ssh tunneling braindump


I have needed at various times to set up a server to tunnel an Internet-facing machine to an internal machine using ssh. The actual command has always challenged me, and each time I look it up, I don't find what I really need.

So this time, for the purposes of documenting what I did, here’s the command I used:

ssh -L 10.1.10.10:10000:10.9.9.1:22 -l sshuser -N 10.9.9.1

The -L requests a local forward: 10.1.10.10 is the eth0 address of the Internet-facing machine and 10000 is the port ssh will listen on there. Each connection arriving on 10.1.10.10:10000 is carried over the ssh session to 10.9.9.1 on the inside and delivered to its standard port 22. The -N tells ssh not to run a remote command; the session exists only to carry the forward. The -l sshuser names the account on 10.9.9.1 that this tunnel session logs in as. That login prompts for a password unless an RSA key pair has been set up between the 10.1.10.10 machine and 10.9.9.1 for sshuser, in which case no password is needed. Note that because the listener is bound to the eth0 address rather than 127.0.0.1, anyone who can reach 10.1.10.10:10000 is talking directly to the internal sshd, so its authentication (plus whatever firewall rule sits in front of port 10000) is the only thing between the Internet and 10.9.9.1.

To generate the RSA keys, run ssh-keygen as user sshuser on 10.1.10.10. An unattended tunnel that is started from a script or at boot cannot type a passphrase, so a key used this way usually has none; that means anyone who can read the private key can log in as sshuser on 10.9.9.1, so keep the key file at 0600 and consider restricting in authorized_keys what the key is allowed to do (no pty, no other forwards). The resulting public key is id_rsa.pub, found in sshuser's .ssh directory on 10.1.10.10; copy its contents to 10.9.9.1 into sshuser's .ssh/authorized_keys, creating that file if it does not exist or appending a line to it if it does. Ensure that authorized_keys has 0600 permissions, that the .ssh directory is 0700, and that neither it nor sshuser's home directory is group- or world-writable: with the default StrictModes, sshd refuses to use the key file otherwise and the login falls back to a password prompt.
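To make the procedure above reproducible, here is an added example (my own script, not commands from the original post) in POSIX shell. It assumes the same addresses and account as the post (10.1.10.10, 10.9.9.1, sshuser); the key file name tunnel_key and the choice of an ed25519 key for the tunnel are assumptions made for illustration. It builds the tunnel command with the options an unattended tunnel wants, turns the public key into an authorized_keys line that can only be used for this one forward, and checks the permission rules that sshd's StrictModes enforces on the 10.9.9.1 side.

```shell
#!/bin/sh
# Added example, not the original post's code. Addresses and account are the
# post's; the key file name "tunnel_key" and the ed25519 key type are
# assumptions made for illustration.

GATEWAY_ADDR=10.1.10.10    # eth0 on the Internet-facing machine; the -L listener binds here
LISTEN_PORT=10000
INTERNAL_HOST=10.9.9.1     # the machine on the inside, also the ssh server we log in to
INTERNAL_PORT=22
TUNNEL_USER=sshuser

# Print the tunnel command from the post, plus options that matter once the
# tunnel runs unattended from a script or at boot:
#   -N                        no remote command; the session only carries the forward
#   ExitOnForwardFailure=yes  exit (so a supervisor can restart us) instead of
#                             silently running without the listener on port 10000
#   ServerAliveInterval=30    notice a dead connection instead of hanging forever
#   BatchMode=yes             never prompt; fail outright if key auth does not work
#   -i <key>                  a key dedicated to this tunnel, not sshuser's everyday key
tunnel_cmd() {
    key_file=$1
    printf 'ssh -N -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o BatchMode=yes -i %s -L %s:%s:%s:%s -l %s %s\n' \
        "$key_file" "$GATEWAY_ADDR" "$LISTEN_PORT" "$INTERNAL_HOST" "$INTERNAL_PORT" \
        "$TUNNEL_USER" "$INTERNAL_HOST"
}

# Turn one public key line (the contents of tunnel_key.pub) into an
# authorized_keys entry for 10.9.9.1 that can do nothing except this forward:
#   restrict          disables pty, agent/X11 forwarding, port forwarding and ~/.ssh/rc
#   port-forwarding   re-enables forwarding only
#   permitopen=...    and only to the internal sshd, so a stolen key cannot pivot elsewhere
# Returns 1 if the line does not look like an OpenSSH public key.
restricted_key_line() {
    pubkey_line=$1
    case $pubkey_line in
        "ssh-ed25519 "*|"ssh-rsa "*|ecdsa-sha2-*) ;;
        *) echo "not an OpenSSH public key line" >&2; return 1 ;;
    esac
    printf 'restrict,port-forwarding,permitopen="%s:%s" %s\n' \
        "$INTERNAL_HOST" "$INTERNAL_PORT" "$pubkey_line"
}

# sshd's StrictModes (the default) refuses authorized_keys if the file, ~/.ssh
# or the home directory is writable by group or others; the post's 0600 on the
# file (and 0700 on ~/.ssh) satisfies that. These check all three under a home dir.
writable_by_others() {
    # 020 = group write bit, 002 = other write bit; true when either is set
    [ -n "$(find "$1" -maxdepth 0 \( -perm -020 -o -perm -002 \) -print 2>/dev/null)" ]
}

check_ssh_perms() {
    home=$1
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "missing: $p" >&2
            return 1
        fi
        if writable_by_others "$p"; then
            echo "group/world-writable, sshd will ignore the key file: $p" >&2
            return 1
        fi
    done
    return 0
}

# Typical use on 10.1.10.10, run as sshuser (shown as comments so this file
# does nothing on its own):
#   ssh-keygen -t ed25519 -f ~/.ssh/tunnel_key -N ''    # empty passphrase: unattended tunnel
#   restricted_key_line "$(cat ~/.ssh/tunnel_key.pub)"  # paste the output into
#                                                       # ~sshuser/.ssh/authorized_keys on 10.9.9.1
#   eval "$(tunnel_cmd ~/.ssh/tunnel_key)"               # start the tunnel
# and on 10.9.9.1, as sshuser:
#   check_ssh_perms "$HOME"                              # 0 if sshd will accept the key file
```

The restrict/port-forwarding/permitopen combination means that even if the private key leaks off 10.1.10.10, it can open no shell on 10.9.9.1 and forward to nothing but 10.9.9.1:22; the people using the tunnel still authenticate to the internal sshd on their own, exactly as the post intends.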

That should do it. There, documented for all.

3 thoughts on “ssh tunneling braindump”

  1. passphrase.
    If you control the machine where the private key is located (you are the only root user), then you can probably do without a passphrase. However, if you're not root, or have any reason to suspect that the machine can be compromised, please use a passphrase; you can use ssh-add with an ssh-agent (all distros start one by default) and only have to type it once. You can even use the same password as the user and use some PAM magic to save even this one time.

  2. Thanks for the suggestion and point noted. This setup is meant for incoming SSH requests, and each of those requests has to log in on its own accord. The tunneling is to keep the channel up.

  3. alternative settings
    You can try using it without the proxy. Most sites work, but everything under nfshost.com is inaccessible and there may be other affected sites as well. Seems to be a common problem with the local ISPs.
    You can also try shvpncust. No proxy needed. Seems to work with all sites.
    I didn't test this with a prepaid card, so YMMV.
