SSH relay server with OpenSSH
Is it possible to use OpenSSH to relay to other SSH-enabled devices such as routers switches etc? Is this something that can be done without creating a bespoke application on Linux to do it?
Sure; just use SSH port forwarding/tunneling. Start an ssh connection to the "proxy" machine using the following command:
ssh -L$LOCALPORT:$REMOTEHOST:$SSHPORT $PROXYHOST
- $PROXYHOST: the machine you've got SSH access to
- $REMOTEHOST: the machine that $PROXYHOST can connect to, but you can't. Use a hostname or IP that $PROXYHOST can use to refer to the machine
- $SSHPORT: the port that sshd is listening on at remotehost; most likely 22
- $LOCALPORT: the local outbound port SSH is opening up on your local machine that forwards to port 22 on $REMOTEHOST
Leave that connection up to keep the tunnel working. You might want to also add -N to the command so that this connection won't bring up a remote shell and you won't accidentally close it later.
Once the tunnel is established, do the following:
ssh -p $LOCALPORT localhost
This attempts an SSH connection to your local machine on the port that's forwarded to $REMOTEHOST's SSH port.
Of the presented answers, Zordache's is the best overall solution. However, for posterity, if you simply want to connect ad hoc without editing your config, use the -t flag to allocate a pseudo-terminal along with executing ssh directly on the relay.
ssh -t relay.example.com ssh internal.example.com
If you are willing to update the configuration on your client, you can set up your client to use your gateway box as a proxy. Your relay box will need netcat installed, and for the best results you'll want to have key-based authentication set up.
Here is what I use in my .ssh/config to connect through another host.
Host internal-ssh-host-proxy
ProxyCommand /usr/bin/ssh username@ssh-relay-host "/bin/netcat -w 1 internal-ssh-host 22"
With the above you can simply run the command ssh internal-ssh-host-proxy from your client machine.
If the proxy SSH host has OpenSSH client 5.4 or above, you do not need netcat; instead you can use the built-in netcat mode.
Host internal-ssh-host-proxy
ProxyCommand /usr/bin/ssh username@ssh-relay-host -W internal-ssh-host:22
You can forward connections automatically using OpenSSH. In your ~/.ssh/authorized_keys file, you can specify a command to execute, which could be an SSH to a second machine.
[ssh client] ----> [ssh relay server] ----> [ssh target server]
    you            modified authorized_keys    target machine
What you will end up seeing is two prompts for "Password:": one for the relay server and one for the target server. You can always remove this behaviour by using certificates.