I->S, but if you clarify you have this option available, we could try working it out.

Netcat (not encrypted) is yet another option. The same comment as above applies.

It is useful to know which OS you have in I.

  • Based on https://hobo.house/2016/06/20/fun-and-profit-with-reverse-ssh-tunnels-and-autossh/ I was hoping I could use a I->W reverse tunnel and then use ProxyCommand ssh -W "server:%p" intermediate to connect, I just can't quite work out the details. – chx Aug 22 '21 at 09:22
  • Could you pinpoint the difference between this and the link you posted in the OP? See the Note in EDITed answer. – sancho.s ReinstateMonicaCellio Aug 22 '21 at 13:07

A way round this that may work is on Intermediate run:

ssh -L 2222:localhost:22 -g serveruser@Server

The -g option allows remote hosts to connect to local forwarded ports. Make sure port 2222 is allowed through Intermediate's firewall if it has one. Then on Workstation run:

ssh -p 2222 serveruser@Intermediate

If that doesn't work, then on Intermediate try:

ssh -R 2222:Server:22 workstationuser@Workstation

Then on Workstation run:

ssh -p 2222 serveruser@localhost
Aenfa
    I am hitting "channel 2: open failed: administratively prohibited: open failed". I am afraid this might be from server :( – chx Aug 27 '21 at 07:23
  • Ensure that Server has AllowTcpForwarding yes and PermitOpen any in /etc/ssh/sshd_config. The other thing is try using 127.0.0.1 instead of localhost. – Aenfa Aug 27 '21 at 11:00
  • I do not control server... – chx Aug 28 '21 at 03:42
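An added example (not from the question or any of the answers) of how the second variant above, the reverse forward from Intermediate, can be written down on the two machines the asker controls, so that Server's host key is pinned under a stable name and Workstation's sshd grants the tunnelling account nothing but that one forward; the user names, port 2222 and the key file name are assumptions.

```sshconfig
# --- Intermediate (OpenSSH client only), started by hand.
# Opens the reverse forward and nothing else: no shell (-N), and the
# session fails instead of silently running without the forward.
#   ssh -N -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 \
#       -R 2222:Server:22 workstationuser@Workstation

# --- Workstation (WSL2), ~/.ssh/config
# 127.0.0.1:2222 is Server, not a local service, so pin Server's host key
# under its own name instead of letting it be stored as "[127.0.0.1]:2222".
Host server
    HostName 127.0.0.1
    Port 2222
    User serveruser
    HostKeyAlias server
    IdentitiesOnly yes
    IdentityFile ~/.ssh/id_ed25519      # assumed key file name

# --- Workstation (WSL2), /etc/ssh/sshd_config, appended after the
# global settings. The account Intermediate logs in as needs exactly one
# capability: a remote forward listening on loopback port 2222 (GatewayPorts
# stays at its default of "no", so nothing off-host can reach it).
Match User workstationuser
    AllowTcpForwarding remote
    PermitListen 2222
    PermitOpen none
    PermitTTY no
    AllowAgentForwarding no
    X11Forwarding no
    PasswordAuthentication no
```

With this in place `ssh server` on Workstation reaches Server through Intermediate's client, and the host-key prompt on the first connection is the real check that the loopback port ends where you expect.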

This is old, but I just fought this battle. I ended up creating a reverse proxy from the intermediate to my workstation:

ssh -NTC -i ~/.ssh/my_id_rsa -R 54321:localhost: me@workstation

I then set up my intermediate .ssh/config to get to the server and a farther away server (everything below except the intermediate).

I then set up my workstation .ssh/config with the same jumps (even though those connections aren't directly accessible from the workstation) and an additional config to get from my workstation to the intermediate.

Host intermediate
  Hostname 127.0.0.1
  Port 54321
  User me
  IdentitiesOnly yes
  IdentityFile ~/.ssh/my_id_rsa

Host server
  Hostname server
  User me
  IdentitiesOnly yes
  IdentityFile ~/.ssh/my_id_rsa
  ProxyCommand ssh intermediate -W %h:%p

Host farfaraway
  Hostname farfaraway.local
  User me
  IdentitiesOnly yes
  IdentityFile ~/.ssh/my_id_rsa
  ProxyCommand ssh server -W %h:%p

Even though my workstation can't directly see or get to server or farfaraway, it determines its route using these and pushes them through the tunnel to the intermediate (which does use them). Now (as long as my_id_rsa.pub is in the authorized_keys file on all machines), I can just ssh to any of them with: ssh <destination>

Jess