SSH, via a Jump Host, with a dynamic port number

Solution 1:

Second partial solution, inspired by @anx...

Create a socket file

ssh -R '/path/to/socket-file:localhost:22' tunnel@jh

Then, to use this socket (from the Jump Host), I can use socat:

ssh -o "ProxyCommand socat - UNIX-CLIENT:/path/to/socket-file" localhost

The use of socat seems like an unnecessary step, where I'm sure there must be a way to get the ssh command to use the socket file directly, but I can't find it yet.

I've also not found how to use this socket file from my computer (as ProxyCommand is run on localhost, not on the JumpHost).

I should also note: as the tunnel account (on the Jump Host) is very restricted (it's only there to establish these tunnel connections), I need to set StreamLocalBindMask=0111 so my account on the Jump Host can use this socket file. Likewise, the old socket file should be removed if a new connection is established, via StreamLocalBindUnlink=yes.

Both of these options need to be set on the Jump Host, in "/etc/ssh/sshd_config":

Match User tunnel
  StreamLocalBindMask 0111
  StreamLocalBindUnlink yes

Unfortunately, Match rules are ignored in "/etc/ssh/sshd_config.d/tunnel.conf" before OpenSSH 8.4, released September 27 2020 (bug report), and this isn't currently available on Ubuntu 20.04.1 LTS.
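The following ~/.ssh/config is an added example, not part of the answer above: it puts the two sides of the answer's setup (the -R to a Unix socket, and the socat ProxyCommand) into client config, and shows one way to reach the socket from a laptop rather than from the Jump Host, by running socat on the Jump Host over a nested ssh. The host names (jh.example.net, tunnel-up, behind-nat), user names and the socket path are assumptions; it also assumes socat is installed on the Jump Host and that the sshd_config Match block above is in effect, since without StreamLocalBindMask 0111 the socket is created mode 0600 and only the tunnel account can open it.

```sshconfig
# Added example (not from the original answer). All names and paths are assumptions.

# The Jump Host, reached with my own (unrestricted) account.
Host jh
    HostName jh.example.net
    User me

# Run from the machine behind NAT, as:  ssh -N tunnel-up
# Publishes that machine's sshd as a Unix socket on the Jump Host; this is
# the config form of:  ssh -R /path/to/socket-file:localhost:22 tunnel@jh
Host tunnel-up
    HostName jh.example.net
    User tunnel
    RemoteForward /path/to/socket-file localhost:22
    # Exit instead of sitting idle if the socket cannot be bound (e.g. a stale
    # socket file left behind and StreamLocalBindUnlink not set on the server).
    ExitOnForwardFailure yes
    # Detect a dead tunnel so a supervisor (systemd, autossh) can restart it.
    ServerAliveInterval 30
    ServerAliveCountMax 3

# Run from the laptop, as:  ssh behind-nat
# ProxyCommand runs on the laptop, so it cannot open the socket directly; it
# instead asks the Jump Host (via the "jh" entry above) to run socat, which
# relays stdin/stdout to the Unix socket. My account on jh must be able to
# connect to the socket, hence StreamLocalBindMask 0111 in sshd_config.
Host behind-nat
    ProxyCommand ssh -q jh socat - UNIX-CLIENT:/path/to/socket-file
    # Stable known_hosts entry for the machine behind the socket, independent
    # of the proxy path used to reach it.
    HostKeyAlias behind-nat
    User someuser
```

Two checks worth doing on the Jump Host before debugging the client side: `ls -l /path/to/socket-file` should show a socket with mode srw-rw-rw- (the default mask 0177 gives srw-------, which only the tunnel account can use), and `sshd -T -C user=tunnel | grep -i streamlocalbind` prints the values sshd actually applies to that user, which is the quickest way to see whether the Match block is being honoured on a given OpenSSH version.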