Chaining SSH tunnels? - SSH



Thread: Chaining SSH tunnels?

  1. Chaining SSH tunnels?

    Let's say I am on a machine called 'local', which is able to connect
    to 'middle1'. On 'middle1', I can connect to 'middle2' and from
    'middle2' I can read my destination machine, 'dest'. I would like to
    establish a secure connection between 'local' and 'dest' such that
    there is no unencrypted traffic anywhere in between. Is this possible
    by chaining tunnels?

    This is what I tried to use:
    local$ ssh -L 2222:middle2:22 middle1
    local$ ssh -L 4444:dest:22 localhost -p 2222
    local$ ssh localhost -p 4444

    This first sets up a secure connection between local:2222 and
    middle1, with a port forwarding to middle2's ssh port. Next, the
    ssh connection attempt to localhost:2222 is forwarded to middle2:22
    so that I can log into there. A new tunnel is now created that
    connects localhost:4444 to dest:22.

    Finally, I connect to localhost:4444 and am connected to dest at port 22.
    As far as dest can tell, I am connecting from middle2 because
    that is where the tunnel comes from.

    It does seem rather overkill, since there are now three levels
    of encryption between local and middle1. Is there a better way?

    Arnoud

    --
    Arnoud Engelfriet, Dutch & European patent attorney - Speaking only for myself
    Patents, copyright and IPR explained for techies: http://www.iusmentis.com/

  2. Re: Chaining SSH tunnels?

    On 2005-10-30, Arnoud "Galactus" Engelfriet wrote:
    > Let's say I am on a machine called 'local', which is able to connect
    > to 'middle1'. On 'middle1', I can connect to 'middle2' and from
    > 'middle2' I can read my destination machine, 'dest'. I would like to
    > establish a secure connection between 'local' and 'dest' such that
    > there is no unencrypted traffic anywhere in between. Is this possible
    > by chaining tunnels?
    >
    > This is what I tried to use:
    > local$ ssh -L 2222:middle2:22 middle1
    > local$ ssh -L 4444:dest:22 localhost -p 2222
    > local$ ssh localhost -p 4444

    [...]
    > It does seem rather overkill, since there are now three levels
    > of encryption between local and middle1. Is there a better way?


    I prefer "stacking" connections rather than chaining them. If you have
    netcat or similar on the middle machines, then in the client's
    ~/.ssh/config you put something like this:

    Host middle2
    ProxyCommand ssh middle1 nc %h %p

    Host dest
    ProxyCommand ssh middle2 nc %h %p

    This still multiple-encrypts, but the connection is secured end to end
    and you don't have to manage listening port numbers. The pros and cons
    of both approaches have been discussed here several times before; check
    the group archives.

    --
    Darren Tucker (dtucker at zip.com.au)
    GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
    usually comes from bad judgement.
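
The two posts describe the same hop sequence in two notations: a chain of `-L` forwards on numbered localhost ports, and stacked `ProxyCommand` entries in `~/.ssh/config`. The following is an added example, not code from either poster: a small Python parser that reads a constructed `ssh_config` fragment with stacked `ProxyCommand ssh <hop> nc %h %p` lines (the form from the reply above), resolves the full hop chain for a destination, and refuses a configuration whose proxies loop back on themselves. It assumes exact `Host` names (no wildcard patterns) and the flag-less `ssh <hop> nc %h %p` form; both are simplifications of what OpenSSH accepts.

```python
"""Resolve the hop chain implied by stacked ProxyCommand entries in ssh_config.

Added example for the thread above; not part of any poster's code.
Simplifications: Host entries are matched by exact name (no wildcards),
and ProxyCommand is expected in the flag-less 'ssh <hop> nc %h %p' form.
"""
import re

# Constructed sample config mirroring the stacked ProxyCommand answer,
# plus a deliberately circular pair to exercise the cycle check.
SAMPLE_CONFIG = """\
# local -> middle1 -> middle2 -> dest
Host middle2
    ProxyCommand ssh middle1 nc %h %p

Host dest
    ProxyCommand ssh middle2 nc %h %p

Host loop-a
    ProxyCommand ssh loop-b nc %h %p

Host loop-b
    ProxyCommand ssh loop-a nc %h %p
"""

# 'ssh', optional user@, then the hop name, then at least one more token (nc ...).
PROXY_SSH = re.compile(r"^ssh\s+(?:\S+@)?([^\s@]+)\s+\S")


def parse_ssh_config(text):
    """Return {host_name: {keyword_lower: value}} for each Host block.

    Like ssh itself, the first value seen for a keyword within a block wins.
    Comments (# ...) and blank lines are ignored.
    """
    hosts = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "host":
            current = {}
            for name in value.split():          # 'Host a b' shares one block
                hosts.setdefault(name, current)
        elif current is not None:
            current.setdefault(key, value)
    return hosts


def next_hop(hosts, host):
    """Return the intermediate host named in host's ProxyCommand, or None."""
    entry = hosts.get(host)
    if not entry or "proxycommand" not in entry:
        return None
    match = PROXY_SSH.match(entry["proxycommand"])
    return match.group(1) if match else None


def hop_chain(hosts, target):
    """Hops from the client outward, e.g. ['middle1', 'middle2', 'dest'].

    Each element is one nested ssh session, so len(result) is the number of
    encryption layers the reply refers to as 'still multiple-encrypts'.
    Raises ValueError if the ProxyCommand entries form a cycle.
    """
    chain = [target]
    seen = {target}
    hop = next_hop(hosts, target)
    while hop is not None:
        if hop in seen:
            raise ValueError(f"ProxyCommand cycle involving {hop!r}")
        chain.append(hop)
        seen.add(hop)
        hop = next_hop(hosts, hop)
    chain.reverse()
    return chain


if __name__ == "__main__":
    cfg = parse_ssh_config(SAMPLE_CONFIG)
    print("dest reached via:", " -> ".join(hop_chain(cfg, "dest")))
    try:
        hop_chain(cfg, "loop-a")
    except ValueError as err:
        print("rejected:", err)
```

Running it on the sample prints `middle1 -> middle2 -> dest`, i.e. three nested sessions, the same count the original post noted for the `-L` version. Resolving the chain from the config this way is a useful sanity check before relying on the stacked setup, since a typo in one `ProxyCommand` silently changes which machine the connection is relayed through.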
