#1
I have a Linux machine that I'd like to be able to SSH into from behind a firewall. I can't forward a port in the firewall (no access). So here is my idea.

A = machine behind firewall
B = neutrally located Linux machine
C = my machine

Have a daemon or something run on A that makes a ssh with port forwarding to B. I log in to B on the special port. Ideas?

Also, I don't know how to write a script to make sure it stays connected, otherwise I'd have to drive to the physical location each time to re-login.

Thanks.
JP

#2
if c can get to b and b can get to a then:

c ssh to b
b ssh to a

I must have missed something.

#3
Sorry...

A can get to B or C.
B can get to C, but not A.
C can get to B, but not A.

#4
port forwarding works differently...

in your case, you would need some way to trigger machine "a" to connect to you (c). you probably take no advantage of "b" unless "c" is using dynamic IP.

it could work like this: you start a program on "a" that connects to a web server (on "c") every 10 seconds. it calls a php script. if the script's output is "0", it does nothing, if it is "1", it will start a ssh connection directly to you.
__________________
-- Manuel Hirsch - Linux, FreeBSD, programming, administration articles, tutorials and more.

#5
Interesting idea.. the purpose of B is a neutral point so that if I'm at my home or work machine "C" I can get to "A".

Is there some way maybe to have a cron check for a PID for some script, and if not then start it? Either way, it would have to forward a port from A for me to be able to ssh into A.

#6
M.Hirsch,

are you sure that you can backtrace an ssh connection like that? I understand the aim here is to get from C to A, which is behind a firewall. If I was sat on machine C, and saw that a connection had been established from A, that wouldn't mean that A would accept a connection from me on C, so netstat might show:

    tcp 0 0 brezhnev.spiration.:ssh alexis:33800 ESTABLISHED

but brezhnev wouldn't be allowed to ssh back to alexis, unless the iptables were specifically set up to allow it.

or have I missed the point?

christo
__________________
Spiration channels: Free scripts, programming tutorials and articles. Dotcut alerts: Online Press cuttings / news alerts. Clearprop: UK microlight school, Wiltshire. UK dating: UK safe dating with Topdates. About Christo.

#7
I think you missed it. See A is behind a firewall, so I can't connect to it from the outside. B is a neutral machine that I can connect to if I'm at work or home or wherever. C is "wherever" I happen to be. I need access to A at any given time, but can't be there physically to start the connection. So the connection port (ssh) would need to be forwarded to a machine that is easily accessible by web.

Hope that clarifies.

Thanks.
-JP

#8
No, (jp), CHR15T0 is absolutely right. you cannot do it. port forwarding forwards a connection that is coming to your pc to another pc, you cannot re-route other pc's traffic! (unless you have access to "a"'s iptables, but then you don't need all this here anyway...)

you MUST have "a" make the connection to you, no matter if to "b" or to "c". This is the Webserver-Script-Trigger approach. it was just an example, to make it work, you would have to:

- write / get kinda ssh proxy for "a" that can open a connection manually (i.e. script triggered).
- you make the proxy connect to you on the one side, to the sshd server on "a" on the other side. since it is running on "a"'s localhost then, you should be able to login.

#9
Take a look at this: http://freshmeat.net/projects/portfwd/
__________________
All power to the vikings!

#10
That may be an option. Thanks for that link.

Check this out from the OpenSSH docs: http://www.openbsd.org/cgi-bin/man.cgi?query=ssh

Quote:

This is what I want A to do, create the ssh connection to B forwarding (say) port 8022. That way, I can ssh to B:8022 from C (anywhere). But if this connection is ever dropped, I want A to re-establish it automatically so I don't have to go there physically to reconnect.

-JP
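
What post #10 asks for (A opens the connection to B with a remote forward on port 8022 and redials when it drops), sketched as an added example that is not part of the thread. The relay account tunnel@b.example.org, the key path and the syslog tag are assumed names; the forward is bound to B's loopback only, so the port is not exposed to the whole internet.

```shell
#!/bin/sh
# Added example, not from the thread. Runs on A (the machine behind the firewall).
# Assumed names: relay account tunnel@b.example.org, key ~/.ssh/tunnel_key.
# On B, limit that key in ~tunnel/.ssh/authorized_keys (one line, OpenSSH 7.8+):
#   restrict,port-forwarding,permitlisten="localhost:8022" ssh-ed25519 <PUBLIC-KEY>
RELAY="${RELAY:-tunnel@b.example.org}"
KEY="${KEY:-$HOME/.ssh/tunnel_key}"
RPORT="${RPORT:-8022}"   # port opened on B, the number used in the thread
MIN_DELAY=5
MAX_DELAY=300

# Accept only an unprivileged TCP port number.
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    if [ "$1" -lt 1024 ] || [ "$1" -gt 65535 ]; then return 1; fi
}

# -R argument: B listens on its loopback only and forwards to sshd on A.
forward_spec() {
    valid_port "$1" || return 1
    printf 'localhost:%s:localhost:22\n' "$1"
}

# Capped exponential backoff so an unreachable relay is not hammered.
next_delay() {
    d=$(( $1 * 2 ))
    if [ "$d" -gt "$MAX_DELAY" ]; then d=$MAX_DELAY; fi
    echo "$d"
}

keep_tunnel() {
    spec=$(forward_spec "$RPORT") || { echo "bad port: $RPORT" >&2; return 2; }
    delay=$MIN_DELAY
    while :; do
        start=$(date +%s)
        # BatchMode: never prompt. ExitOnForwardFailure: quit if B refuses the
        # listener. ServerAlive*: quit after ~90 s of silence so the loop redials.
        rc=0
        ssh -N -T -i "$KEY" -o BatchMode=yes -o ExitOnForwardFailure=yes \
            -o ServerAliveInterval=30 -o ServerAliveCountMax=3 \
            -R "$spec" "$RELAY" || rc=$?
        # A session that lasted a minute was healthy, so reset the backoff.
        if [ $(( $(date +%s) - start )) -ge 60 ]; then delay=$MIN_DELAY; fi
        logger -t revtunnel "ssh exited with $rc, retrying in ${delay}s"
        sleep "$delay"
        delay=$(next_delay "$delay")
    done
}
if [ "${1:-}" = "run" ]; then keep_tunnel; fi
```

Start it on A with the argument `run` (from an init script or a cron `@reboot` entry). Because B listens on loopback only, reach A from C through B, for example `ssh -J you@B -p 8022 jp@localhost`, where `you` and `jp` are placeholder account names.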
Viewing: Dev Shed Forums > Operating Systems > Linux Help > Remote Administration