SSH tunnel for ssh traffic

mike cloaked mike.cloaked at gmail.com
Fri Apr 16 12:21:13 UTC 2010


On Fri, Apr 16, 2010 at 7:24 AM, Matt Domsch <Matt_Domsch at dell.com> wrote:
> On Thu, Apr 15, 2010 at 04:12:20PM +0200, Christoph H?ger wrote:
>> Hi,
>>
>> I need to ssh to some remote VM that sit in a private LAN. For any other
>> service (e.g. RDP) I'd use ssh tunneling just normal.
>> But what do I do for ssh traffic? Since ssh is not host agnostic, it
>> will always complain about localhost having a different RSA key.
>> I just do not want to edit the known_hosts every time I need to connect
>> to a new machine!
>>
>> Is there some way to tell ssh to use a tunnel directly for a
>> connection?
>
> you want to use ProxyCommand lines in .ssh/config, rather than local
> redirects.
>
>
>
> Host deeper-inside
>     HostName 192.168.1.2
>     ProxyCommand ssh inside nc %h %p
>
> Host inside
>     HostName 192.168.0.2
>     ProxyCommand ssh outside nc %h %p
>
>
> where outside is the public host name/IP, inside is one level inside
> your private network, directly reachable by host outside, and
> deeper-inside is 2 levels deep, directly reachable by host inside.
>
>
> $ ssh deeper-inside
>

One thing that is worth bearing in mind, which has caught me out before,
is that you can have everything set up perfectly but the connections
simply do not work!  The reason "could" be that on one of the machines
there is a firewall port forwarding restriction. For example, when I
connect to work I have to make an initial connection to a specific "ssh"
gateway to get through the company firewall; that has been set up so
that forwarding can only be done to port 22 and 80 on machines inside the
firewall, and all other port forwards are not allowed. This made for some
interesting time wastage until I realised that in this case any fancy
port forwarding was doomed to failure....  It may not be the case for
your systems, but in my case it meant having to rework the way I wanted
to make connections.

Just another factor that you may not think about when doing
sophisticated networking!

-- 
mike c
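The chained configuration Matt quotes above, as an added example that is not part of the thread: a POSIX sh function that writes the ProxyCommand stanzas for any number of hops, plus the equivalent ProxyJump form available in OpenSSH 7.3 and later (which needs no nc on the intermediate hosts). The host aliases and addresses are constructed sample values; the ProxyCommand variant assumes nc is installed on each hop, as in Matt's reply.

```shell
#!/bin/sh
# Added example, not code from the thread: generate the chained ProxyCommand
# stanzas Matt describes for any number of hops, plus the equivalent
# ProxyJump form (OpenSSH 7.3 and later, no nc needed on the hops).
# All host aliases and addresses below are constructed sample values.

# gen_ssh_config NAME=ADDR [NAME=ADDR ...]
# The first hop is the public entry host; each later hop is reached through
# the one listed before it. Stanzas are written to stdout.
gen_ssh_config() {
    prev=""
    for hop in "$@"; do
        name=${hop%%=*}
        addr=${hop#*=}
        printf 'Host %s\n    HostName %s\n' "$name" "$addr"
        if [ -n "$prev" ]; then
            # %h/%p expand to this stanza's HostName/port. ssh also records
            # the host key under that HostName, so every hop gets its own
            # known_hosts entry instead of all colliding on "localhost"
            # as they would with a local (-L) forward.
            printf '    ProxyCommand ssh %s nc %%h %%p\n' "$prev"
        fi
        printf '\n'
        prev=$name
    done
}

# Same chain with ProxyJump: ssh itself opens the forwarding channel on the
# previous hop, so only sshd is required there.
gen_ssh_config_jump() {
    prev=""
    for hop in "$@"; do
        name=${hop%%=*}
        addr=${hop#*=}
        printf 'Host %s\n    HostName %s\n' "$name" "$addr"
        if [ -n "$prev" ]; then
            printf '    ProxyJump %s\n' "$prev"
        fi
        printf '\n'
        prev=$name
    done
}

# count_proxied CONFIG_TEXT: number of stanzas that go through a hop,
# i.e. hops minus one. A quick sanity check on generated output.
count_proxied() {
    printf '%s\n' "$1" | grep -c -E '^ *Proxy(Command|Jump) '
}

# Sample chain (constructed addresses): outside is the public entry point,
# inside is one level in, deeper-inside two levels in, as in Matt's reply.
gen_ssh_config outside=203.0.113.10 inside=192.168.0.2 deeper-inside=192.168.1.2
```

To check the result without connecting, write the output to a file and run `ssh -G -F thatfile deeper-inside`; `-G` prints the options ssh would actually use after evaluating the config. Note that the nc in ProxyCommand runs as a remote command on the hop rather than as an ssh port forward, so it is not governed by the gateway's restrictions on -L forwards, but the hop must still allow command execution and an outbound TCP connection to port 22 of the next host.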
