<h1>reverse ssh tunnel</h1>
<p>Published 2011-11-30 (modified 2012-12-25), https://tech.avant.net/q/reverse-ssh-tunnel/</p>
<p>I would like ssh access to a protected host that is not directly accessible on the Internet but does have outbound access. This is a common scenario in corporate networks, which often require a VPN for remote access; but in situations where VPN access is not available (e.g., I forgot my keyfob, or I don't want to install VPN software) a reverse ssh tunnel to a trusted host can be used instead.</p>
<p>Basically, a reverse ssh tunnel is set up by the private host (i.e., any host that's not directly accessible from the Internet). The private host connects to a trusted host (one that is accessible on the Internet).</p>
<p>A reverse ssh tunnel is usually started with something like:</p>
<pre>
$ ssh -R 12345:localhost:22 user@example.com
</pre>
<p>This creates a tunnel from example.com to the private host: port 12345 on example.com's loopback interface is forwarded to port 22 on the private host. In other words, you would simply log in to example.com and issue the following command (where <code>user</code> is an account on the private host):</p>
<pre>
$ ssh user@localhost -p 12345
</pre>
<p>And you would now be logged in to the private host.</p>
<p>The only problem is that you must establish the reverse tunnel from the private host. In order to keep this tunnel alive (without you physically being able to log in to the private host), you can use a periodic cron job, e.g.,</p>
<pre class="sh_sh">
#!/bin/bash
#
# Keep a reverse ssh tunnel from this (private) host to a public host alive.
# Run from cron every 5 minutes, e.g.:
# */5 * * * * ~/.ssh/reverse_tunnel >/dev/null 2>&1
#
# -OR-
# */5 * * * * ~/.ssh/reverse_tunnel hostname port >/dev/null 2>&1

## set defaults
REMOTE_HOST=user@hostname
REMOTE_PORT=12345

## key used unattended from cron; use one dedicated to this tunnel
SSH_KEY=/path/to/your/private.key

if [ "$#" -eq 2 ]; then
  REMOTE_HOST=$1
  REMOTE_PORT=$2
fi

## reverse tunnel command (kept on one line: pgrep/pkill -x below must
## match the exact command line)
##   -N                        no remote command, forwarding only
##   -f                        go to background once the forward is up, so
##                             the script (and cron) does not block on it
##   ExitOnForwardFailure=yes  exit instead of staying connected without
##                             the forward (e.g. remote port still bound)
##   ServerAliveInterval=60    notice a dead connection and exit
REVERSE_TUNNEL="ssh -i $SSH_KEY -q -N -f -o ExitOnForwardFailure=yes -o ServerAliveInterval=60 -R $REMOTE_PORT:localhost:22 $REMOTE_HOST"

## start tunnel if not already running
## ($REVERSE_TUNNEL is intentionally unquoted: word splitting turns the
## string into the command and its arguments)
pgrep -f -x "$REVERSE_TUNNEL" > /dev/null 2>&1 || $REVERSE_TUNNEL

## test tunnel: the remote host must be listening on the forwarded port;
## if not, kill any stale ssh process and start the tunnel again
if ! ssh -i "$SSH_KEY" "$REMOTE_HOST" netstat -an | grep -Eq "tcp.*:$REMOTE_PORT.*LISTEN"; then
   pkill -f -x "$REVERSE_TUNNEL"
   $REVERSE_TUNNEL
fi
</pre>
<p>This will maintain a tunnel on the public host to the private host. Now you can easily log in to the private host from anywhere that has access to the public host.</p>