Which SSH config option stops me from SSH'ing through an SSH tunnel?

1

I am trying to connect directly to my work computer (work) which is only available via an outside server (outside).

So, the network path is: home » outside » work

Ideally, this should work:

home$ ssh -f -N -L2222:work.example.com:22 outside.example.com
home$ ssh localhost -p 2222  ## This just hangs

It doesn't, though. I can also replace work.example.com with an entirely different server, with the same result. The steps are correct, because I can use the same logic to connect to the work host's web server:

home$ ssh -f -N -L10080:work.example.com:80 outside.example.com
home$ lynx http://localhost:10080/  ## work's pretty web page is displayed 

Also, I can SSH to work if I log into outside first:

home$ ssh outside.example.com
outside$ ssh work.example.com
work$  ## Yay, success!

Finally, this also works in a scenario with different servers involved:

home$ ssh -f -N -L2222:different.example.com:22 another.example.com
home$ ssh localhost -p 2222
different$  ## Success!

So, I guess there's some SSH configuration on outside that stops me from using the direct approach, since this works with different servers.

Home runs OpenBSD 4.6 with OpenSSH_5.3. Outside runs MacOSX 10.7.2 with OpenSSH_5.6p1. Work runs CentOS 6.0 with OpenSSH_5.3p1.

EDIT: The solution glared straight at me as I came to work today. Little Snitch (a firewall) had been blocking my connections, and had cheerfully opened quite a few "Do you want to allow this connection" dialogues. Thanks for the help; I'm granting @golimar the correct answer for this one, since it was a pretty plausible solution.

neu242

Posted 2011-12-17T12:55:25.473

Reputation: 1 316

Are you sure that outside sees work as work.example.com? If outside is a firewall/proxy that's actually on the same internal network as work, then work.example.com may resolve differently depending on whether outside is resolving it, or home is resolving it. Run nslookup work.example.com on both home and outside and confirm that the IP returned is the same. – Darth Android – 2011-12-17T16:48:10.780

Outside does the resolving of work, and home doesn't have a clue who work is. Anyway, since the port 80 example above works, that wouldn't have been a problem... – neu242 – 2011-12-17T19:03:13.443

Answers

1

It's probably the options AllowTcpForwarding and/or GatewayPorts in the sshd_config file in "outside".

If that's the case, your ssh client should say something about it (in a log file or with the verbose option). I saw this in PuTTY on Windows so I can't tell what the ssh command does...

golimar

Posted 2011-12-17T12:55:25.473

Reputation: 846

Good advice, but no success I'm afraid. I set both to yes and restarted sshd on "outside". The ssh client connects ("Connection established") and tries to read files in .ssh (last entry: "debug1: identity file /home/myuser/.ssh/id_dsa type -1"), then it just hangs... – neu242 – 2011-12-17T14:40:42.537
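
The verbose-output check suggested in the answer, as an added example that is not part of the original posts: a POSIX shell function that reads the combined stderr of the tunnel (`ssh -L ...`) and of the client (`ssh -v -p 2222 localhost`) and reports where the forwarded connection stopped. The function names, result labels and sample transcripts are constructed for this example; the matched strings are the messages the OpenSSH client prints.

```shell
#!/bin/sh
# Classify a saved ssh debug transcript read from stdin.
classify_tunnel_log() {
    log=$(cat)
    case $log in
        # sshd on the jump host refused the forward (e.g. AllowTcpForwarding no).
        *'open failed: administratively prohibited'*) echo forwarding-prohibited ;;
        # Forwarding is allowed, but the jump host's connect() to the target failed.
        *'open failed: connect failed'*) echo target-unreachable ;;
        # The far-end sshd sent its banner: the tunnel itself works.
        *'Remote protocol version'*) echo banner-received ;;
        # The channel was torn down before any banner arrived.
        *'ssh_exchange_identification: Connection closed'*) echo closed-before-banner ;;
        # The local listener accepted the connection but nothing came back:
        # the jump host's outbound connection is pending or silently dropped
        # (packet filter or host firewall), so sshd_config is not the cause.
        *'Connection established'*) echo no-banner ;;
        *) echo unknown ;;
    esac
}

# Constructed sample transcripts (not captured from the hosts in the question).
sample_hang() {
    cat <<'EOF'
debug1: Connecting to localhost [127.0.0.1] port 2222.
debug1: Connection established.
debug1: identity file /home/myuser/.ssh/id_dsa type -1
EOF
}
sample_prohibited() {
    cat <<'EOF'
debug1: Connection established.
channel 2: open failed: administratively prohibited: open failed
ssh_exchange_identification: Connection closed by remote host
EOF
}
sample_ok() {
    cat <<'EOF'
debug1: Connection established.
debug1: identity file /home/myuser/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
EOF
}

for s in sample_hang sample_prohibited sample_ok; do
    printf '%s: %s\n' "$s" "$("$s" | classify_tunnel_log)"
done
```

A `no-banner` result matches the hang described in the comment above: with forwarding refused by sshd, the tunnel process would print an `open failed` line instead of stalling silently.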