Monday, August 31, 2015

Multi Hopping SSH Tunnel


Let's assume you have two remote systems (System A and System B) of which one (System A) is accessible by its Public IP but the other does not have the Public IP or it may be behind the firewall. This situation prevents you from accessing the second system directly from your home.

You can access (SSH) the second system (System B) in two steps.

1. From your home, Log into System A
2. From System A, Log into System B

But, what if you want to access System B directly from your home? 

[Note: HostName, UserName, Keys, IP Address used here are only for example]

Multi-Hop SSH Tunnel

Here, we would use a built in SSH feature known as SSH Hopping using an Intermediate Host (System-A in this case);

ssh -t user@Intermediate Host ssh user@Destination Host

-t switch creates a pseudo terminal to execute some commands. (in this case it executes the ssh to System B)

For example;

# ssh -i id_rsa -t centos@xxx.xxx.xxx.xxx ssh -i id_rsa_private centos@172.16.20.12
Last login: Mon Aug 31 13:05:40 2015 from 172.16.20.13
[centos@ins-2 ~]$

Let's understand what it is doing; 

1. ssh -i id_rsa -t centos@xxx.xxx.xxx.xxx
It opens an ssh connection to server at xxx.xxx.xxx.xxx IP. The "-t " switch actually creates an
        pseudo terminal on that server to execute the following command;

[Note:  The private key "id_rsa" is stored under the current path of execution of the ssh
        command]

2. ssh -i id_rsa_private centos@172.16.20.12
[Note: The private key "id_rsa_private" is stored under the home directory of user "centos" on
        "System A with Pub IP xxx.xxx.xxx.xxx" ]

How about doing the following from your home system?
ssh centos@172.16.20.12

Lets tweak it further, for this we would be requiring NC (Netcat) package on our intermediate host(s).

1. Start an SSH agent on our Home system and store the "Private Key"

# eval $(ssh-agent -s)
Agent pid 3067

# ssh-add id_rsa
Identity added: id_rsa (id_rsa)

.2 Put the following contents in the file ~/.ssh/config 

Host someserver
  HostName xxx.xxx.xxx.xxx
User centos
Port 22

Host 172.16.20.12
HostName 172.16.20.12
User centos
ForwardAgent yes
Port 22

ProxyCommand ssh -q xxx.xxx.xxx.xxx nc %h %p

3. Now, from your home system do a direct SSH to System B i.e. 172.16.20.12 as shown 
        below;

# ssh centos@172.16.20.12
Last login: Mon Aug 31 16:07:18 2015 from 172.16.20.13
[centos@ins-2 ~]$
By at
Labels: ,

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)