Ssh – reverse ssh tunnel over stunnel (or just reverse back down the stunnel connection)


I'm creating a security "dropbox" that can be deployed behind NAT or any firewall, call out to a controlled publicly accessible server and then initiate control from the server.

I know this is easily done with an ssh -R command, however, I'm looking for something that effectively evades IDS/IPS over proper SSL/TLS and port 443.

Currently my setup that is working (SSL only) has my dropbox (we'll call this the client) calling out and initiating a stunnel connection with the server. I can then ssh manually from the client to the server.

This is fine and great, however, I need to be able to ssh from the server down to the client via the established stunnel.

Questions:

  1. Can I just ssh directly from the server over the existing stunnel connection (stunnel initiated by the client)? This may require a stunnel config change; I'm just a little lost on what I should change.
  2. Can I reverse SSH tunnel from the client over stunnel to the server so the server then has a local port to ssh back down to the client? If so, I have not been able to get the ssh -R command to work properly as I think I end up creating a loop.

Below are my stunnel configs:

Server:

cert=/path/to/cert.pem
pid=/tmp/stunnel.pid
[ssh]
accept = 443
connect = 127.0.0.1:22

Client:

cert=/path/to/cert.pem
pid=/tmp/stunnel.pid
client=yes
[ssh]
accept=2200
connect=<serverpubip>:443

Example SSH command to attempt and reverse from client to server over the stunnel connection:

ssh -i /path/to/cert -R 2200:localhost:2200 -p 2200 admin@localhost -f -N

Remember, the requirements are that only the client can call the server to initiate the initial connection (stunnel) and the traffic must be over well-formed SSL/TLS encryption. I also need to gain shell access from the server down to the client. Thanks in advance!

Update:

It ended up being a bad ssh command. The ssh command that worked for me is:

ssh -i /path/to/cert -R 2201:localhost:22 -p 2200 admin@localhost -f -N

Best Answer

I think all that's needed is to change -R 2200:localhost:2200 to -R 2200:localhost:22 in your ssh command.

As it stands, you're connecting port 2200 on the server back to port 2200 on the client. And yes, that creates a forwarding loop since client:2200 is tunneled back to the server.

Assuming ssh on the client is running on port 22, then -R 2200:localhost:22 will connect port 2200 on the server to ssh on the client.

In order to help make this a little clearer, I suggest picking a different port number to reverse tunnel from the server: say, -R 2201:localhost:22. That way you're not using port 2200 on both hosts, which will help to keep you from getting the two ports confused.
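To make the forwarding chain in the question and this answer concrete, here is an added example (not part of the original post or answer) that models the hops created by the two stunnel configs and an ssh -R command, then resolves where a connection to a port on the server actually lands. Host names "client" and "server" and sshd on port 22 of both hosts are assumptions for the model.

```python
# Added example: model the port-forwarding chain from the stunnel configs and
# the ssh -R command in the question, so the bad -R mapping becomes visible.
from typing import Dict, Tuple

Endpoint = Tuple[str, int]          # (host, port)
ForwardTable = Dict[Endpoint, Endpoint]

# Hops that exist once the client has brought up stunnel (taken from the configs above).
STUNNEL_HOPS: ForwardTable = {
    ("client", 2200): ("server", 443),   # client stunnel: accept=2200, connect=<serverpubip>:443
    ("server", 443): ("server", 22),     # server stunnel: accept=443, connect=127.0.0.1:22
}

# Real listeners (assumed: sshd on port 22 of both hosts).
SSHD_LISTENERS = {("client", 22), ("server", 22)}


def reverse_forward(remote_port: int, local_port: int) -> ForwardTable:
    """Hop added by `ssh -R remote_port:localhost:local_port` run from the client:
    server:remote_port -> client:local_port ('localhost' in -R is resolved on the client)."""
    return {("server", remote_port): ("client", local_port)}


def resolve(start: Endpoint, table: ForwardTable, max_hops: int = 10) -> Endpoint:
    """Follow forwards from `start` until a real listener is reached.
    Raises on a true loop (endpoint revisited) or a port nothing listens on."""
    seen = [start]
    cur = start
    for _ in range(max_hops):
        if cur in SSHD_LISTENERS:
            return cur
        if cur not in table:
            raise ConnectionRefusedError(f"nothing listens on {cur[0]}:{cur[1]}; path {seen}")
        cur = table[cur]
        if cur in seen:
            raise RuntimeError(f"forwarding loop: {seen + [cur]}")
        seen.append(cur)
    raise RuntimeError(f"gave up after {max_hops} hops: {seen}")


def where_does_server_land(remote_port: int, local_port: int) -> Endpoint:
    """Endpoint reached by `ssh -p remote_port localhost` on the server after the client ran
    `ssh -R remote_port:localhost:local_port` through the stunnel."""
    table = {**STUNNEL_HOPS, **reverse_forward(remote_port, local_port)}
    return resolve(("server", remote_port), table)


if __name__ == "__main__":
    print("-R 2200:localhost:2200 ->", where_does_server_land(2200, 2200))  # server's own sshd
    print("-R 2201:localhost:22   ->", where_does_server_land(2201, 22))    # client's sshd
```

Running it shows the original command routes server:2200 back through the client's stunnel to the server's own sshd, while -R 2201:localhost:22 lands on the client's sshd as intended.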