
I am trying to configure a machine, B, as a proxy, meaning that incoming SSH connections get silently redirected to another host, for example C. As the guy who initiates the connection, all I have is the IP address of B, nothing else; the redirection to C should be handled automatically, so that I just end up at machine C without even noticing the hop in between.

A ---> B ---> C

A few things to note:

  • Hosts B and C are in the same network.
  • There can be multiple endpoint hosts aside from C. Imagine D, E, F, etc.
  • In a later stage I need to implement a forwarding logic, i.e. the endpoint C can change depending on who initiates the connection. So B should be able to decide where the connection should be forwarded to, depending on who initiated it. For example, if Person X connects to B he might get forwarded to C, while Person Y gets redirected to D when connecting to B.
  • All machines run Linux.

I know the basics of local and remote port forwarding with SSH, however I am not sure if that's the right approach. I was thinking of some service that waits for incoming SSH connections, checks where they come from and then performs the redirect to the endpoint. How do I do that? What tools should I use? Just normal ssh? Can someone provide a basic example for my scenario?

  • A similar question regarding SFTP is here. I think you can adapt the answer to your needs. Commented May 19, 2019 at 15:04

1 Answer


One could use the program called socat. You would need to turn off the service that manages the secure port(s) on the c
Your manager admin's admin should be notified about the affected computers.

A simple setup could be as follows. Say we use port 9201 for this example and computer C has IP 10.11.12.13 (this only allows one connection though).

On Computer B (accept on 9201, relay every connection to C on 9201):

    socat TCP-LISTEN:9201,fork,reuseaddr TCP:10.11.12.13:9201

On Computer C (accept on 9201, hand the connection to the local sshd on port 22):

    socat TCP-LISTEN:9201,fork,reuseaddr TCP:127.0.0.1:22

(The second command originally used OPENSSL-LISTEN with no target address: socat needs two addresses, and an OPENSSL-LISTEN side would wait for a TLS handshake that the plain TCP connection from B never performs, so the SSH client would hang. Both sides are plain TCP here.)

Computer C should be started first. Computer B is simply passing the connection to Computer C, which is the login server.

This allows for two way communication from A through B to C, and should stay active.

Firewall config may need to be modified, as well as antivirus software config as needed.

Socat has too many launch options to mention here.

This program shouldn't run as the superuser, in my most humble opinion. Caution should always be used, because this could open a security hole through the firewall that the management team should sign off on...
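The "forward depending on who connects" part of the question is where a plain socat relay stops. A TCP-level relay on B (socat included) never sees the SSH username: key exchange and authentication happen end to end between A and C, so the only identity available to B before the backend is chosen is the client's source address. The following is an added example, not code from the question or the answer above: an asyncio TCP forwarder for B that routes by source prefix, with most-specific prefix winning and an explicit refuse-by-default option. The addresses (192.0.2.0/24 and 198.51.100.7 as the clients, 10.11.12.13 as C, 10.11.12.14 as D) and port 9201 are assumptions for illustration.

```python
"""Source-address-routed TCP forwarder for SSH (added example, assumed addresses)."""
import asyncio
import ipaddress
import logging
from typing import List, Optional, Sequence, Tuple, Union

Backend = Tuple[str, int]
Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
Route = Tuple[Network, Backend]
log = logging.getLogger("ssh-fwd")


def compile_routes(pairs: Sequence[Tuple[str, Backend]]) -> List[Route]:
    """Turn ("cidr", (host, port)) pairs into parsed networks."""
    return [(ipaddress.ip_network(cidr, strict=False), be) for cidr, be in pairs]


# Constructed routing table (assumed addresses): "Person X" comes from
# 192.0.2.0/24 and lands on C, "Person Y" from 198.51.100.7 lands on D.
ROUTES = compile_routes([
    ("192.0.2.0/24", ("10.11.12.13", 22)),    # -> C
    ("198.51.100.7/32", ("10.11.12.14", 22)),  # -> D (assumed address)
])
DEFAULT_BACKEND: Optional[Backend] = ("10.11.12.13", 22)  # None = refuse unknown clients


def choose_backend(src_ip: str, routes: Sequence[Route] = ROUTES,
                   default: Optional[Backend] = DEFAULT_BACKEND) -> Optional[Backend]:
    """Most-specific matching prefix wins; unknown clients get `default` (None refuses)."""
    addr = ipaddress.ip_address(src_ip.split("%")[0])  # strip any IPv6 scope id
    best: Optional[Route] = None
    for net, backend in routes:
        if addr.version == net.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, backend)
    return best[1] if best else default


async def _pipe(reader: asyncio.StreamReader, writer: asyncio.StreamWriter) -> None:
    """Copy one direction until EOF, then close the far side so it sees EOF too."""
    try:
        while data := await reader.read(65536):
            writer.write(data)
            await writer.drain()
    except (ConnectionResetError, BrokenPipeError):
        pass
    finally:
        writer.close()


async def handle_client(client_reader, client_writer, routes=ROUTES, default=DEFAULT_BACKEND):
    peer = client_writer.get_extra_info("peername")
    backend = choose_backend(peer[0], routes, default)
    if backend is None:
        log.warning("refusing %s: no route", peer[0])
        client_writer.close()
        return
    try:
        backend_reader, backend_writer = await asyncio.wait_for(
            asyncio.open_connection(*backend), timeout=5)
    except (OSError, asyncio.TimeoutError) as exc:
        log.error("backend %s:%d unreachable for %s: %s", *backend, peer[0], exc)
        client_writer.close()
        return
    log.info("%s -> %s:%d", peer[0], *backend)
    await asyncio.gather(_pipe(client_reader, backend_writer),
                         _pipe(backend_reader, client_writer))


async def _echo(reader, writer):
    """Stand-in for sshd in the self-test: echo one line, then hang up."""
    writer.write(await reader.readline())
    await writer.drain()
    writer.close()


async def _roundtrip(payload: bytes) -> bytes:
    echo = await asyncio.start_server(_echo, "127.0.0.1", 0)
    echo_port = echo.sockets[0].getsockname()[1]
    routes = compile_routes([("127.0.0.0/8", ("127.0.0.1", echo_port))])
    proxy = await asyncio.start_server(
        lambda r, w: handle_client(r, w, routes, None), "127.0.0.1", 0)
    proxy_port = proxy.sockets[0].getsockname()[1]
    reader, writer = await asyncio.open_connection("127.0.0.1", proxy_port)
    writer.write(payload)
    await writer.drain()
    reply = await reader.readline()
    writer.close()
    for srv in (proxy, echo):
        srv.close()
        try:
            await asyncio.wait_for(srv.wait_closed(), timeout=2)
        except asyncio.TimeoutError:
            pass
    return reply


def demo_roundtrip(payload: bytes = b"SSH-2.0-OpenSSH_9.6\r\n") -> bytes:
    """Self-test: go through the forwarder to a local echo server, return what came back."""
    return asyncio.run(_roundtrip(payload))


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)

    async def main():
        # Unprivileged port, so the forwarder does not need to run as root.
        server = await asyncio.start_server(handle_client, "0.0.0.0", 9201)
        async with server:
            await server.serve_forever()

    asyncio.run(main())
```

Run it on B as an unprivileged user and point clients at B:9201; the backend sshd does not need to change. Because the relay does not terminate SSH, the client's known_hosts stores C's host key under B's address, so routing the same client to D later produces a host-key-changed warning; that warning is the client noticing the backend moved and is worth keeping rather than suppressing. Routing by SSH username rather than by address would require terminating SSH on B, which neither socat nor this relay does.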

