The answers to the linked question have various other solutions to that. (On linux as an alternative to being root for reserved ports you can use POSIX capabilities, see, however this will not work on standard versions of OpenSSH as it has an extra hard-coded check on port numbers, unless compiled with NO_IPPORT_RESERVED_CONCEPT defined. Using a SOCKS proxy ( -D) as suggested may cause some surprises, depending on SOCKS/DNS/firewall/NAT configuration. Using a non-privileged port may work, again depending on your site: ssh -L 1080:127.0.0.1:80 I'd strongly suggest not allowing ssh login for root. To forward port 80 you only need to be root on the desktop, ''not'' the webserver. or if the site name must match due to the virtual-hosting set up then you'll need to add that to your desktop hosts file: 127.0.0.1 You could define an alias on the server vhost so that you can use one name for 127.0.0.1 like "", and the real name to go directly, if that's ever going to be useful - forgetting to remove entries from the hosts file is a good way to cause confusion. To remove all the changes described here do the following.Once the tunnel is set up (with -L) you need to change the URL you use, e.g. Then do sudo systemctl daemon-reload and sudo systemctl restart sshtunnel. On the restricted machine, prepend a colon (':') on the port number in the /etc/systemd/system/rvice file, so the ssh option is -R :9001:localhost:22 rather than -R 9001:localhost:22. Then sudo systemctl reload sshd if you changed this. On the server, enable GateWayPorts yes in /etc/ssh/sshd_config.
SETTING UP REVERSE SSH TUNNEL LINUX PASSWORD
Be aware you are opening a public port directly connecting to the restricted machine if you do this so this approach should be avoided, or at least disable password authentication and only allow ssh key authentication on the restricted machine. for use by users who don't have ssh access to the server itself. Some users may want to make the tunnel port also externally accessible on the server public network interfaces, e.g. Either you connect to this locally from within that server, or if you are connecting from another machine then you use the ssh ProxyJump configuration keyword to automatically redirect to the restricted machine via the server proxy, again via the localhost interface. The tunnel is available by making an ssh connection to the port on the server localhost interface. On the restricted machine, create an ssh key pair in /etc/sshtunnel/ with an empty/no pass-phrase:Įnter fullscreen mode Exit fullscreen modeĮxternal public access via server (optional)įor most users, the above configuration is completely sufficient. So autossh is not required, we can implement an automatically maintained ssh tunnel using standard ssh and systemd alone. Note that autossh was previously often used for this (and nearly all existing online tutorials about reverse ssh tunnels use autossh) but autossh is redundant nowadays since modern openssh versions can monitor link health and exit if the link fails, and systemd can then be used to restart the ssh tunnel. Of course you should always check you have permission to do this with whoever controls the restricted network. With the reverse tunnel in place, you can simply ssh to that port on your server to get a tunnelled ssh session back to the restricted machine through the restricted firewalls. This post describes how you can set up a reverse ssh tunnel initiated and maintained from that restricted machine to a port on a Linux server elsewhere on the internet that you control. Let's call that the restricted machine and we assume you can make changes to it, e.g. Say you have a Linux machine to which you want to ssh to but that machine is behind corporate or other firewalls etc which you have no control over, and thus you can not forward an external port for ssh etc. I did not find a clear modern description of this set-up so have written this post to help others.
0 kommentar(er)
