
I’m trying to set up multiple client PCs that are behind a firewall with dynamic IP addresses to have an SSH connection available for another PC.

My theory is to set up a server with a publicly accessible and static IP that would act as the SSH server. Clients initiate reverse SSH connections. When a connection is required from another (controller) client, the client connects to a server, and the server patches/tunnels that connection to the desired remote client.

How is this possible to achieve? Is there a term for this? Is there another solution for this problem?


edit: added diagram

I hope this clears it up. I've also found this article that discusses this a bit more, but not with multiple clients. http://toic.org/blog/2009/reverse-ssh-port-forwarding/

[diagram of the intended setup; image not included]

  • I am having trouble following this. The clients are behind a firewall, but they can ssh out to the new server you are setting up?
    – Paul
    Commented Apr 1, 2015 at 23:02
  • The firewall (or router) is preventing inbound connections, meaning all connections need to be outbound.
    – Daniel
    Commented Apr 2, 2015 at 0:03
  • If they can all make outbound connections, what is stopping them connecting directly to the target server? Could you have a go at editing your question to make it clearer? There are multiple clients on different networks perhaps?
    – Paul
    Commented Apr 2, 2015 at 0:07
  • Sorry, but the term reverse SSH makes no sense. SSH uses a client/server architecture; it sounds like you are wanting to reverse those roles. If you did that it wouldn't be called reverse SSH; you'd simply be swapping the client and the server roles of each computer (IOW, you'd be installing the server software on a client [servers generally always have the client installed already]). This is one of those questions where I'd rather answer the question you should've asked instead of the question you did ask.
    – krowe
    Commented Apr 2, 2015 at 0:18
  • I've added a diagram that hopefully clears it up a little
    – Daniel
    Commented Apr 2, 2015 at 15:01

1 Answer


I don't think there is an easy way to do this on a mass scale. And you don't really mention the scope of these ssh connections. Terminal only? Might make things a bit easier.

Run ssh -NR 2210:localhost:22 [email protected] as someuser on the machine behind the firewall. I'm assuming 2210 is available on the intermediary machine; if it's not, pick another port. Each machine you want to access behind the firewall will need its own port.

Your Internet user connecting to the intermediary needs ssh access on the intermediary. To get behind the firewall just do ssh -t [email protected] "ssh someuser@localhost -p 2210" to get terminal access. You'll need to do the same thing on a different port for every server.

You can daemonize that first part so it happens on boot. I don't know the best way to, say, make it easy to manage two sets of logins, passwords, etc. You can create passwordless logins based on ssh keys, but that will take time to set up and will need to be done for every user.

If terminal only works for you...

I created a little perl script to act as a login shell wrapper for a user called sshcatcher. I saved it to /usr/local/remote.pl:

#!/usr/bin/perl
use strict;
use warnings;

# Login-shell wrapper: ask which account on the firewalled machine to
# reach, then hop through the reverse tunnel listening on port 2210.
print "Please enter your username to access the firewalled server: ";
my $user = <STDIN>;
chomp($user);

# Accept only a plain account name, so the input cannot be turned into
# an ssh option such as -oProxyCommand=...
die "invalid username\n" unless $user =~ /^[a-z_][a-z0-9_-]*$/;

# Pass each argument separately: no shell is involved, and "--" ends
# option parsing so ssh treats the last argument as the destination.
system("ssh", "-p", "2210", "--", "$user\@localhost");

With something like that, maybe you can chance allowing an account with an empty password on the intermediary to automate the process a little.

The vipw entry looks like: sshcatcher:x:2000:2000::/home/sshcatcher:/usr/local/remote.pl
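The answer above wires up each firewalled machine by hand: one -R port per client, one authorized key per client, and a nested ssh from the intermediary. The script below is an added example (not part of the original answer) that derives all three pieces for every client from a single ordered client list. The relay name relay.example.com, the account names tunnel and operator, the port range starting at 2210 and the client names are assumptions; the authorized_keys restrictions need OpenSSH 7.8 or newer for permitlisten. It also replaces the `ssh -t relay "ssh ..."` hop with ProxyJump, so the controller checks the firewalled machine's host key itself and never hands its password or agent to the relay.

```shell
#!/bin/sh
# Added example, not from the original answer: one reverse tunnel per
# firewalled client, with the per-client relay port, the relay-side key
# restriction and the controller-side ssh_config all derived from one
# client list. Relay name, account names and port range are assumptions.

RELAY="relay.example.com"   # assumed: public, static-IP intermediary
TUNNEL_USER="tunnel"        # assumed: unprivileged relay account the clients log in as
CONTROL_USER="operator"     # assumed: relay account the controller jumps through
BASE_PORT=2210              # first relay-side port, as in the answer
CLIENTS="alpha beta gamma"  # constructed sample list; its order fixes the port numbers

# client_port NAME: the N-th client in $CLIENTS listens on BASE_PORT+N.
# Every client needs a distinct port, otherwise the second -R fails.
client_port() {
    _n=0
    for _c in $CLIENTS; do
        if [ "$_c" = "$1" ]; then
            echo $((BASE_PORT + _n))
            return 0
        fi
        _n=$((_n + 1))
    done
    echo "unknown client: $1" >&2
    return 1
}

# tunnel_command NAME: what the firewalled client runs at boot (cron
# @reboot, a systemd unit, or under autossh). ExitOnForwardFailure makes
# ssh exit, and the supervisor restart it, if the relay port is already
# taken; ServerAlive* tears down a tunnel whose NAT mapping silently died.
tunnel_command() {
    _port=$(client_port "$1") || return 1
    echo "ssh -N -o ExitOnForwardFailure=yes -o ServerAliveInterval=30" \
         "-o ServerAliveCountMax=3 -R ${_port}:localhost:22 ${TUNNEL_USER}@${RELAY}"
}

# authorized_keys_line NAME PUBKEY: entry for the tunnel account's
# authorized_keys on the relay. 'restrict' removes pty, agent/X11
# forwarding and commands; 'port-forwarding' re-enables forwarding only,
# and 'permitlisten' pins the remote forward to this client's own port.
authorized_keys_line() {
    _port=$(client_port "$1") || return 1
    echo "restrict,port-forwarding,permitlisten=\"${_port}\" $2 client-$1"
}

# ssh_config_stanza NAME: controller-side ~/.ssh/config entry. ProxyJump
# opens a channel through the relay to localhost:PORT on the relay, so
# the controller verifies the firewalled machine's host key end to end.
ssh_config_stanza() {
    _port=$(client_port "$1") || return 1
    printf 'Host %s\n    HostName localhost\n    Port %s\n    ProxyJump %s@%s\n' \
        "$1" "$_port" "$CONTROL_USER" "$RELAY"
}

# Demo over the constructed list; the public key is a constructed placeholder.
for _client in $CLIENTS; do
    echo "# --- $_client (relay port $(client_port "$_client")) ---"
    tunnel_command "$_client"
    authorized_keys_line "$_client" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAA...${_client}"
    ssh_config_stanza "$_client"
done
```

With the generated stanza in place, the controller reaches a client with `ssh someuser@beta` and ssh performs the jump through the relay itself. Because -R binds to the relay's loopback by default (GatewayPorts off), the tunnel ports are never reachable from the Internet, only by accounts that can log in to the relay.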
