How to ssh forwarding with AllowTcpForwarding set to no?













There is some development I need to do on some remote box. Fortunately, I have shell access, but I need to go through a gateway that has AllowTcpForwarding set to false.

I took a peek at the docs and it says:

    AllowTcpForwarding Specifies whether TCP forwarding is permitted. The
    default is ''yes''. Note that disabling TCP forwarding does not
    improve security unless users are also denied shell access, as they
    can always install their own forwarders.

How would I go about installing (or building) my own forwarder? My goal here is to set up a remote interpreter using PyCharm via SSH and binding it to some local port, that data fed through ssh, that through the gateway, and then to the development box where the code is actually run. I imagine I could somehow utilize nc or some other unix utility that'll help get the job done.

I know I can ssh to my remote box by doing:

    ssh -t user1@gateway ssh user2@devbox

But obviously this option isn't available in PyCharm. I'll have to be able to open some local port such that

    ssh -p 12345 localhost
    (or variant)

will connect me to user2@devbox. This will allow me to configure the remote interpreter to use port 12345 on localhost to connect to the remote box.

linux shell ssh python ssh-tunneling







asked Nov 24 '17 at 1:38
TLane

  • The gateway has AllowTcpForwarding set to false but does the remote box? If it does not, why not forward to it? Oh I understand now... Since you can access the router you can probably port forward on the router. Why not do that?

    – jdwolf
    Nov 24 '17 at 2:41


3 Answers

SSH tunneling can be done both ways. SSH into the router. SSH from the router into the devbox. Then run SSH from the devbox to make an outbound connection to your computer running an SSH server with port forwarding enabled while setting up a remote port forward back to the devbox. At that point you can close the other ssh connection.

answered Nov 24 '17 at 2:51
jdwolf


I would just set up another sshd to run on a different port.

Edit the settings so tcpforwarding is allowed.

    cp /etc/ssh/sshd{,-second}_config

Edit sshd-second_config

    Port 22220

    cp /usr/lib/systemd/system/sshd.service /etc/systemd/system/sshd-second.service

Alter /etc/systemd/system/sshd-second.service in the following way:

    Description=OpenSSH server second instance daemon
    ExecStart=/usr/sbin/sshd -D -f /etc/ssh/sshd-second_config $OPTIONS

The ExecStart line may differ, depending on the release.

    systemctl daemon-reload
    systemctl enable sshd-second.service --now

More information can be found here:

https://access.redhat.com/solutions/1166283

Now you should be able to forward whatever you want.

answered Nov 24 '18 at 4:43
Michael Prokopec


                            As long as one can execute socat locally and on gateway (or even just bash and cat on gateway, see last example!) and is allowed to not use a pty to be 8bits clean, it's possible to establish a tunnel through ssh. Here are 4 examples, improving upon the previous:



                            Basic example working once



                            (having it fork would require one ssh connection per tunnel, not good). Having to escape the : for socat to accept the exec command:



                            term1:



                            $ socat tcp-listen:12345,reuseaddr exec:'ssh user1@gateway exec socat - tcp:devbox:22',nofork


                            term2:



                            $ ssh -p 12345 user2@localhost


                            term1:



                            user1@gateway's password:


                            term2:



                            user2@localhost's password: 


                            Reversing first and second addresses makes the socket immediately available



                            socat has to stay in charge, so no nofork:



                            term1:



                                $ socat exec:'ssh user1@gateway exec socat - tcp:devbox:22' tcp-listen:12345,reuseaddr
                            user1@gateway's password:


                            term2:



                            $ ssh -p 12345 user2@localhost
                            user2@localhost's password:


                            Using a ControlMaster ssh



                            allows forking while using only a single ssh connection to the gateway, thus giving a behaviour similar to the usual port forwarding:



                            term1:



                            $ ssh -N -o ControlMaster=yes -o ControlPath=~/mysshcontrolsocket user1@gateway
                            user1@gateway's password:


                            term2:



                            $ socat tcp-listen:12345,reuseaddr,fork exec:'ssh -o ControlPath=~/mysshcontrolsocket user1@gateway exec socat - tcp\:devbox\:22'


                            term3:



                            $ ssh -p 12345 user2@localhost
                            user2@localhost's password:


                            Having only bash and cat available on gateway



                            By using bash's built-in tcp redirection, and two half-duplex cat commands (for a full-duplex result) one doesn't even need a remote socat or netcat. Handling of multiple layers of nested and escaped quotes was a bit awkward and can perhaps be done better, or simplified by the use of a remote bash script. Care has to be taken to have the forked cat for output only:



                            term1 (no change):



                            $ ssh -N -o ControlMaster=yes -o ControlPath=~/mysshcontrolsocket user1@gateway
                            user1@gateway's password:


                            term2:



                            $ socat tcp-listen:12345,reuseaddr,fork 'exec:ssh -T -o ControlPath=~/mysshcontrolsocket user1@gateway '\''exec bash -c \'\''"exec 2>/dev/null 8<>/dev/tcp/devbox/22; cat <&8 & cat >&8"\'\'\'


                            term3:



                            $ ssh -p 12345 user2@localhost
                            user2@localhost's password:














                            edited Dec 31 '18 at 5:32

























                            answered Dec 31 '18 at 5:02









                            A.B
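Seen from the gateway, each relay in the answer above is an ordinary child process of the user's sshd session, which is why `AllowTcpForwarding no` alone does not stop it. The following Python is an added example, not part of the original answer: it flags such processes in a `ps -eo pid,ppid,user,args` snapshot. The sample process table, the pattern list and the function names are assumptions made for illustration.

```python
import re

# Constructed sample of `ps -eo pid,ppid,user,args` on the gateway (not real data).
SAMPLE_PS = """\
  PID  PPID USER     COMMAND
 4107  4101 user1    sshd: user1@notty
 4110  4107 user1    socat - tcp:devbox:22
 4123  4107 user1    bash -c exec 2>/dev/null 8<>/dev/tcp/devbox/22; cat <&8 & cat >&8
 4206  4200 user3    sshd: user3@pts/0
 4207  4206 user3    -bash
 4300  4207 user3    vim notes.txt
"""

# Relay shapes used in the answer above, plus plain netcat (assumed pattern list).
RELAY_PATTERNS = [
    ("socat", re.compile(r"\bsocat\b.*\btcp[46]?(?:-connect)?:([\w.-]+):(\d+)", re.I)),
    ("bash /dev/tcp", re.compile(r"/dev/tcp/([\w.-]+)/(\d+)")),
    ("netcat", re.compile(r"\b(?:nc|ncat|netcat)\b(?:\s+-\S+)*\s+([\w.-]+)\s+(\d+)\b")),
]

def parse_ps(text):  # returns pid -> (ppid, user, args); the header line is skipped
    procs = {}
    for line in text.splitlines():
        parts = line.split(None, 3)
        if len(parts) == 4 and parts[0].isdigit():
            procs[int(parts[0])] = (int(parts[1]), parts[2], parts[3])
    return procs

def under_sshd_session(pid, procs):
    """True if the process or an ancestor is a per-session sshd ("sshd: user@tty")."""
    seen = set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        ppid, _, args = procs[pid]
        if args.startswith("sshd: "):
            return True
        pid = ppid
    return False

def find_relays(text):
    """Return (pid, user, kind, dest_host, dest_port) for relay-like commands."""
    procs, hits = parse_ps(text), []
    for pid, (_, user, args) in sorted(procs.items()):
        for kind, rx in RELAY_PATTERNS:
            m = rx.search(args)
            if m and under_sshd_session(pid, procs):
                hits.append((pid, user, kind, m.group(1), int(m.group(2))))
                break
    return hits
```

Matching on the command line is a heuristic: a renamed or self-built forwarder will not match, so treat hits as leads rather than as complete coverage.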





























