Sometimes it is desirable or necessary to use such a transport between two hosts that do not have direct connectivity (perhaps because of a firewall arrangement), but where there is an intermediate machine that has (ssh) connectivity to both endpoints.
This can be achieved by first using ssh to port forward the port that ssh normally connects to. In the following examples, the machine you are starting from is called "myhome.example.org", the intermediate machine is called "gateway.example.com", and the machine you really want to connect to is called "server.example.com".
First you run (on myhome.example.org) the command to set up the tunnel. You can choose either of the two examples below; the first uses the ssh1 protocol, the second uses the ssh2 protocol.
    ssh -f -L 51526:server.example.com:22 -1 gateway.example.com sleep 3600
or
    ssh -f -N -L 51526:server.example.com:22 -2 gateway.example.com
The effect of doing this will be that ssh connections to port 51526 on your machine (myhome.example.org) will in fact be tunneled through gateway.example.com to the target machine (server.example.com). You can replace "51526" by any number that you choose between 49152 and 65535. Given a less strict interpretation of port number allocation, you can probably fairly safely choose any number between 1024 and 65535.
The ssh1 protocol version above will only set the port up for an hour ("sleep 3600").
In order for this to work, you'll need to make sure that there are no "known hosts" file entries for localhost on your machine (e.g. in ~/.ssh/known_hosts).
Having done this, you can now use "ssh -p 51526" as a command to make a "direct" ssh connection to server.example.com, even though there is no direct connectivity available. So, for instance, an rsync command line might look like:
    rsync -SHar -e 'ssh -p 51526' localhost:/somewhere/on/server /localdir
This will synchronise from server.example.com:/somewhere/on/server to myhome.example.org:/localdir.
Some caution is necessary when doing this, as the use of "localhost" to refer to the remote server can easily mislead!
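One way to keep host key checking tied to the real server rather than to "localhost", shown here as an added example that is not part of the original page: an entry in ~/.ssh/config on myhome.example.org using OpenSSH's HostKeyAlias option. The alias name "server-tunnel" is hypothetical; the port and host names are the ones used above.

```sshconfig
# ~/.ssh/config on myhome.example.org (added example)
# "server-tunnel" is a hypothetical alias chosen for this illustration.
Host server-tunnel
    # Connect to the local end of the tunnel set up with "ssh -L 51526:..."
    HostName localhost
    Port 51526
    # Save and verify the host key under the real server's name, so the
    # key is not recorded against "localhost" in known_hosts
    HostKeyAlias server.example.com
    # Refuse to connect if the key presented through the tunnel differs
    # from the one already recorded for server.example.com
    StrictHostKeyChecking yes
```

With this entry in place, "ssh server-tunnel" or "rsync -SHar -e ssh server-tunnel:/somewhere/on/server /localdir" goes through the tunnel without naming localhost on the command line. StrictHostKeyChecking yes assumes the key for server.example.com is already present in known_hosts; without that line ssh will prompt to accept it on first use.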
Similar techniques should be possible by using the port forwarding facilities in Windows clients such as PuTTY.