I am not sure if I am answering your question, but I feel there is a brick missing in what you intend to do, so I will add the missing link and risking that this was not your question.
What you intent to do is possible with SSH and not that difficult to setup, but let me start with a disclaimer: SSH tunneling is illegal in many work environments and can get you fired, even if your purpose is to reach your own home server with data/backups.
In order to reach the lets say server at home ("home") behind your ISP's NAT from a laptop on a public network, say an internet cafe ("laptop") you would do the following.
First you need a SSH-server running which is reachable in the pubic internet (SSShub).
Connect "home" permanently with "SSHhub" and remote forward a port from "SSHhub" to your "home" server. Take a look at autossh to make sure that the connection persists if you are away and check the sshd_config man page to get the remote forwarding right. On your home machine you start
autossh -M 0 -Nf SOCKSUSER@SSHHUB -r 8022:localhost:22
This will forward port 8022 on the public SSHhub server to your home servers SSH port 22.
Now you are sitting in an internetcafe with your laptop and local forward some unrestricted port to the SSHhub on port 8022 (using the above example). So on your laptop you start
autossh -M 0 -Nf SOCKSUSER@SSHHUB -l 8122:localhost:8022
When this is configured you can SSH into your home machine from your laptop by starting
ssh SOCKSUSER@localhost -p 8122
The ssh session forwarded from localhost:8122 on your laptop to localhost:8022 on the SSHhub and from there to localhost:22 on your home server.
You will be asked for the account password. All this will give you some headaches with having both a public key from the laptop and the home server in the .ssh/authorized_keys file of the SSHhub. PasswordAuthentication no
in the /etc/ssh/sshd_config file should be ok, since you are logging in from inside the localhost, but check it yourself. You might want to set it to yes while debugging.
Check the autossh manpage for the -M 0
option. This will "ping" the SSH server through the encrypted tunnel otherwise you have to configure monitoring ports with the -M
option. -M 0
requires that you set the ServerAlive variables in the .ssh/config file like so
ServerAliveInterval 15
ServerAliveCountMax 2
TCPKeepAlive no
You can have them also inline I think.
Now I can answer you original question: Is it possible to login to your home machine behind NAT without RSA public key on the laptop/internet cafe machine. The answer is "yes" (as far as I remember) in the above scenario, when you permit PasswordAuthentication yes
on the SSHhub, so that you can connect from any machine (having SSH client available) to the SSHhub.
Very late and probably wrong answer, but I used some time to figure it out and I guess others are wondering about it, too.