Using reverse SSH to connect two clients over one server
Solution 1:
I don't think there is an easy way to do this on a mass scale. And you don't really mention the scope of these ssh connections. Terminal only? Might make things a bit easier.
Run
ssh -NR 2210:localhost:22 [email protected]
as someuser on the machine behind the firewall. I'm assuming 2210 is available on the intermediary machine; if it's not, pick another port. Each machine you want to access behind the firewall will need its own port.
Your Internet user connecting to the intermediary needs ssh access on the intermediary. To get behind the firewall just do
ssh -t [email protected] "ssh someuser@localhost -p 2210"
to get terminal access. You'll need to do the same thing on a different port for every server.
You can daemonize that first part so it happens on boot. I don't know the best way to, say, make it easy to manage two sets of logins, passwords, etc. You can create passwordless logins based on ssh keys, but that will take time to set up and will need to be done for every user.
If terminal only works for you...
I created a little Perl script to act as a login shell wrapper for a user called sshcatcher. I saved it to /usr/local/remote.pl:
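#!/bin/perl
use strict;
use warnings;
print "Please enter your username to access the firewalled server: ";
my $user = <STDIN>;
chomp($user);
# Allow only plain usernames so the input cannot be read as an ssh option
die "Invalid username\n" unless $user =~ /^[a-z_][a-z0-9_-]*$/i;
# Pass each ssh argument as its own list element
system("ssh", "-p", "2210", "$user\@localhost");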
With something like that, maybe you can chance allowing an account with an empty password on the intermediary to automate the process a little.
The vipw entry looks like:
sshcatcher:x:2000:2000::/home/sshcatcher:/usr/local/remote.pl
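
The login-wrapper idea above, generalized to several firewalled machines with one reverse-tunnel port each, as an added example that is not part of the original answer. The machine names, ports 2211 and 2212, and the function names are assumptions made for illustration; 2210 is the port used above.

```shell
#!/bin/sh
# Login-shell wrapper for the intermediary: asks for a machine and a username,
# validates both, then connects through that machine's reverse-tunnel port.

# Constructed sample table, "machine:port", one tunnel port per firewalled machine.
TUNNELS="web01:2210 db01:2211 build01:2212"

# Succeeds only for plain names: non-empty, no leading '-', no characters
# outside [A-Za-z0-9_.-], at most 32 characters. This keeps typed input from
# being interpreted by ssh as an option or by the shell as a pattern.
valid_name() {
    case "$1" in
        ''|-*|*[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    [ "${#1}" -le 32 ]
}

# Prints the tunnel port for a machine name; fails for unknown or invalid names.
port_for() {
    valid_name "$1" || return 1
    for entry in $TUNNELS; do
        case "$entry" in
            "$1":*) printf '%s\n' "${entry#*:}"; return 0 ;;
        esac
    done
    return 1
}

main() {
    printf 'Machine: ';  read -r host
    printf 'Username: '; read -r user
    port=$(port_for "$host") || { echo 'Unknown machine' >&2; exit 1; }
    valid_name "$user"       || { echo 'Invalid username' >&2; exit 1; }
    # Every argument is passed separately and quoted.
    exec ssh -p "$port" "$user@localhost"
}

# Prompt only inside an sshd session that has a terminal attached.
if [ -n "${SSH_CONNECTION:-}" ] && [ -t 0 ]; then
    main
fi
```

Anything not listed in the table is refused before ssh is started, so the wrapper account can only reach the tunnel ports that were set up on purpose.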