SSH Tunnels
Reverse Jump Host
Not sure exactly what to call this, but this lets you have a bunch of remote servers that you can't forward ports into, yet still have them be available over your jump host.
I no longer use this solution, but used it a lot in 2016-2020 at work.
I'll use my domain in the examples to keep it simple.
For your own safety, please use at least OpenSSH 7.8p1 on all your servers (the permitlisten authorized_keys option used below was added in 7.8; well... use the newest stable you can!)
Jump server
This will be the server all your remote servers connect to, and exposes their SSH on a port on this server.
Because of the security implications, you need to be sure you know what you're doing: this can poke holes where holes are not supposed to be.
We'll make a limited user (tunnel) whose shell doesn't allow login:
Then, optionally, we let ports opened by SSH clients bind on all interfaces (reachable from the internet/LAN) instead of only loopback, in /etc/ssh/sshd_config:
GatewayPorts yes # STOP!!! This could be a HUGE security issue
# if you're running outdated software or weak passwords,
# and it's in general a stupid thing to do..
# If you're forwarding something that's behind a NAT/firewall,
# it's probably there for a reason, unless you purposely made it this way.
# This is not required: without it, forwarded ports only listen on the jump host's loopback.
We'll add the public keys of the remote servers to /home/tunnel/.ssh/authorized_keys (one permitlisten option per port; restrict turns everything off and port-forwarding turns only forwarding back on):
permitlisten="5001",permitlisten="5002",command="/sbin/nologin",restrict,port-forwarding,no-pty ssh-rsa AAAAB3NzaC1yc2..
from="2001:db8::/64",permitlisten="5003",permitlisten="5004",command="/sbin/nologin",restrict,port-forwarding,no-pty ssh-rsa AAAAB3NzaC1yc3..
The second entry additionally restricts which source addresses may use the key, with the from field.
Remote servers/targets
They don't have to be servers, as we're only using the SSH client on these. But for the sake of naming things we'll keep this simple.
We need to generate a strong SSH key pair, so we can put its public key on the jump host (the second form writes the key to a custom path):
ssh-keygen -t rsa -b 4096 -C "jumpremote1"
ssh-keygen -t rsa -b 4096 -C "jumpremote1" -f /config/.ssh/id_rsa_tunnel2
Then we'll use this command to initiate the tunnel (-f backgrounds it, -N runs no remote command, -R publishes the local SSH port on the jump host):
ssh -f -n -N -C -R 5001:127.0.0.1:22 tunnel@tunnelserver.mths.io
ssh -f -n -N -C -R 5001:127.0.0.1:22 -i /config/.ssh/id_rsa_tunnel2 tunnel@tunnelserver.mths.io
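The two halves of this setup have to agree: the jump host's authorized_keys entry decides which -R ports a key may bind, and the remote side's ssh command has to ask for one of them. The following is an added example (not code from the page or from OpenSSH) that parses authorized_keys lines in the shape shown above, reports entries that are not locked down, checks whether a planned -R bind port is covered by permitlisten, and builds the remote side's command as an argv list. The sample file, key blobs and comments are constructed; the jump host user@host defaults to the page's tunnel@tunnelserver.mths.io.

```python
"""Audit a jump host's authorized_keys entries and build the matching reverse-tunnel
command. Added example: assumes the page's option layout (restrict + port-forwarding +
permitlisten[,from]); key blobs below are placeholders, not real keys."""
from __future__ import annotations

KEY_PREFIXES = ("ssh-", "ecdsa-", "sk-")

# Constructed sample of /home/tunnel/.ssh/authorized_keys on the jump host.
SAMPLE_AUTHORIZED_KEYS = """\
# jump host: /home/tunnel/.ssh/authorized_keys (constructed sample)
permitlisten="5001",permitlisten="5002",command="/sbin/nologin",restrict,port-forwarding,no-pty ssh-rsa AAAAB3NzaC1yc2EXAMPLE1 jumpremote1
from="2001:db8::/64",permitlisten="5003",permitlisten="5004",command="/sbin/nologin",restrict,port-forwarding,no-pty ssh-rsa AAAAB3NzaC1yc2EXAMPLE2 jumpremote2
permitlisten="5005,5006",restrict,port-forwarding ssh-ed25519 AAAAC3NzaC1lZDI1NTE5EXAMPLE3 broken-syntax
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5EXAMPLE4 unrestricted
"""


def _split_unquoted(text: str, sep: str) -> list[str]:
    """Split on sep, ignoring separators inside double quotes (option values may hold commas/spaces)."""
    parts, cur, quoted = [], [], False
    for ch in text:
        if ch == '"':
            quoted = not quoted
        if ch == sep and not quoted:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return parts


def parse_entry(line: str) -> dict | None:
    """Parse one authorized_keys line into {options, keytype, key, comment}; None for blanks/comments.
    options maps lowercase name -> list of values (True for bare flags), since permitlisten may repeat."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if line.startswith(KEY_PREFIXES):                 # no option block, key type comes first
        opt_text, fields = "", line.split()
    else:                                             # option block precedes the key type
        fields = [f for f in _split_unquoted(line, " ") if f]
        opt_text, fields = fields[0], fields[1:]
    options: dict[str, list] = {}
    for opt in _split_unquoted(opt_text, ","):
        if not opt:
            continue
        name, eq, value = opt.partition("=")
        options.setdefault(name.lower(), []).append(value.strip('"') if eq else True)
    return {"options": options, "keytype": fields[0], "key": fields[1], "comment": " ".join(fields[2:])}


def listen_permits(entry: dict) -> list[tuple[str, int]] | None:
    """(host, port) pairs this key may bind with -R; None means no permitlisten (any port allowed)."""
    values = entry["options"].get("permitlisten")
    if values is None:
        return None
    permits = []
    for value in values:
        host, _, port = value.rpartition(":")         # "[host:]port"; a bare port means any host ("*")
        if not port.isdigit():
            raise ValueError(f"invalid permitlisten {value!r}: use one permitlisten= per port")
        permits.append((host.strip("[]") or "*", int(port)))
    return permits


def reverse_forward_allowed(entry: dict, bind_port: int) -> bool:
    """Would sshd accept `-R bind_port:...` for this key? (port-only check; host matching omitted)"""
    permits = listen_permits(entry)
    return permits is None or any(p == bind_port for _, p in permits)


def audit_entry(entry: dict) -> list[str]:
    """Findings for a tunnel-only key: it should be limited to port forwarding on known ports."""
    opts, findings = entry["options"], []
    if "restrict" not in opts:
        findings.append("missing restrict (pty, agent/X11 forwarding and user rc stay enabled)")
    if "permitlisten" not in opts:
        findings.append("missing permitlisten (key may bind any remote-forward port)")
    else:
        try:
            listen_permits(entry)
        except ValueError as err:
            findings.append(str(err))
    if "from" not in opts:
        findings.append("no from= source restriction")
    return findings


def audit_file(text: str) -> dict[str, list[str]]:
    """Map each key's comment to its findings; clean entries map to an empty list."""
    report = {}
    for line in text.splitlines():
        entry = parse_entry(line)
        if entry:
            report[entry["comment"] or entry["key"][:16]] = audit_entry(entry)
    return report


def reverse_tunnel_argv(bind_port: int, key_path: str, jump: str = "tunnel@tunnelserver.mths.io",
                        target_port: int = 22) -> list[str]:
    """ssh argv for the remote side (the page's -R form, kept in the foreground so a supervisor can
    restart it; ExitOnForwardFailure makes a refused bind port a hard failure, not a silent idle session)."""
    return ["ssh", "-N", "-C", "-o", "ExitOnForwardFailure=yes", "-o", "ServerAliveInterval=30",
            "-i", key_path, "-R", f"{bind_port}:127.0.0.1:{target_port}", jump]


if __name__ == "__main__":
    for name, findings in audit_file(SAMPLE_AUTHORIZED_KEYS).items():
        print(f"{name}: {'ok' if not findings else '; '.join(findings)}")
    print(" ".join(reverse_tunnel_argv(5001, "/config/.ssh/id_rsa_tunnel2")))
```

The audit deliberately treats a comma inside one permitlisten value as an error, because sshd expects one permitlisten= per port and rejects the whole key line otherwise; running the audit on the jump host before reloading sshd catches that failure mode early.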
Clients
If you enabled GatewayPorts in sshd_config, connecting to tunnelserver.mths.io:5001 lands on target:22 through the jump host. If you didn't, port 5001 only listens on the jump host's loopback, so you need to use the jump server as a jump host (-J).
For example, I can easily make a SOCKS proxy this way, which lets me reach web management pages on the remote network from my browser.
ssh -D 5555 -C -p 5001 <user>@tunnelserver.mths.io   # -C for compress; <user> is your account on the target
ssh -J <jumpuser>@tunnelserver.mths.io -D 5555 -C -p 5001 <user>@localhost   # -J for jump host; without GatewayPorts the target's port 5001 only listens on the jump host's loopback
Regular tunnels
If you need a SOCKS proxy, so that your traffic exits from your SSH server, connect to it with a dynamic forward (-D):
If something hosted on the server listens only on localhost:1234, you can make it available on your own localhost with a local forward (-L):
You can also do it the other way round, making localhost:1234 on your client machine available for others to connect to on the remote SSH server, with a remote forward (-R):
If the service lives on another interface or another host within your SSH server's network, specify that host instead of localhost in the forward spec:
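The four tunnel shapes described in this section and in Clients differ only in the forward spec and flag, so they are worth seeing side by side. The block below is an added example (not code from the page) that parses ssh's "[bind_address:]port[:host:hostport]" spec, builds the matching ssh command line for -D, -L, -R and -J, and renders the same tunnel as a Host block for ~/.ssh/config. The hosts user@server.example, <user>, <jumpuser> and 10.0.0.5 are placeholders; it assumes, as in Clients, that without GatewayPorts the target's port 5001 is reached as localhost from the jump host.

```python
"""Client-side tunnel commands (-D / -L / -R, optionally through -J) and the equivalent
~/.ssh/config stanza. Added example; host names and users are placeholders."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Forward:
    kind: str            # "local" (-L), "remote" (-R) or "dynamic" (-D)
    bind_port: int
    bind_addr: str = ""  # empty = ssh default (loopback unless GatewayPorts / bind_address is set)
    host: str = ""       # target host as seen from the far end of the tunnel (local/remote only)
    host_port: int = 0


def _split_colon(spec: str) -> list[str]:
    """Split on ':' outside square brackets, so bracketed IPv6 hosts like [::1] survive."""
    parts, cur, depth = [], [], 0
    for ch in spec:
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
        if ch == ":" and depth == 0:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return [p.strip("[]") for p in parts]


def parse_forward(kind: str, spec: str) -> Forward:
    """Parse "[bind_addr:]port" for -D or "[bind_addr:]port:host:hostport" for -L/-R."""
    parts = _split_colon(spec)
    want = 1 if kind == "dynamic" else 3
    if kind not in ("local", "remote", "dynamic") or len(parts) not in (want, want + 1):
        raise ValueError(f"bad {kind} forward spec {spec!r}")
    bind = parts.pop(0) if len(parts) == want + 1 else ""
    host, host_port = ("", 0) if kind == "dynamic" else (parts[1], int(parts[2]))
    return Forward(kind, int(parts[0]), bind, host, host_port)


def is_valid_forward(kind: str, spec: str) -> bool:
    try:
        parse_forward(kind, spec)
        return True
    except ValueError:
        return False


FLAG = {"local": "-L", "remote": "-R", "dynamic": "-D"}
CONFIG_KEYWORD = {"local": "LocalForward", "remote": "RemoteForward", "dynamic": "DynamicForward"}


def spec_string(f: Forward) -> str:
    bind = f"{f.bind_addr}:" if f.bind_addr else ""
    tail = "" if f.kind == "dynamic" else f":{f.host}:{f.host_port}"
    return f"{bind}{f.bind_port}{tail}"


def tunnel_argv(dest: str, forwards: list[Forward], port: int = 22, jump: str | None = None) -> list[str]:
    """ssh argv; ExitOnForwardFailure turns a bind port that is already in use into an error."""
    argv = ["ssh", "-N", "-C", "-o", "ExitOnForwardFailure=yes"]
    if jump:
        argv += ["-J", jump]
    if port != 22:
        argv += ["-p", str(port)]
    for f in forwards:
        argv += [FLAG[f.kind], spec_string(f)]
    return argv + [dest]


def ssh_config_stanza(alias: str, hostname: str, user: str, forwards: list[Forward],
                      port: int = 22, jump: str | None = None) -> str:
    """The same tunnel as a Host block, so `ssh alias` sets it up (ProxyJump replaces -J)."""
    lines = [f"Host {alias}", f"    HostName {hostname}", f"    User {user}",
             f"    Port {port}", "    ExitOnForwardFailure yes"]
    if jump:
        lines.append(f"    ProxyJump {jump}")
    for f in forwards:
        bind = f"{f.bind_addr}:" if f.bind_addr else ""
        if f.kind == "dynamic":
            lines.append(f"    DynamicForward {bind}{f.bind_port}")
        else:
            lines.append(f"    {CONFIG_KEYWORD[f.kind]} {bind}{f.bind_port} {f.host}:{f.host_port}")
    return "\n".join(lines) + "\n"


# Constructed examples mirroring the page's cases (placeholders, not real hosts).
EXAMPLES = {
    # Clients: SOCKS proxy to the target, reached via the jump host's loopback listener on 5001
    "socks-via-jump": tunnel_argv("<user>@localhost", [parse_forward("dynamic", "5555")],
                                  port=5001, jump="<jumpuser>@tunnelserver.mths.io"),
    # Regular tunnels: service bound to localhost:1234 on the server, reachable on your localhost:1234
    "local": tunnel_argv("user@server.example", [parse_forward("local", "1234:localhost:1234")]),
    # your client's localhost:1234 published on the server
    "remote": tunnel_argv("user@server.example", [parse_forward("remote", "1234:localhost:1234")]),
    # service on another host inside the server's network, bound only on your loopback
    "other-host": tunnel_argv("user@server.example", [parse_forward("local", "127.0.0.1:8080:10.0.0.5:80")]),
}

if __name__ == "__main__":
    for name, argv in EXAMPLES.items():
        print(f"{name}: {' '.join(argv)}")
    print(ssh_config_stanza("socks", "localhost", "<user>", [parse_forward("dynamic", "5555")],
                            port=5001, jump="<jumpuser>@tunnelserver.mths.io"))
```

Binding a local forward to 127.0.0.1 explicitly (as in the other-host example) keeps the forwarded service off your LAN even if a client-side GatewayPorts setting would otherwise expose it; the same bind_address prefix works for -D and -R.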