[TriLUG] sftp/ssh to boxes behind a firewall

Aaron S. Joyner aaron at joyner.ws
Wed Apr 4 09:31:30 EDT 2007


Roy Vestal wrote:
> I'm looking for the best/easiest way to do this.
> 
> I have a few machines behind my firewall at home. I have 1 port set up
> for ssh/sftp to one machine. However, I have a second machine I need to
> get to from time to time.
> 
> Currently, I ssh to machine 1, then have to ssh to machine 2. Is there
> any way, using ssh to create a kind of tunnel like I can with vnc over
> ssh, that will allow me to directly ssh/sftp to the second machine?  For
> example, if I have a document on machine 2, I currently ssh to machine
> 1, sftp the document from machine 2 to machine 1, then sftp the document
> from machine 1 to the workstation I'm on. Is there a better/easier way
> that is still using ssh/sftp?
> 
> TIA,
> Roy

Of the provided solutions, I tend to use a combination of David's
(OpenSSH port forwarding) and Alan's (OpenVPN).  For consistent
environments I control, that I frequently need access to, there's no
substitute for setting up OpenVPN and having a permanent route on my
laptop into that network.  This is what I do for my home network, for
example.

In the case where you want a lighter solution, for whatever reason (you
don't run the network, it's not convenient to set up OpenVPN, you only
occasionally need access, etc), it makes much more sense to use SSH port
forwarding.  You can expand on David's suggestion, and implement these
tunnels via a .ssh/config file.  It accomplishes the same tasks, but
saves you an awful lot of repetitive typing.  A couple of entries like this
on your laptop may go a long way towards making your life easier:

Host gateway
   HostName your.external.dns.name.example.com
   LocalForward 22222 an.internal.hostname:22

Host internalbox
   HostName 127.0.0.1
   HostKeyAlias an.internal.hostname
   Port 22222
   ForwardX11 yes
   Compression yes

This is a very limited example, in which you would be able to:
ssh gateway   # enter password, leave connection open
ssh internalbox  # in another window / screen / whatever

As long as the first connection stays up, the second one will work just
fine.  You can of course expand on this, with any of the options from
ssh_config(5).  I just threw in the ForwardX11/Compression as a teaser.  :)

Happy Connecting!
Aaron S. Joyner
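An added example (not part of Aaron's reply, and not an OpenSSH tool) that generalizes the two-stanza pattern above to several internal machines: a small POSIX sh function that emits the gateway stanza with one LocalForward per internal host on its own loopback port, plus a matching stanza per host. The gateway name and the box names (gw.example.com, fileserver.lan, buildbox.lan) are constructed placeholders. It keeps HostKeyAlias on every stanza so ssh files each internal box's host key under its real name rather than under [127.0.0.1]:<port>; without that, reusing a port for a different box would either be silently accepted or raise a misleading "host key changed" warning.

```shell
#!/bin/sh
# Generate ~/.ssh/config stanzas for reaching several internal hosts through
# one SSH gateway, using the LocalForward + HostKeyAlias pattern.
# Usage: gen_ssh_config GATEWAY_DNS_NAME NAME=INTERNAL_HOST [NAME=INTERNAL_HOST ...]
# Prints the stanzas; append to ~/.ssh/config, then inspect with `ssh -G NAME`.

BASE_PORT=22222   # first loopback port; each internal host gets the next one

gen_ssh_config() {
    gateway="$1"; shift
    port=$BASE_PORT

    # Gateway stanza: one LocalForward line per internal host.  LocalForward
    # binds 127.0.0.1 only unless GatewayPorts is set, so other machines on
    # the laptop's LAN cannot ride the tunnel.
    printf 'Host gateway\n   HostName %s\n' "$gateway"
    for pair in "$@"; do
        internal=${pair#*=}
        printf '   LocalForward %s %s:22\n' "$port" "$internal"
        port=$((port + 1))
    done
    printf '\n'

    # One stanza per internal host.  HostKeyAlias makes ssh store and check
    # the host key under the internal name instead of [127.0.0.1]:<port>,
    # so a key-mismatch warning still means something if ports get reshuffled.
    port=$BASE_PORT
    for pair in "$@"; do
        name=${pair%%=*}
        internal=${pair#*=}
        printf 'Host %s\n   HostName 127.0.0.1\n   HostKeyAlias %s\n   Port %s\n\n' \
            "$name" "$internal" "$port"
        port=$((port + 1))
    done
}

# Example run with constructed names (not real hosts):
# gen_ssh_config gw.example.com box2=fileserver.lan box3=buildbox.lan
```

As with the original two stanzas, the forwards only exist while an `ssh gateway` session is open. On OpenSSH 7.3 or later the same hop can be expressed without a standing session by putting `ProxyJump gateway` in each internal stanza and dropping the LocalForward/Port lines; the host key is then checked under the real HostName, so HostKeyAlias is no longer needed.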

