Signs of Triviality

Opinions, mostly my own, on the importance of being and other things.

Nested SSH Tunnels

Suppose you have a set of hosts S that you can only reach via ssh from host V, by authenticating against a RADIUS server R and tunnelling your connections from R through a proxy server P.

So you set up an ssh config with the appropriate tunnels on V and everything is well. When you're on V, you can reach any host in S via ssh.

Now suppose that host R can only be reached from V, but not from your local host L. So what you want is an ssh configuration that allows you to tunnel every connection to a host in S through V to R (and thus from there through P to the final host).

The configuration below allows you to do just that:

On V, add to your ~/.ssh/config:

# Session to R; V's loopback port 9342 then leads to P's sshd.
Host proxy_from_v
        HostName R
        LocalForward 9342 P:22

# Hosts in S: ssh to P through that forward and let nc relay to the target.
Host *.S
        ProxyCommand /usr/bin/ssh -p 9342 localhost /usr/local/bin/nc %h %p

On L, add the following to your ~/.ssh/config:

# Session to V; L's port 9922 leads to V's loopback port 9342 (and so on to P).
# Note that localhost:9342 is resolved on V, not on L.
Host proxy_to_v
        HostName V
        LocalForward 9922 localhost:9342

# Same as on V, but entered through the local end of the chained forward.
Host *.S
        ProxyCommand /usr/bin/ssh -p 9922 localhost /usr/local/bin/nc %h %p

Then, to set up the ssh tunnel, run:

ssh -t proxy_to_v "ssh -t proxy_from_v"

This gets you to V and from there sets up the proxy through R to P.
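As an added example (not from the post), here is a small Python script that parses the two config fragments above and follows the ProxyCommand, LocalForward and HostName links across L's and V's configs to list the machines a connection to a host in S really traverses. V, R, P and the *.S pattern are the post's placeholders; the script assumes the fragments exactly as shown.

```python
import fnmatch
import shlex
# The post's two config fragments keyed by machine; V, R, P and *.S are its placeholders, not real hosts.
CONFIGS = {
    "L": "Host proxy_to_v\n HostName V\n LocalForward 9922 localhost:9342\n"
         "Host *.S\n ProxyCommand /usr/bin/ssh -p 9922 localhost /usr/local/bin/nc %h %p\n",
    "V": "Host proxy_from_v\n HostName R\n LocalForward 9342 P:22\n"
         "Host *.S\n ProxyCommand /usr/bin/ssh -p 9342 localhost /usr/local/bin/nc %h %p\n",
}

def parse_ssh_config(text):
    """Return [(host_patterns, {option: [values]})], one entry per Host stanza."""
    stanzas = []
    for line in text.splitlines():
        key, value = (line.split(None, 1) + ["", ""])[:2]  # pad blank / lone-key lines
        if key.lower() == "host":
            stanzas.append((value.split(), {}))
        elif key and not key.startswith("#") and stanzas:
            stanzas[-1][1].setdefault(key.lower(), []).append(value)
    return stanzas

def lookup(stanzas, host, key):
    """ssh semantics: the first matching Host stanza that sets `key` wins."""
    return next((opts[key][0] for pats, opts in stanzas if key in opts
                 and any(fnmatch.fnmatchcase(host, p) for p in pats)), None)

def local_forward(stanzas, port):
    """(alias, dest_host, dest_port) of the LocalForward bound to local `port`."""
    for patterns, opts in stanzas:
        for spec in opts.get("localforward", []):
            bind, dest = spec.split()
            if int(bind.rsplit(":", 1)[-1]) == port:  # bind may be "addr:port"
                host, _, dport = dest.rpartition(":")
                return patterns[0], host, int(dport)
    raise LookupError(f"no LocalForward is bound to port {port}")

def trace(machine, target):
    """Machines a connection from `machine` to `target` passes through, in order."""
    path, stanzas = [machine], parse_ssh_config(CONFIGS[machine])
    proxy = lookup(stanzas, target, "proxycommand")
    if proxy is None:                        # no ProxyCommand: plain direct connection
        return path + [target]
    argv = shlex.split(proxy)
    port = int(argv[argv.index("-p") + 1])   # the ProxyCommand ssh's to localhost:<port>
    while True:
        alias, dest, dport = local_forward(stanzas, port)
        path.append(lookup(stanzas, alias, "hostname") or alias)  # session carrying the forward
        if dest != "localhost":
            return path + [dest, target]     # dest runs sshd; nc %h %p hops on from there
        stanzas, port = parse_ssh_config(CONFIGS[path[-1]]), dport  # loopback of that hop: use its config
```

Running `trace("L", "foo.S")` yields `['L', 'V', 'R', 'P', 'foo.S']`, which is the chain the post describes; a host not matching `*.S` is connected to directly.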

Having sorted this out without a whiteboard makes me feel like I've just had a Pan Galactic Gargle Blaster. You may draw yourself the corresponding picture with clouds representing the interweb and pipes with numbers on them the tunnels. Don't forget to get the arrows right! :-)

February 23, 2007

