
SSH server behind a firewall


Bo...@b.com
Mar 10, 2002, 4:39:41 PM
I currently have a Redhat Linux server set up behind a firewall which
only allows connections over port 80 (http). If I want to SSH to this
machine, I need to SSH to a server behind the firewall which has port
22 open, then SSH from there across to my Linux box. Can anyone think
of a way I could get around this?

Nico Kadel-Garcia
Mar 10, 2002, 7:36:59 PM

<Bo...@b.com> wrote in message
news:btkn8u4pb7nlh6pvu...@4ax.com...

Run an ssh server on an unfirewalled port, typically those > 1024. Of
course, if your firewall administrator does not want you running this
server, you will have created a future problem for yourself when he or she
notices....


smn
Mar 11, 2002, 10:33:11 AM
You could do what I do to get into my office from home. I have a FreeBSD
box (A) running OpenSSH-3.1 with sshd listening on ports 22 and 2200. A
normal user will background an ssh session (which authenticates using
public keys) to my home computer (B) using syntax like this:
ssh -p 22 -C -R 2200:IP_of_A:2200 -N IP_of_B

Then from my home computer I can ssh -p 2200 localhost and get forwarded
to the office computer.

Another option you may wish to consider is opening a port on the Linux
computer, or even still redirecting a port from the computer behind the
firewall to a port on the Linux server.

- Scott

<Bo...@b.com> wrote in message
news:btkn8u4pb7nlh6pvu...@4ax.com...

Bo...@b.com
Mar 11, 2002, 12:06:57 PM
Thanks for the suggestions, but as far as I can tell, I don't think
either of these would work. In a few months, I will no longer have
access to the machines that I have been using to ssh around the
firewall. The firewall admin will not open any port, and port 80 is
the ONLY port that is opened to the outside world.

Perhaps this better describes the situation. Soon, machine B will be
out of the picture, and I was wondering if there could still be a way
to get into A from the outside.


CURRENT SITUATION


(A) (B)
Linux machine SSH Another machine
I want to access <----------------- I can access
^ ^
| Port 80 Only | Port 80, Port 22 only
| | (I think)
========+===============Firewall==============+===============
| |
| |
| No SSH SSH |
|--------------- Me ----------------|

smn
Mar 12, 2002, 11:48:57 AM
Interesting setup, but my office firewall is possibly more restrictive.
Only ports 21, 23, and 80 are allowed out. Established connections are
allowed in. Which means at home I have sshd listen on the external
interface on ports 22 and 23. As long as I can make an established TCP
connection from behind the firewall to my home computer I can get back to
the office.

This is why my "tunnel" originates in the office and terminates at my home
computer. Once that is done I can open an ssh session to the forwarded
port on my home computer and communicate with the office computer.

If only port 80 is open outbound you may be limited to something similar
where sshd is listening at home on port 80. I don't see where you would
have a problem if you established an ssh session from the office computer
to home - that's *all you need* to start.

- Scott

<Bo...@b.com> wrote in message
news:tnop8u88sgfjneecr...@4ax.com...
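The tunnel Scott describes in his two posts above (an outbound ssh -R from the office box, with sshd at home listening on a port the firewall lets out) as an added example; this is not Scott's script and nothing like it appears in the thread. It is a small POSIX sh supervisor for the office box (A): it dials home on port 80, asks the home sshd to open port 2200 and forward it back to A's own port 22, and re-dials whenever the session drops, which is the "session times out" problem raised later in the thread. The hostname, the tunnel account, the key path and the port numbers are assumptions; BatchMode, ExitOnForwardFailure and ServerAliveInterval are options of current OpenSSH, newer than the 3.1 release mentioned here.

```shell
#!/bin/sh
# reverse-tunnel.sh: keep an outbound SSH tunnel from the office box (A)
# to a home box alive, publishing A's sshd on the home box's port 2200.
# Added example for this thread; every name and path below is assumed.

HOME_HOST=${HOME_HOST:-home.example.org}   # assumed home hostname
HOME_PORT=${HOME_PORT:-80}                 # the one port the firewall lets out
REMOTE_PORT=${REMOTE_PORT:-2200}           # listener created on the home box
LOCAL_PORT=${LOCAL_PORT:-22}               # sshd on the office box itself
USER_AT_HOME=${USER_AT_HOME:-tunnel}       # unprivileged account at home
KEY=${KEY:-/var/lib/tunnel/id_ed25519}     # passphrase-less key, mode 0600

# Accept only 1..65535: a value that came from an environment file or a
# web form can then never smuggle shell metacharacters onto the ssh
# command line, and a typo fails here instead of somewhere inside ssh.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print the ssh argument list one item per line, so the exact command
# can be inspected (or tested) without dialling anything.
tunnel_args() {
    valid_port "$HOME_PORT" && valid_port "$REMOTE_PORT" &&
        valid_port "$LOCAL_PORT" || return 1
    printf '%s\n' \
        -N -C \
        -o BatchMode=yes \
        -o ExitOnForwardFailure=yes \
        -o ServerAliveInterval=30 \
        -o ServerAliveCountMax=3 \
        -i "$KEY" \
        -p "$HOME_PORT" \
        -R "$REMOTE_PORT:localhost:$LOCAL_PORT" \
        "$USER_AT_HOME@$HOME_HOST"
}

# Re-dial whenever ssh exits (idle timeout, home box rebooted, a stale
# listener still bound at home makes ExitOnForwardFailure quit), with a
# pause so a dead peer does not become a tight loop. The argument list
# is split on whitespace, so KEY must not contain spaces.
run_forever() {
    while :; do
        # shellcheck disable=SC2046
        ssh $(tunnel_args)
        sleep 60
    done
}

case "${1:-}" in
    run)  run_forever ;;
    args) tunnel_args ;;
esac
```

Run it as reverse-tunnel.sh run (from an @reboot cron entry or an init script) on the office box; reverse-tunnel.sh args shows the command it will execute. On the home side sshd_config needs both Port 22 and Port 80 (several Port lines are allowed), and the tunnel account's authorized_keys entry should be limited to this one use, for example restrict,port-forwarding,permitlisten="2200" in front of the key (OpenSSH 7.8 or later), so that if the office box is compromised the key buys an attacker nothing but that listener. The -R listener binds to the home box's loopback interface by default, so GatewayPorts can stay off and ssh -p 2200 localhost from home lands on the office sshd exactly as Scott describes.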

Bo...@b.com
Mar 12, 2002, 5:05:01 PM
I will, come May, have no physical access to the machine sitting
behind the firewall to open an ssh tunnel back home. I think that is
what you were talking about, and I don't think that will work.

Am I correct?

--James

smn
Mar 12, 2002, 6:07:25 PM
Well, from the computer you can get to you can forward the connection to
the computer you won't be able to get to.

Home <---> Computer B <----> Computer C

From computer B,
ssh -p 22 -R 22:comp_C_ip:2200 -N home_ip

Try that.

- Scott


<Bo...@b.com> wrote in message
news:mvus8u86j5sgquclc...@4ax.com...

Bo...@b.com
Mar 13, 2002, 12:38:05 AM
Again, I think the way I described this may be causing some confusion.
Lets start over with this scenario:

|
Home <----------|----------> Linux machine running SSH
|
+-Firewall only allowing port 80 http requests

Ignore the other computer, it doesn't exist in the question I am
asking. Assuming I have no access whatsoever to the Linux machine
running SSH behind the firewall, is there any way I can set up the
Linux machine before I lose physical/logical access to it so that I
can get back in later?

I'm not looking for backdoor access, I will know the person
administering the machine, but I doubt they will want to go out of
their way to actively make this easier for me.

smn
Mar 13, 2002, 2:28:12 PM
Well, I'm not a real expert, but I play one on the internet from time to
time. I know you've mentioned you won't have physical access to the
machine and the firewall admin is not playing nicely so you've got
extremely limited options:
1. Port redirection. Have connections from your home machine to port 80
on the web box redirected to a sshd process. This will prevent you from
viewing any web content from that box, but you can get access to the
machine.

2. Back to back door access. Make a page accessible only by you with
user/pass protections which runs a script to do ssh remote forwarding for
you. When the session times out, you'll need to reenter your user/pass to
start the ssh process again. You'll need to set up public key
authentication again, but that's easy.

3. Go talk to your boss and find out why you can't get access to this box
through the firewall from home. Have him "arrange" a solution.

The difficulty increases with each option.

Good luck,
Scott


<Bo...@b.com> wrote in message
news:2ept8uoctur8cav3d...@4ax.com...
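Scott's option 2 above, as an added example that is mine rather than anything posted in the thread: a CGI script on the office web server, placed in a directory the server protects with HTTP basic auth, that starts the reverse-tunnel supervisor when it is not already running. The script path, the pidfile location and the allowed user name are assumptions, as is the existence of a separate supervisor script that runs the ssh -N -R command. The security point it shows is that the only request data it consults is REMOTE_USER, which the web server sets after authentication; the query string and body are never read, so nothing attacker-controlled reaches a shell command.

```shell
#!/bin/sh
# tunnel-up.cgi: authenticated trigger for the reverse tunnel.
# Added example for this thread; the paths, the user name and the
# pidfile are assumptions. Installed on the office web box in a
# directory protected by HTTP basic auth, so the only request data it
# ever consults is REMOTE_USER. QUERY_STRING and the body are ignored.

TUNNEL_SCRIPT=${TUNNEL_SCRIPT:-/usr/local/sbin/reverse-tunnel.sh}  # assumed supervisor
PIDFILE=${PIDFILE:-/var/run/tunnel/reverse-tunnel.pid}             # assumed, writable by httpd
ALLOWED_USER=${ALLOWED_USER:-james}                                  # the one basic-auth account

# A pidfile alone proves nothing (a crashed supervisor leaves one
# behind): require a numeric pid that still answers kill -0.
tunnel_running() {
    [ -r "$PIDFILE" ] || return 1
    pid=$(cat "$PIDFILE")
    case "$pid" in ''|*[!0-9]*) return 1 ;; esac
    kill -0 "$pid" 2>/dev/null
}

# Launch the supervisor detached from the CGI process so it outlives
# the HTTP request. Fails, instead of recording a bogus pid, when the
# script is missing or not executable.
start_tunnel() {
    [ -x "$TUNNEL_SCRIPT" ] || return 1
    nohup "$TUNNEL_SCRIPT" run >/dev/null 2>&1 </dev/null &
    echo $! > "$PIDFILE"
}

# Map the authenticated user to an action; prints one status line and
# returns 0 (ok), 1 (could not start) or 2 (not allowed).
handle() {
    if [ "$1" != "$ALLOWED_USER" ]; then
        echo "forbidden"
        return 2
    fi
    if tunnel_running; then
        echo "already running"
        return 0
    fi
    if start_tunnel; then
        echo "started"
    else
        echo "failed"
        return 1
    fi
}

# Only emit HTTP output when actually invoked as a CGI.
if [ -n "${GATEWAY_INTERFACE:-}" ]; then
    printf 'Content-Type: text/plain\r\n\r\n'
    handle "${REMOTE_USER:-}"
fi
```

With Apache the directory would carry AuthType Basic, AuthName "tunnel", AuthUserFile pointing at an htpasswd file, and Require user james; the web server user needs read access to the private key the supervisor uses and write access to the pidfile directory. Two caveats a practitioner would want: basic auth over plain HTTP on port 80 sends the password in the clear on every request, so anyone on the path can replay it and start the tunnel (they still cannot use it without the key that sits at home, and the tunnel itself is encrypted); and the key the web server can read should be restricted on the home side to that one listener, since a compromise of the web box otherwise hands over a general-purpose login at home. Whatever the mechanism, it is still a persistent way into the box that the machine's administrator should know about, which is Scott's option 3.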

Bo...@b.com
Mar 13, 2002, 6:17:38 PM
Scott, this option number two sounds exactly like the answer I was
looking for. Could you point me to a HOWTO or some website that could
explain how I could go about doing this, or could you further describe
this setup?

Thanks,
James
