Jumping through SSH gateways to internal hosts
From BNL Physics Computing
There are several ways to set up your local account so that you can automatically jump through an SSH gateway and connect to an internal system. All of them require ssh-agent to be properly set up; see this topic. In the examples below:
- gateway is the SSH gateway,
- home is your computer outside of BNL, and
- internal is the computer inside BNL that you want to access.
Hop-skip
First check that the following do not require a password nor passphrase:
user@home> ssh gateway
user@gateway> ssh internal
If that fails you might find help in the topic on Troubleshooting problems with SSH. If both tests succeed, try the two in one go:
user@home> ssh -t gateway ssh internal
If you needed to add "-A" to pass the above tests, also include it here. The "-t" is necessary to force allocation of a pseudo-TTY for the inner interactive session. If you are going to run a command instead of an interactive session, it is not needed.
To simplify this you can create the following script on the "home" system:
user@home> cat ssh-internal.sh
#!/bin/sh
# Hop through the gateway; any arguments are passed on to the inner ssh.
ssh -t gateway ssh internal "$@"
If you needed "-A" above, also add it here.
Netcat
Instead of using two SSH invocations as described above, one can use SSH + Netcat. This method was contributed by Scott Coburn, who pointed to this page (http://www.hackinglinuxexposed.com/articles/20040830.html) as his inspiration. Note that this method also lets you mount your internal disks on your home machine through FUSE and sshfs.
This method benefits from being more transparent and efficient than the "hop-skip" method but does require more setup on the client side. The basic configuration requires a small script and some ~/.ssh/config lines. All that follows is excerpted from the above article by Brian Hatch. This script, netcat-proxy-command, is needed on the home computer:
#!/bin/sh
# Usage: netcat-proxy-command GATEWAY INTERNAL
# ssh runs nc on the gateway, which relays our stdin/stdout to port 22 of the internal host.
gateway=$1
internal=$2
exec ssh "$gateway" nc -w 1 "$internal" 22
Then add the following to your ~/.ssh/config file on home:
Host internal
    Hostname internal
    HostKeyAlias internal
    ProxyCommand /path/to/netcat-proxy-command gateway %h
Then just ssh or scp to "internal" as if the gateway wasn't involved.
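A hardened variant of the netcat-proxy-command script, added here as an example; it is not the page's, Scott Coburn's or Brian Hatch's code. It keeps the same mechanism (ssh to the gateway, nc from there to the internal host's SSH port) but validates the host names and port before splicing them into the command line that the gateway's login shell will interpret, rejects names that look like ssh options, and uses exec so that ssh's signals reach the proxy process directly. The optional third argument (%p) is an assumed extension; the page's config passes only the gateway and %h, and port 22 remains the default.

```sh
#!/bin/sh
# netcat-proxy-command (hardened variant, added example; not the page's script)
# Install on the home machine and reference it from ~/.ssh/config:
#   ProxyCommand /path/to/netcat-proxy-command gateway %h %p
# %h/%p are expanded by your own ssh client, but they end up in a command
# line that the gateway's login shell interprets, so accept only plain host
# names and a numeric port before running anything.

# valid_host NAME: DNS-style characters only; reject empty names and
# anything starting with '-' (ssh would take that as an option).
valid_host() {
    case "$1" in
        "" | -* | *[!A-Za-z0-9.-]* ) return 1 ;;
        * ) return 0 ;;
    esac
}

# valid_port NUM: decimal 1..65535 only.
valid_port() {
    case "$1" in
        "" | *[!0-9]* ) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# check_args GATEWAY INTERNAL [PORT]: validate all three, reporting on stderr.
check_args() {
    valid_host "$1" || { echo "netcat-proxy-command: bad gateway name: $1" >&2; return 1; }
    valid_host "$2" || { echo "netcat-proxy-command: bad internal host name: $2" >&2; return 1; }
    valid_port "${3:-22}" || { echo "netcat-proxy-command: bad port: $3" >&2; return 1; }
}

# build_proxy_cmd GATEWAY INTERNAL [PORT]: print the command that would be
# exec'ed, or fail. Kept separate from the exec so it can be checked offline.
build_proxy_cmd() {
    check_args "$@" || return 1
    # -w 1 is the page's one-second nc connect timeout. ssh's stdin/stdout
    # become the proxied connection; its stderr still reaches the user.
    printf 'ssh %s nc -w 1 %s %s\n' "$1" "$2" "${3:-22}"
}

# Only act as a ProxyCommand when invoked under the installed file name, so
# the functions above can also be sourced without starting a connection.
case "${0##*/}" in
    netcat-proxy-command)
        check_args "$@" || exit 1
        exec ssh "$1" nc -w 1 "$2" "${3:-22}"
        ;;
esac
```

Newer OpenSSH clients can do the same relay without nc on the gateway (ProxyCommand ssh -W %h:%p gateway, or the ProxyJump option); the validation above is only needed because the nc variant hands the target name to a remote shell.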
Tunnel
With a persistent ssh tunnel and some simple client side configuration you can reach popular internal systems through the gateway as if they were external themselves. You will need to repeat these steps for each internal system you want to reach and in particular choose a unique local port for each (2222 in this example).
- Configure the client: add this configuration stanza to your ~/.ssh/config file:
Host internal
    HostName localhost
    Port 2222
    HostKeyAlias internal
This tells your ssh client that when it is told to connect to host "internal", it should instead connect to "localhost" port 2222 and use "internal" when checking the known_hosts file.
- Start the tunnel: this connects local port 2222 to the "internal" system's normal SSH port (22) through the "gateway".
user@home> ssh -fN -l user -L 2222:internal:22 gateway
The options "-f" and "-N" background the ssh instance and tell it not to start a remote shell, respectively. Because "localhost" is used for the home side of the tunnel, the forwarded port should not be visible to other hosts on your home network, provided your system is properly set up. If you wish to give access to other hosts, use the hostname of your system instead.
- Use it: you should now be able to make multiple connections "directly" to the host internal without noticing the gateway.
user@home> ssh internal
...internal's banner...
user@internal> echo 'cool!'
cool!
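Two checks for the tunnel procedure above, added here as an example (not part of the BNL page). The first reads a ~/.ssh/config and reports the local ports already claimed by stanzas that point at localhost, so that the port chosen for a new tunnel really is unique as the procedure requires. The second takes the output of `ss -ltn` and confirms that the forwarded port is listening only on loopback addresses, which is what keeps the tunnel entrance invisible to other hosts on your home network. The config file and socket listing below are constructed samples, and the `ss` column layout (iproute2: State, Recv-Q, Send-Q, Local Address:Port, ...) is an assumption.

```sh
#!/bin/sh
# Pre- and post-flight checks for the "Tunnel" method (added example, not part
# of the BNL page). Assumes an OpenSSH-style ~/.ssh/config and the iproute2
# `ss -ltn` output layout (State Recv-Q Send-Q Local Address:Port ...).

# tunnel_ports CONFIG_FILE: print the Port of every stanza whose HostName is
# localhost, i.e. the local ports already claimed by tunnels of this kind.
tunnel_ports() {
    awk '
        tolower($1) == "host" { is_local = 0; port = "" }
        tolower($1) == "hostname" && tolower($2) == "localhost" { is_local = 1 }
        tolower($1) == "port" { port = $2 }
        # HostName and Port may appear in either order; emit once both are seen
        is_local && port != "" { print port; is_local = 0; port = "" }
    ' "$1"
}

# port_is_free CONFIG_FILE PORT: succeed if PORT is not used by any tunnel stanza.
port_is_free() {
    for p in $(tunnel_ports "$1"); do
        [ "$p" = "$2" ] && return 1
    done
    return 0
}

# loopback_only SS_OUTPUT PORT: given the text of `ss -ltn`, succeed only if
# PORT has at least one listener and every listener on it is bound to
# 127.0.0.1 or [::1]. A 0.0.0.0 or [::] binding means the tunnel entrance is
# reachable from other hosts on the network.
loopback_only() {
    printf '%s\n' "$1" | awk -v port="$2" '
        NR == 1 { next }                      # column header
        {
            addr = $4                         # Local Address:Port
            n = split(addr, parts, ":")
            if (parts[n] != port) next
            seen = 1
            if (addr != "127.0.0.1:" port && addr != "[::1]:" port) bad = 1
        }
        END { if (seen && !bad) exit 0; exit 1 }
    '
}

# --- constructed sample data -------------------------------------------------
SAMPLE_CONFIG=$(mktemp)
trap 'rm -f "$SAMPLE_CONFIG"' EXIT
cat > "$SAMPLE_CONFIG" <<'EOF'
Host internal
    HostName localhost
    Port 2222
    HostKeyAlias internal

Host other-internal
    Port 2223
    HostName localhost
    HostKeyAlias other-internal

Host gateway
    HostName gateway.example.org
    Port 22
EOF

# Constructed `ss -ltn` snapshot: 2222 is loopback-only, 2223 is exposed.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    127.0.0.1:2222      0.0.0.0:*
LISTEN 0      128    [::1]:2222          [::]:*
LISTEN 0      128    0.0.0.0:2223        0.0.0.0:*
LISTEN 0      4096   0.0.0.0:22          0.0.0.0:*'

echo "ports already used by tunnels: $(tunnel_ports "$SAMPLE_CONFIG" | tr '\n' ' ')"
port_is_free "$SAMPLE_CONFIG" 2222 || echo "2222 is taken; pick another local port"
loopback_only "$SAMPLE_SS" 2222 && echo "2222 listens on loopback only"
loopback_only "$SAMPLE_SS" 2223 || echo "2223 is reachable from the network"
```

In real use, run `port_is_free ~/.ssh/config 2222` before adding a stanza, and `loopback_only "$(ss -ltn)" 2222` after starting the tunnel; a failure from the latter means either that ssh -fN did not come up or that the bind address is not loopback.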
