How to ssh to an unreachable remote machine by tunneling through a server that everyone can reach?

4

5

Machines:

  • Let's call my machine macbook.
  • I have a server on the interwebs. Call it server.
  • I have a Mac Mini elsewhere that I can access via iChat screen sharing. Let's call it mini.

Reachability:

  • server can see neither macbook nor mini.
  • macbook can see server but not mini.
  • mini can see server, but not macbook.

Screen sharing is slow. I want an SSH connection to mini. A direct connection is impossible because of routers, NAT, etc.

What I want to do is to connect both macbook and mini to server via SSH, creating the appropriate tunnels, so that from macbook I can run an ssh … command to connect to mini by tunneling the connection through server.

So my question is, what commands do I have to run, on which machines, to make this work?

To keep it simple, please use server, mini, macbook as hostnames in your answers.

kch

Posted 2010-08-02T06:53:39.243

Reputation: 1 822

You could short-circuit that by setting up IPv6 on both machines; gogo6 is one option. It's a little work, but it'll end up easier in the long run. – Journeyman Geek – 2010-08-02T10:19:38.853

Yeah that would be awesome but I don't even know where to start. Care to post an answer? – kch – 2010-08-02T11:30:50.540

Answers

6

Only one ssh tunnel is needed. From the mini:

ssh -N -R 0.0.0.0:8022:localhost:22 serverUser@server

Now you can just connect from macbook onto server with ssh -p 8022 miniUser@server

Be sure to have GatewayPorts set to yes in the server's /etc/ssh/sshd_config.

Additionally you may want to define some stuff in ~/.ssh/config:

Host gate.mini
    HostName server
    Port 8022
    HostKeyAlias mini

This allows you to do the more coherent ssh miniUser@gate.mini, and at the same time not be bothered with server fingerprint mismatches.

Lloeki

Posted 2010-08-02T06:53:39.243

Reputation: 266

This sounds awesome, but I'm getting an error when trying to connect from macbook:

ssh: connect to host MyActualServer port 8022: Connection refused – kch – 2010-08-06T14:51:24.517

Could this be to blame? "Specifying a remote bind_address will only succeed if the server's GatewayPorts option is enabled (see sshd_config(5))." – kch – 2010-08-06T14:53:29.893

Ok, that was it, I was able to get it to work by setting GatewayPorts to yes in /etc/ssh/sshd_config. Can you please update your answer with this pesky detail? – kch – 2010-08-06T14:56:50.607

4

On the Mac Mini do:

ssh -R 1234:localhost:22 serverUser@server

This will forward connections to port 1234 of the server to port 22 on the Mac Mini.

Then, on the MacBook do:

ssh -L 1235:localhost:1234 serverUser@server

This will forward connections to port 1235 on the MacBook to port 1234 on the server (which will then get forwarded to the Mac Mini by the above command).

Finally, to get your actual connection, on the MacBook do:

ssh -p 1235 miniUser@localhost

Which connects to port 1235 on the MacBook, which gets forwarded to port 1234 on the server, which gets forwarded to port 22 on the Mac Mini. Ports 1234 and 1235 can be set to more or less whatever you like - and can be the same (I used different numbers to make the explanation more clear). Similarly, port 22 should be changed if SSH on your Mac Mini is listening on a different port.

Scott

Posted 2010-08-02T06:53:39.243

Reputation: 5 323

Awesome. Short and to the point. – kch – 2010-08-02T11:11:18.167

So, I fixed your commands and posted a new answer because I don't have rep to edit your answer directly. If you please do this edit I'll gladly accept your answer and remove mine. – kch – 2010-08-02T11:30:16.407

My apologies. I'm always forgetting to add the server in when I do port forwarding. I end up searching through my terminal history and finding the command from when I last used it - far easier than actually learning them. ;-) Does the third command in your answer actually work? By my understanding that would attempt to connect to mini directly rather than going through the tunnel. – Scott – 2010-08-02T12:45:24.377

oops, I meant localhost there. – kch – 2010-08-02T13:11:01.347

Why are you omitting the -N option? Not that it's necessary, but do you not prefer it? – kch – 2010-08-02T13:13:17.760

lol @ substituting mini for localhost - at least I'm in good company with getting my SSH commands mixed up. :-)

As for no -N: no, I prefer not to use it - it reminds me that I have the connection open, and saves me fiddling around with ps when I want to kill it. It's not strictly essential to solving the problem either, and can easily be added by those, such as yourself, who'd rather use it. – Scott – 2010-08-02T15:04:25.930

-N is not -f. The process remains in foreground, you just don't get a shell. So, you don't have to fiddle with ps, just ^c.

The advantage for me is exactly in not having a shell open. Otherwise I'm inclined to think it's just an idle remote shell and close it, and daaamn, just lost my tunnel. – kch – 2010-08-03T02:14:01.590

Unless I put it in the background, it leaves me with an unusable terminal window. If that's the case, I'd rather have the shell in case I need to execute commands on the other computer - which, nine times out of ten, I do. Anyway, it's obviously a matter of preference. You prefer it with -N, I prefer it without. – Scott – 2010-08-03T08:51:04.583

Yes, a matter of preference of course. I was just rambling on so as to cater to the endless curiosity of future visitors. – kch – 2010-08-06T14:58:06.547
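The two accepted recipes above differ in one security-relevant detail: Lloeki's single -R to 0.0.0.0 requires GatewayPorts yes on server and then exposes mini's SSH daemon on server:8022 to anyone who can reach server, while Scott's two-hop variant keeps the forwarded port on server's loopback and needs no sshd_config change. The "Connection refused" that kch hit is what the default GatewayPorts no looks like from the outside: sshd accepts the forward but forces it onto loopback. The helper below is an added example, not code from either answer. It reads the effective GatewayPorts value out of a given sshd_config (first uncommented occurrence wins, directives after a Match line are conditional and skipped), reports which interfaces a remote forward would actually bind to, and prints the loopback-only command set using the question's hostnames (server, mini, macbook); the sample config it runs on is constructed inline.

```shell
#!/bin/sh
# Added example (not from the original answers). Plans the tunnel and checks
# the server-side GatewayPorts precondition before anyone types the commands.

# Print the effective value of an sshd_config keyword. sshd uses the FIRST
# non-comment occurrence; "Keyword=value" is accepted as well as "Keyword value";
# anything after a Match line only applies conditionally, so we stop there.
# Usage: sshd_effective <keyword> <config-file> [default]
sshd_effective() {
    _kw=$1; _file=$2; _default=${3:-}
    _val=$(awk -v kw="$_kw" '
        /^[[:space:]]*#/ { next }                       # comment line
        { gsub(/=/, " ") }                              # normalise Keyword=value
        tolower($1) == "match" { exit }                 # conditional section starts
        NF >= 2 && tolower($1) == tolower(kw) { print $2; exit }
    ' "$_file")
    printf '%s\n' "${_val:-$_default}"
}

# Where would "ssh -R [bind:]port:localhost:22 server" actually listen on server?
# Per sshd_config(5): GatewayPorts no forces loopback, yes forces the wildcard
# address, clientspecified honours the client's request. The ssh client sends
# "localhost" when -R is given without a bind address.
# Usage: remote_forward_binding <config-file> [requested-bind-address]
remote_forward_binding() {
    _req=${2:-localhost}
    case "$(sshd_effective GatewayPorts "$1" no)" in
        yes) echo "all-interfaces" ;;
        clientspecified)
            case "$_req" in
                ""|"*"|0.0.0.0|::)        echo "all-interfaces" ;;
                localhost|127.0.0.1|::1)  echo "loopback" ;;
                *)                        echo "$_req" ;;
            esac ;;
        *) echo "loopback" ;;   # the default: nothing reachable from outside server
    esac
}

# The two-hop, loopback-only variant (Scott's answer): mini parks its sshd on
# server's loopback, macbook pulls that port down to its own loopback, then
# connects to localhost. No GatewayPorts change and nothing on a public interface.
# Usage: plan_loopback_tunnel [port-on-server] [port-on-macbook] [mini-sshd-port]
plan_loopback_tunnel() {
    _sp=${1:-1234}; _lp=${2:-1235}; _mini_ssh=${3:-22}
    printf 'mini:    ssh -N -R %s:localhost:%s serverUser@server\n' "$_sp" "$_mini_ssh"
    printf 'macbook: ssh -N -L %s:localhost:%s serverUser@server\n' "$_lp" "$_sp"
    printf 'macbook: ssh -p %s miniUser@localhost\n' "$_lp"
}

# --- demo on a constructed sshd_config (sample data, not a real server) ---
demo_cfg=$(mktemp)
printf '# GatewayPorts yes   <- commented out, ignored\nGatewayPorts no\nGatewayPorts yes\n' > "$demo_cfg"
echo "-R 0.0.0.0:8022 on this server would bind to: $(remote_forward_binding "$demo_cfg" 0.0.0.0)"
rm -f "$demo_cfg"
plan_loopback_tunnel 1234 1235 22
```

Run it against the real /etc/ssh/sshd_config on server before choosing a recipe: if remote_forward_binding reports loopback, the 0.0.0.0 form will "work" but be unreachable from macbook, which is the symptom in the comments; the printed plan is the alternative that works without touching the server's configuration.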

0

You can tunnel any command through an ssh session. That means you can also tunnel a ssh command through ssh.

This would look like this:

ssh -t userOnServer@url.of.server ssh userOnMini@url.of.mini

This opens an ssh session to server and from there instantly opens a second ssh session to mini. With an ssh tunnel this should work without problems from your macbook machine. At least given that mini is reachable from server.

Requirements:

  • ssh on macbook
  • ssh server and ssh client on server
  • ssh server and ssh client on mini

It might be nifty to make an alias so you don't have to type this every time you want to connect. Also think about a passwordless connection to server so you don't have to enter 2 passwords for this tunneled connection.

fgysin reinstate Monica

Posted 2010-08-02T06:53:39.243

Reputation: 2 228

server can't see mini. – kch – 2010-08-02T07:56:20.010

updated question with reachability details. sucks that you put so much effort into a great answer that's however useless :P – kch – 2010-08-02T08:06:31.863

Never mind that :) – fgysin reinstate Monica – 2010-09-02T08:37:18.420