[Cialug] SSH Trickery

Renegade Muskrat dramaley at spatulacity.cx
Mon Nov 21 18:04:40 CST 2005


I had to set up something similar when I changed jobs and was subjected 
to more stringent access to my work machine from home:

http://www.hackinglinuxexposed.com/articles/

That link has lots of useful articles on it. The ones I used to do SSH 
bouncing were:

SSH Bouncing - How to get through firewalls easily
http://www.hackinglinuxexposed.com/articles/20040830.html
SSH Bouncing - How to get through firewalls easily, Part 2
http://www.hackinglinuxexposed.com/articles/20040923.html

At 03:27 PM 11/21/2005 -0800, you wrote:
A friend recently pointed this method out to me, and it's too handy not 
to pass on.

I've got two networks (work and home) that severely limit inbound 
connections (nat at home, restrictive firewall/IDS/etc at work). On 
both ends, there are "bastion" hosts that allow inbound ssh. From that 
host, I can connect on to anywhere on the network. Works fine, but can 
be a PITA when I want to say rsync a copy of the x-org debs from the 
mirror at work to the fileserver at home. I used to have a nasty ad-hoc 
port-forwarding mess. Nasty. That and ssh listening on odd ports on my 
nat box to reach inside hosts... hard to maintain, didn't always work 
nice with scp/rsync/X/etc. Enter the OpenSSH ProxyCommand option.... I 
put the stanzas below into ~/.ssh and life is good. It assumes you've 
got netcat installed on your bastion host, and I think the -q option to 
nc might be a debian-ism, but oh so nice.


Host *.work.gov
    ProxyCommand ssh -a -x ip.of.bastion.host  nc -q 1 %h %p
    Protocol 2
    Cipher blowfish-cbc
    Compression yes
    Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
    EscapeChar ~
Host *.home.org
    ProxyCommand ssh -a -x ip.of.home.gateway nc -q 1 %h %p
    Protocol 2
    Cipher blowfish-cbc
    Compression yes
    Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
    EscapeChar ~
                                                -- Dan
   --------------------------------------------------------------------
             "I'm still sane on three planets and two moons."
   --------------------------------------------------------------------
       Daniel Ramaley                  3118 Cottage Grove Ave Apt 8
       dramaley at spatulacity dot cx        Des Moines, Iowa 50311
       http://www.spatulacity.cx/                    (515) 271-5233
   --------------------------------------------------------------------
        WARNING: REDISTRIBUTION OF THIS MESSAGE MAY BE IN
                 VIOLATION OF APPLICABLE COPYRIGHT LAWS.
                 THIS MESSAGE NOT GUARANTEED Y-TO-K COMPLIANT.
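
An added example, not part of either message above: a small Python check that reads ssh_config text like the quoted stanzas and reports the settings a current OpenSSH user would revisit (the netcat-based ProxyCommand, the protocol 1 `Cipher` keyword, and the cipher list). The legacy-cipher rule and the `ProxyJump` suggestion are assumptions of this example; `ProxyJump` needs OpenSSH 7.3 or later on the client.

```python
import re
import shlex

# Constructed sample: the first stanza from the message, wrapped Ciphers line rejoined.
SAMPLE = """\
Host *.work.gov
    ProxyCommand ssh -a -x ip.of.bastion.host  nc -q 1 %h %p
    Protocol 2
    Cipher blowfish-cbc
    Compression yes
    Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
    EscapeChar ~
"""

LINE = re.compile(r"^(\w+)(?:\s*=\s*|\s+)(.*)$")  # "Key value" or "Key=value"


def is_legacy_cipher(name):
    # Assumed policy (not from the post): CBC-mode and RC4 (arcfour) names are legacy.
    return name.endswith("-cbc") or name.startswith("arcfour")


def audit(text):
    """Return [(host_pattern, keyword, note)] for settings worth revisiting."""
    findings, host = [], "*"
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:  # blank lines, comments, keywords with no value
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key == "host":
            host = value
        elif key == "proxycommand":
            argv = shlex.split(value)
            relay = [i for i, a in enumerate(argv) if a in ("nc", "netcat")]
            if argv[:1] == ["ssh"] and relay and relay[0] > 1:
                # The token just before nc is the jump host in this command form.
                jump = argv[relay[0] - 1]
                findings.append((host, "ProxyCommand",
                                 f"needs netcat on the bastion; try: ProxyJump {jump}"))
        elif key == "ciphers":
            weak = [c for c in value.split(",") if is_legacy_cipher(c.strip())]
            if weak:
                findings.append((host, "Ciphers", "legacy: " + ",".join(weak)))
        elif key == "cipher":
            findings.append((host, "Cipher", "SSH protocol 1 keyword"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep=" | ")
```
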


