I am trying to connect directly to my work computer (work) which is only available via an outside server (outside).
So, the network path is: home » outside » work
Ideally, this should work:
home$ ssh -f -N -L2222:work.example.com:22 outside.example.com
home$ ssh localhost -p 2222 ## This just hangs
It doesn't, though. I can also replace work.example.com with an entirely different server, with the same result. The steps are correct, because I can use the same logic to connect to the work host's web server:
home$ ssh -f -N -L10080:work.example.com:80 outside.example.com
home$ lynx http://localhost:10080/ ## work's pretty web page is displayed
Also, I can SSH to work if I log into outside first:
home$ ssh outside.example.com
outside$ ssh work.example.com
work$ ## Yay, success!
Finally, this also works in a scenario with different servers involved:
home$ ssh -f -N -L2222:different.example.com:22 another.example.com
home$ ssh localhost -p 2222
different$ ## Success!
So, I guess there's some SSH configuration on outside that stops me from using the direct approach, since this works with different servers.
Home runs OpenBSD 4.6 with OpenSSH_5.3. Outside runs MacOSX 10.7.2 with OpenSSH_5.6p1. Work runs CentOS 6.0 with OpenSSH_5.3p1.
EDIT: The solution glared straight at me as I came to work today. Little Snitch (a firewall) had been blocking my connections, and had cheerfully opened quite a few "Do you want to allow this connection" dialogues. Thanks for the help; I'm granting @golimar the correct answer for this one, since it was a pretty plausible solution.
Are you sure that outside sees work as work.example.com? If outside is a firewall/proxy that's actually on the same internal network as work, then work.example.com may resolve differently depending on if outside is resolving it, or home is resolving it. Run nslookup work.example.com on both home and outside and confirm that the IP returned is the same. – Darth Android – 2011-12-17T16:48:10.780
Outside does the resolving of work, and home doesn't have a clue who work is. Anyway, since the port 80 example above works, that wouldn't have been a problem... – neu242 – 2011-12-17T19:03:13.443
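One way to narrow down a forwarded SSH port that "just hangs", as an added example that is not part of the original question or comments: the probe below connects to the local end of the forward and reports whether an SSH identification string ever arrives. The names probe_forward and fake_listener are hypothetical, and the listener and its banner are constructed stand-ins so the block runs offline.

```python
import socket
import threading
import time

def probe_forward(host, port, timeout=2.0):
    """Classify what answers on a (forwarded) TCP port.

    'refused'   nothing listens locally: the ssh -L process is not running
    'no-banner' connected but silent until the timeout: the forward exists
                and the onward connection is stalled (the "hang")
    'closed'    accepted, then closed without data: the relay host could
                not open the onward connection
    'ssh: ...'  an SSH identification string arrived, so sshd was reached
    'other'     some non-SSH service spoke first
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "refused"
    with sock:
        try:
            data = sock.recv(255)
        except socket.timeout:
            return "no-banner"
        except ConnectionResetError:
            return "closed"
    if not data:
        return "closed"
    line = data.split(b"\n", 1)[0].rstrip(b"\r")
    if line.startswith(b"SSH-"):
        return "ssh: " + line.decode("ascii", "replace")
    return "other"

def fake_listener(reply, hold=0.0):
    """Constructed stand-in for a forwarded port; returns its port number."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        conn.sendall(reply)
        time.sleep(hold)  # hold > probe timeout imitates a stalled forward
        conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

if __name__ == "__main__":
    print(probe_forward("127.0.0.1", fake_listener(b"SSH-2.0-OpenSSH_5.3\r\n")))
    print(probe_forward("127.0.0.1", fake_listener(b"", hold=3.0), timeout=0.5))
```

Against the real tunnel this would be called as probe_forward("localhost", 2222). An HTTP server waits for the client to speak first, so a working port-80 forward also reports 'no-banner'; the result is only meaningful for a forward that targets port 22.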