Initiate SSH session from other side? - SSH



Thread: Initiate SSH session from other side?

  1. Initiate SSH session from other side?


    Is it possible to somehow trigger an SSH session from inside a network,
    so that I can use an SSH session from outside the network into the
    network? For example by having a program (crontab) or something
    initiating the SSH session from inside the network to a specific
    IP-address and port number? The problem is that it is not possible to
    directly ssh into the network from outside the network.

    BR!


  2. Re: Initiate SSH session from other side?

    "dspfun" writes:
    > Is it possible to somehow trigger an SSH session from inside a network,
    > so that I can use an SSH session from outside the network into the
    > network? For example by having a program (crontab) or something
    > initiating the SSH session from inside the network to a specific
    > IP-address and port number? The problem is that it is not possible to
    > directly ssh into the network from outside the network.


    I believe you could set up an ssh session from inside to outside
    machine. As part of that session, try including port forwarding, of
    say port 6666 of the outside box to the inside box port 22. See the
    man page for ssh and look at the -R option.

    insidebox$ ssh -R6666:127.0.0.1:22 outsideusername@outsidebox.ip.addy

    This will forward all traffic hitting outsidebox port 6666 to port 22
    of the insidebox.

    Then, if you have an ssh server set up on the inside box,

    outsidebox$ ssh -p 6666 insideboxusername@127.0.0.1

    I think would get you where you want to go.

    Best Regards,
    --
    Todd H.
    http://www.toddh.net/

  3. Re: Initiate SSH session from other side?

    > "dspfun" writes:
    > > Is it possible to somehow trigger an SSH session from inside a network,
    > > so that I can use an SSH session from outside the network into the
    > > network? For example by having a program (crontab) or something
    > > initiating the SSH session from inside the network to a specific
    > > IP-address and port number? The problem is that it is not possible to
    > > directly ssh into the network from outside the network.

    >
    > I believe you could set up an ssh session from inside to outside
    > machine. As part of that session, try including port forwarding, of
    > say port 6666 of the outside box to the inside box port 22. See the
    > man page for ssh and look at the -R option.
    >
    > insidebox$ ssh -R6666:127.0.0.1:22 outsideusername@outsidebox.ip.addy
    >
    > This will forward all traffic hitting outsidebox port 6666 to port 22
    > of the insidebox.
    >
    > Then, if you have an ssh server set up on the inside box,
    >
    > outsidebox$ ssh -p 6666 insideboxusername@127.0.0.1
    >
    > I think would get you where you want to go.


    Yup, all correct. The only remaining problem is what to do when the ssh
    connection goes down, as they often do. You want the client to reestablish
    the connection automatically. The tool for that is autossh:
    http://www.harding.motd.ca/autossh/ . autossh starts an ssh session, then
    periodically sends data through a loop of port forwardings over the ssh
    tunnel. If the data doesn't come back, it concludes that the session is
    dead, kills it, and starts a new one.

    I have autossh installed as a service under Cygwin. It starts at boot, and
    sets up port forwardings, both from inside to out (-L) and from outside to
    in (-R). Now that it's set up I don't have to think about it at all; the
    port forwardings are just there, all the time. I'm using one right now to
    read and reply to your message.

    Of course a setup of that kind requires an unattended login on the server.
    Unattended logins bring risks, but the risks can be minimized. The snail
    book chapter 11 talks about it.

    Good luck,
    Andrew.

    --
    To reply by email, change "deadspam.com" to "alumni.utexas.net"
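Putting Todd's `-R` command and Andrew's autossh advice together, here is an added example (mine, not code from either poster or from the autossh project). It generates the two halves of the setup: the `authorized_keys` entry on the outside box that confines the unattended login to tunnelling only (the `restrict` and `permitlisten` options exist in OpenSSH 7.2+ and 7.8+ respectively), the autossh command the inside box runs, and a small audit that lists keys in an `authorized_keys` file that are not confined that way. The hostname, usernames, key path and key material are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Hostnames, users, key path and the
# public key below are placeholders / constructed sample values.

OUTSIDE_HOST="outsidebox.example"               # stands in for outsidebox.ip.addy
OUTSIDE_USER="outsideusername"
REMOTE_PORT=6666                                # listener sshd opens on the outside box
INSIDE_SSH_PORT=22                              # sshd on the inside box
KEY_FILE="${HOME:-/root}/.ssh/tunnel_ed25519"   # dedicated, passphrase-less key used only for the tunnel

# One line for ~outsideusername/.ssh/authorized_keys on the OUTSIDE box.
# "restrict" turns off pty, agent and X11 forwarding and user-rc;
# "port-forwarding" re-enables only forwarding; "permitlisten" limits what
# -R may bind to the one port we need; the forced command means this key can
# never be used to get a shell, only to hold the tunnel open.
authorized_keys_line() {
    pubkey="$1"   # contents of tunnel_ed25519.pub, e.g. "ssh-ed25519 AAAA... tunnel"
    printf 'restrict,port-forwarding,permitlisten="%s",command="/bin/false" %s\n' \
        "$REMOTE_PORT" "$pubkey"
}

# The command the INSIDE box keeps running (from a service, not from cron).
# -M 0 makes autossh rely on ssh's own keepalives (ServerAliveInterval/CountMax)
# instead of its echo-port loop; -N requests no remote command, which matters
# with the forced command above; ExitOnForwardFailure makes ssh exit (and
# autossh retry) if port 6666 is already taken on the outside box instead of
# sitting there connected but without the tunnel. GatewayPorts defaults to
# "no" on the outside sshd, so 6666 is bound to that box's loopback only.
tunnel_command() {
    printf 'autossh -M 0 -N -i %s' "$KEY_FILE"
    printf ' -o ServerAliveInterval=30 -o ServerAliveCountMax=3'
    printf ' -o ExitOnForwardFailure=yes'
    printf ' -R %s:127.0.0.1:%s %s@%s\n' \
        "$REMOTE_PORT" "$INSIDE_SSH_PORT" "$OUTSIDE_USER" "$OUTSIDE_HOST"
}

# Audit helper: read an authorized_keys file on stdin and print every key
# whose option list does not contain "restrict" (comments and blanks skipped).
# Options are the first whitespace-separated field, so this looks at the
# option list before any spaces inside a quoted command= value.
unconfined_keys() {
    awk '/^[[:space:]]*(#|$)/ { next }
         $1 !~ /(^|,)restrict(,|$)/ { print }'
}

# Constructed sample authorized_keys content for the audit.
SAMPLE_KEYS='# constructed sample, not a real key file
restrict,port-forwarding,permitlisten="6666",command="/bin/false" ssh-ed25519 AAAATUNNEL tunnel
ssh-ed25519 AAAAADMIN admin@laptop
'

echo "authorized_keys line for the outside box:"
authorized_keys_line "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER tunnel"
echo "command for the inside box:"
tunnel_command
echo "keys without restrict in the sample file:"
printf '%s\n' "$SAMPLE_KEYS" | unconfined_keys
```

The second admin key in the sample is exactly the kind of line the audit is meant to surface: a key without `restrict` on the outside box gives whoever holds it a full login, not just a tunnel.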

  4. Re: Initiate SSH session from other side?

    dspfun wrote:
    > Is it possible to somehow trigger an SSH session from inside a network,
    > so that I can use an SSH session from outside the network into the
    > network? For example by having a program (crontab) or something
    > initiating the SSH session from inside the network to a specific
    > IP-address and port number? The problem is that it is not possible to
    > directly ssh into the network from outside the network.
    >
    > BR!
    >


    I did that from my winXP client at work to my linux openssh server at
    home. If I want to use VNC to work on my work desktop, I send a mail
    containing some keywords. Then I created a rule in Outlook that runs if
    the mail contains these keywords. This rule starts a script that opens an
    ssh connection to my home system automatically thanks to key
    authentication and ssh agent.
    This is not very secure because the keywords are sent in plain text,
    however someone stealing these keywords could only start an ssh tunnel
    between my work computer and my home computer.

    Thierry B.

  5. Re: Initiate SSH session from other side?


    Thank you for your answers!

    Wouldn't it be enough to have autossh running on the inside (work)
    computer? Then I can ssh from my outside (home) computer to the inside
    computer at anytime with the command suggested by Todd:

    insidebox$ ssh -R6666:127.0.0.1:22 outsideusername@outsidebox.ip.addy


    What commands are you using with autossh to set up port forwardings
    and whatever else is needed?

    BR!


  6. Re: Initiate SSH session from other side?

    "dspfun" writes:

    > Thank you for your answers!
    >
    > Wouldn't it be enough to have autossh running on the inside (work)
    > computer? Then I can ssh from my outside (home) computer to the inside
    > computer at anytime with the command suggested by Todd:
    >
    > insidebox$ ssh -R6666:127.0.0.1:22
    > outsideusername@outsidebox.ip.addy


    No.

    I'm not familiar with autossh, but I think autossh would have to
    replace that command above -- or implement/maintain it.

    Once that tunnel (set up by the command above, and optionally
    maintained by autossh) is set up, then to connect to the work computer
    from home, the command line is
    homebox$ ssh -p 6666 workusername@127.0.0.1


    The tunnel maintained by autossh, originating from the work computer
    is the one that makes a reverse listener open port 6666 of your home
    computer that magically connects back to port 22 of your work
    computer.

    Reread the papers you signed with your employer before you do this
    though. I know where I work, to poke a little hole in their firewall
    like that without their consent would potentially be grounds for
    termination, because it gives your potentially virus and malware
    infested home computer a clear shot to an ssh server on their
    protected network.


    --
    Todd H.
    http://www.toddh.net/

  7. Re: Initiate SSH session from other side?


    Ok, thank you! This means that it is enough to have autossh running on
    the inside (work) computer since one can manually enter the command :
    homebox$ ssh -p 6666 workusername@127.0.0.1
    from home?

    The use of having autossh running on the home computer would be to save
    the work of entering the command
    homebox$ ssh -p 6666 workusername@127.0.0.1
    manually?


  8. Re: Initiate SSH session from other side?

    > Ok, thank you! This means that it is enough to have autossh running on
    > the inside (work) computer since one can manually enter the command :
    > homebox$ ssh -p 6666 workusername@127.0.0.1
    > from home?
    >
    > The use of having autossh running on the home computer would be to save
    > the work of entering the command
    > homebox$ ssh -p 6666 workusername@127.0.0.1
    > manually?


    Right.

    --
    To reply by email, change "deadspam.com" to "alumni.utexas.net"

  9. Re: Initiate SSH session from other side?

    > Reread the papers you signed with your employer before you do this
    > though. I know where I work, to poke a little hole in their firewall
    > like that without their consent would potentially be grounds for
    > termination, because it gives your potentially virus and malware
    > infested home computer a clear shot to an ssh server on their
    > protected network.


    Yeah, I would echo this. If someone breaks into your home host and finds
    their way from there through your tunnel inside your company's perimeter,
    you can kiss your job goodbye.

    --
    To reply by email, change "deadspam.com" to "alumni.utexas.net"

  10. Re: Initiate SSH session from other side?

    comphelp@toddh.net (Todd H.) writes:

    > The tunnel maintained by autossh, originating from the work computer
    > is the one that makes a reverse listener open port 6666 of your home
    > computer that magically connects back to port 22 of your work
    > computer.
    >
    > Reread the papers you signed with your employer before you do this
    > though. I know where I work, to poke a little hole in their firewall
    > like that without their consent would potentially be grounds for
    > termination, because it gives your potentially virus and malware
    > infested home computer a clear shot to an ssh server on their
    > protected network.


    Hi Todd et al.,

    Being really green on linux and especially so on ssh, I'm trying to
    learn something here and failing miserably.

    1. If the work and home computers are separated by a company firewall,
    then who/what in the firewall computer is going to forward packets
    across port 6666?

    2. Assuming 127.0.0.1 is a placeholder for the address of the inside
    computer on the internal network, how does

    outsidebox$ ssh -p 6666 insideboxusername@127.0.0.1

    provide an address to the firewall on the external network?

    Alternately, if 127.0.0.1 is a placeholder for the external address of
    the firewall, then how does insideboxusername@127.0.0.1 address the
    internal work computer?
    --
    % Randy Yates % "Maybe one day I'll feel her cold embrace,
    %% Fuquay-Varina, NC % and kiss her interface,
    %%% 919-577-9882 % til then, I'll leave her alone."
    %%%% % 'Yours Truly, 2095', *Time*, ELO
    http://home.earthlink.net/~yatescr

  11. Re: Initiate SSH session from other side?

    comphelp@toddh.net (Todd H.) writes:

    > Reread the papers you signed with your employer before you do this
    > though. I know where I work, to poke a little hole in their firewall
    > like that without their consent would potentially be grounds for
    > termination, because it gives your potentially virus and malware
    > infested home computer a clear shot to an ssh server on their
    > protected network.


    I forgot to add this question: What's the difference between
    doing something like this and VPN'ing in? In both cases the
    internal network is going to be exposed to home computers'
    viri etc., right?
    --
    % Randy Yates % "Though you ride on the wheels of tomorrow,
    %% Fuquay-Varina, NC % you still wander the fields of your
    %%% 919-577-9882 % sorrow."
    %%%% % '21st Century Man', *Time*, ELO
    http://home.earthlink.net/~yatescr

  12. Re: Initiate SSH session from other side?

    > > Reread the papers you signed with your employer before you do this
    > > though. I know where I work, to poke a little hole in their firewall
    > > like that without their consent would potentially be grounds for
    > > termination, because it gives your potentially virus and malware
    > > infested home computer a clear shot to an ssh server on their
    > > protected network.

    >
    > I forgot to add this question: What's the difference between
    > doing something like this and VPN'ing in? In both cases the
    > internal network is going to be exposed to home computers'
    > viri etc., right?


    Right, but a VPN is typically run by the company, so if something goes
    wrong you have someone to share the blame with. Not to mention, that ssh
    tunnelling through the firewall is almost certainly against the company's
    IT policies.

    --
    To reply by email, change "deadspam.com" to "alumni.utexas.net"

  13. Re: Initiate SSH session from other side?

    > 1. If the work and home computers are separated by a company firewall,
    > then who/what in the firewall computer is going to forward packets
    > across port 6666?


    You do have to be able to establish an ssh connection from inside to
    outside. There's no getting around that. What it allows you to get around
    is having to establish a connection from outside to inside.

    > 2. Assuming 127.0.0.1 is a placeholder for the address of the inside
    > computer on the internal network, how does
    >
    > outsidebox$ ssh -p 6666 insideboxusername@127.0.0.1
    >
    > provide an address to the firewall on the external network?


    Not to the firewall: to the inside box. That's because insidebox has set
    up a port forwarding from outsidebox:6666 to insidebox:22. So on
    outsidebox, connections to 127.0.0.1:6666 are forwarded transparently to
    insidebox:22.

    --
    To reply by email, change "deadspam.com" to "alumni.utexas.net"

  14. Re: Initiate SSH session from other side?

    "dspfun" writes:

    > Ok, thank you! This means that it is enough to have autossh running on
    > the inside (work) computer since one can manually enter the command :
    > homebox$ ssh -p 6666 workusername@127.0.0.1
    > from home?


    Yeah.

    > The use of having autossh running on the home computer would be to save
    > the work of entering the command
    > homebox$ ssh -p 6666 workusername@127.0.0.1
    > manually?


    No. The use of autossh on the work computer would handle the "what
    if" of if the ssh session got dropped due to an intermittent
    connection over the remote link, then the ssh session would get
    reestablished from the work computer to home computer (and its
    corresponding reverse home->work port forwarding). This would
    eliminate the need to run ssh in a crontab on the work computer.


    --
    Todd H.
    http://www.toddh.net/

  15. Re: Initiate SSH session from other side?

    Randy Yates writes:

    > comphelp@toddh.net (Todd H.) writes:
    >
    > > The tunnel maintained by autossh, originating from the work computer
    > > is the one that makes a reverse listener open port 6666 of your home
    > > computer that magically connects back to port 22 of your work
    > > computer.
    > >
    > > Reread the papers you signed with your employer before you do this
    > > though. I know where I work, to poke a little hole in their firewall
    > > like that without their consent would potentially be grounds for
    > > termination, because it gives your potentially virus and malware
    > > infested home computer a clear shot to an ssh server on their
    > > protected network.

    >
    > Hi Todd et al.,
    >
    > Being really green on linux and especially so on ssh, I'm trying to
    > learn something here and failing miserably.
    >
    > 1. If the work and home computers are separated by a company firewall,
    > then who/what in the firewall computer is going to forward packets
    > across port 6666?


    Hi Randy,

    this stuff will bend your brain the first time you see it and it took
    years and seeing TCP/IP explained to me in several different ways for
    me to really "get" what was going on here.

    From the firewall perspective, all it sees is a tcp session that was
    started from an inside box to an outside box on port 22 with protocol
    ssh.

    The magic of homecomputer:6666 getting forwarded to workcomputer:22
    all happens inside that above mentioned tcp session by virtue of ssh's
    reverse port forwarding functionality. Reverse in that the ssh client
    on the work computer initiated a session to the homecomputer's server,
    and set up a port forward in the opposite direction (from the ssh
    server (homecomputer) port 6666 back to a port on the ssh client
    computer).

    The sshd process running on homecomputer opens a listener on port 6666
    and takes any packets it gets on it and copies them to
    port 22 on the workcomputer end of things. Note that because 22 is a
    privileged port, the ssh session from workcomputer to home will have
    to be initiated as the root user.

    > 2. Assuming 127.0.0.1 is a placeholder for the address of the inside
    > computer on the internal network, how does


    It's not. It's the address of localhost. The trick though is
    figuring out "which localhost we talkin about?"

    > outsidebox$ ssh -p 6666 insideboxusername@127.0.0.1
    > provide an address to the firewall on the external network?


    This command run on the home computer is initiating a 2nd ssh session,
    from home computer back to the work computer (so you can type commands
    on the work computer), and it's getting to the work computer via the
    magic tunnel we set up that is listening on port 6666 of the home
    computer/outsidebox. Remember it magically connects
    outsidebox:6666 -> insidebox:22 where another sshd is listening for connections.

    So we're essentially sshing to ourselves on the home computer, but by
    virtue of the reverse tunnel established in the previous step, that
    homecomputer:6666 port is forwarded to workcomputer:22.

    Read the man page on -R about 100 times and draw pictures, and
    eventually the light will go on. It's confusing.

    > Alternately, if 127.0.0.1 is a placeholder for the external address of
    > the firewall, then how does insideboxusername@127.0.0.1 address the
    > internal work computer?


    No. 127.0.0.1 is defined as the IP address of localhost/the machine
    yer on. This is a key concept to getting what's goin on here.




    --
    Todd H.
    http://www.toddh.net/
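The "which localhost" question has a concrete check on the home/outside box once the tunnel is up: list the listening sockets and confirm that port 6666 is bound to 127.0.0.1 (or ::1) and nothing else. If it shows up on 0.0.0.0 instead, the sshd has GatewayPorts enabled (or the client asked for a wildcard bind address) and anyone who can reach the home box can reach the work box's sshd through it. This is an added example (mine, not Todd's); it parses the output of `ss -ltn`, and the two listings below are constructed samples rather than real captures.

```shell
#!/bin/sh
# Added example, not from the thread. Parses "ss -ltn" output to answer
# "which addresses is the reverse-tunnel port bound to on this box?"

# Print the local address of every LISTEN socket on port $1.
# Input: "ss -ltn" output on stdin; the 4th column is "Local Address:Port".
listener_binds() {
    awk -v port="$1" '$1 == "LISTEN" {
        n = split($4, parts, ":")            # last element is the port
        if (parts[n] != port) next
        # everything before the final ":" is the address, e.g. 127.0.0.1 or [::1]
        print substr($4, 1, length($4) - length(parts[n]) - 1)
    }'
}

# Exit 0 when port $1 has at least one listener and every listener is on a
# loopback address; exit 1 if any listener is on a non-loopback address
# (0.0.0.0, *, a real interface address); exit 2 if nothing listens at all
# (the tunnel is not up).
loopback_only() {
    listener_binds "$1" | awk '
        { n++ }
        !($1 ~ /^127\./ || $1 == "[::1]") { exposed = 1 }
        END { if (n == 0) exit 2; if (exposed) exit 1; exit 0 }'
}

# Constructed sample: what a healthy "ss -ltn" on the outside box looks like
# with the -R 6666:127.0.0.1:22 tunnel up and GatewayPorts left at "no".
GOOD_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      128    127.0.0.1:6666      0.0.0.0:*
LISTEN 0      128    [::1]:6666          [::]:*'

# Constructed sample: the same box with the listener on all interfaces.
EXPOSED_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      128    0.0.0.0:6666        0.0.0.0:*'

# On a real box you would run:  ss -ltn | loopback_only 6666
for sample in GOOD_SS EXPOSED_SS; do
    eval "listing=\$$sample"
    if printf '%s\n' "$listing" | loopback_only 6666; then
        echo "$sample: port 6666 is loopback-only"
    else
        echo "$sample: port 6666 is NOT loopback-only (exit $?)"
    fi
done
```

The exit code of `loopback_only` is what a monitoring script would act on: 1 means the tunnel endpoint is reachable from outside the home box and the sshd's `GatewayPorts` setting (or the `-R` bind address) needs looking at; 2 means autossh has not managed to bring the tunnel up.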

  16. Re: Initiate SSH session from other side?

    Randy Yates writes:

    > comphelp@toddh.net (Todd H.) writes:
    >
    > > Reread the papers you signed with your employer before you do this
    > > though. I know where I work, to poke a little hole in their firewall
    > > like that without their consent would potentially be grounds for
    > > termination, because it gives your potentially virus and malware
    > > infested home computer a clear shot to an ssh server on their
    > > protected network.

    >
    > I forgot to add this question: What's the difference between
    > doing something like this and VPN'ing in? In both cases the
    > internal network is going to be exposed to home computers'
    > viri etc., right?



    VPN would require the company's firewall to allow the VPN
    traffic/protocol in and would require a VPN server to be listening.

    In this case, we're using ssh port forwarding to work around what the
    company's firewall will allow (i.e. outbound only ssh connections) in
    order to achieve the access desired.

    This also underscores how crafty employees armed with outbound ssh can
    potentially compromise your network security, and hence the importance
    of having employees bound to a security policy and told not to do such
    things if you want to mitigate that risk. Of course, they still will
    statistically, but at least if they're under a signed agreement, and
    they do something dumb that costs the company thousands in a
    breach/malware event, they can at least summarily can the person
    responsible. :-)

    --
    Todd H.
    http://www.toddh.net/
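Todd's last paragraph is the company's side of the picture. From the firewall's point of view the tunnel is, as he says earlier in the thread, just one outbound tcp session to port 22, but a kept-alive reverse tunnel has a signature of its own: a single outbound ssh session that stays up for hours or days with only keepalive traffic. Here is an added example (mine, not Todd's) of the check a firewall or netflow administrator could run over exported flow records to surface such sessions. The record format (start epoch, end epoch, source, destination, destination port) and the flows themselves are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread. Flags long-lived outbound ssh
# sessions in exported flow records (one flow per line on stdin):
#   start_epoch end_epoch src_ip dst_ip dst_port
# The five-column format is an assumption made for this example.

# Print outbound flows to port 22 on a non-private destination that lasted
# longer than $1 seconds. The RFC 1918 test is deliberately simple and only
# distinguishes "inside the company" from "somewhere on the internet".
long_outbound_ssh() {
    awk -v limit="$1" '
        function private(ip) {
            return ip ~ /^10\./ || ip ~ /^192\.168\./ || ip ~ /^172\.(1[6-9]|2[0-9]|3[01])\./
        }
        NF == 5 && $5 == 22 && !private($4) && ($2 - $1) > limit {
            printf "%s -> %s:%s held %d s\n", $3, $4, $5, $2 - $1
        }'
}

# Constructed sample flows, not real traffic:
#   1. a two-minute interactive ssh to an external host  -> normal
#   2. an eight-hour outbound ssh to an external host    -> looks like a tunnel
#   3. an https connection                               -> not ssh
#   4. a long ssh between two internal hosts             -> not outbound
SAMPLE_FLOWS='1700000000 1700000120 10.1.2.3 203.0.113.10 22
1700000000 1700028800 10.1.2.4 198.51.100.7 22
1700001000 1700001030 10.1.2.5 203.0.113.10 443
1700002000 1700030000 10.1.2.6 10.1.9.9 22'

echo "outbound ssh sessions held longer than one hour:"
printf '%s\n' "$SAMPLE_FLOWS" | long_outbound_ssh 3600
```

A one-hour threshold is a starting point, not a rule; a real deployment would pair this with an allow-list of sanctioned destinations (the company's own bastion hosts, vendors the team legitimately pulls from) so that the report contains only sessions nobody has accounted for.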
