Ssh – Multiple hops tunnels howto

sshssh-tunnel

I wonder if anyone is able to help me with multiple tunnel hops for servers…

basically my setup looks something like this…

[desktop01]=====[server01]=====[server02]---------[machine01]
                                         \--------[machine02]
                                          \-------[machine03]
                                           \------[machine04]

I want to setup some ssh tunnels so that from my desktop I can ssh directly to machine01 through 04 without having to ssh to each box in between in turn…

So desktop01 can only see server01, server02 can only accept connections from server01 and machines 01 to 04 only accept connections from server02.

Can anyone help as im really stuck with this.

Thank you in advance 🙂

Best Answer

The following configuration in ~/.ssh/config allows you to dynamically setup jump hosts by separating them with the % symbol:

Host *%*
    ProxyCommand ssh $(echo %h | cut -d%% -f2-) nc $(echo %h | cut -d%% -f1) %p

You could then run ssh machine01%server02%server01 and it would connect to machine01 via server01 and server02. (This doesn't work so well when you need to specify non-default usernames unfortunately.)

Related Solutions

Ssh – Alternatives to SSH for tunnelling connections

I've used both stunnel, and the putty family of tools (plink, putty), and I've only rarely found performance issues. I would imagine your slowness comes from poor network connection, or performance issues on either end of the pipe.

Ssh – autossh not working for two or more tunnels – or is there an alternative

From the autossh documentation:

autossh uses ssh to construct a loop of ssh forwardings (one from local to remote, one from remote to local), and then sends test data that it expects to get back.

-M port[:echo_port] specifies the base monitoring port to use. Without the echo port, this port and the port immediately above it ( port + 1) should be something nothing else is using. autossh will send test data on the base monitoring port, and receive it back on the port above. For example, if you specify "-M 20000", autossh will set up forwards so that it can send data on port 20000 and receive it back on 20001.

if you are using -M 20000 twice, this must fail. Use different ports for that (with one port space between them, so -M 20000 and -M 20002 would work). I recommend doing a "man autossh" and read the documentation of autossh, its also available online: http://www.manpagez.com/man/1/autossh/ . If you are using a lot of autossh tunnels, you may setup a dedicated echo service (From autossh documentation again):

Alternatively, a port for a remote echo service may be specified. This should be port 7 if you wish to use the standard inetd echo service. When an echo port is specified, only the specified monitor port is used, and it carries the monitor message in both directions. This allows the autossh to verify the connection without blocking ports for each tunnel on the remote side.

If you want to use xinetd for that, here is my echo service decleration:

service echo
{
        flags                   = REUSE
        socket_type             = stream
        wait                    = no
        user                    = root
        server                  = /usr/bin/cat
        log_on_failure          += USERID
        only_from               = 127.0.0.1
        disable                 = no
}

then you can use -M 20000:7 on all tunnels from different machines. if you have multiple tunnelns on one machine, use multiple -L or -R options or use a different port like -M 20002:7

Best Answer

Related Solutions

Ssh – Alternatives to SSH for tunnelling connections

Ssh – autossh not working for two or more tunnels – or is there an alternative

Related Topic