On Sun, 23 Apr 2023 13:00:23 -0700 (PDT), Rhongomiant wrote:
Is there a way to create a tunnel from a remote host to a ProxyJump
host?
There are times when I need to connect to a remote host through one or
more hosts and create a reverse dynamic tunnel. However, I don't want
the reverse tunnel to come back to my system, but to one of the
ProxyJump hosts.
I have a solution provided that the last ProxyJump host is where the
reverse dynamic tunnel needs to terminate.
    ssh -tt <Host A> ssh -tt -R12345 <Host B>
However, in the case where there are hosts A, B, C, and D and the
reverse dynamic tunnel needs to terminate on host B, the following will
work if host B supports ProxyJump.
    ssh -tt <Host A> ssh -tt <Host B> ssh -J <Host C> -R12345 <Host D>
However, many of the systems we work on don't have a new enough ssh
version for ProxyJump. I know ProxyJump was added in OpenSSH 7.3/7.3p1
(2016-08-01) and reverse dynamic forwarding was added in OpenSSH
7.6/7.6p1 (2017-10-03), so if it supports reverse dynamic forwarding
then it supports ProxyJump, but anything we're connecting to supports
reverse forwarding, which was added in OpenSSH 2.5.1p1 (2001-02-19) and
is useful in many cases.
I'm wondering if there is a lesser known/obvious feature that lets us
specify a tunnel with the host it should originate from.
I know ProxyJump uses the -W option and maybe that doesn't provide
support for tunneling or tunneling beyond the next hop?
Thanks for any help.
What follows may not address exactly what you want, but it may
help:
Setup:
Machine M1 is in the Internet.
Machine M2 is in the Internet.
M1 can get into M2 via SSH.
M2 can access M3 via SSH.
M3 is not directly accessible from M1.
M3 is listening for incoming SSH connections at port (say) 713.
In order to SSH into M3 from M1 we do the following on M1:
    ssh -fngT -L 3022:M3:713 -C M2 ping -i 30 localhost > /dev/null 2>&1
    ssh -p 3022 localhost
If in M1 we add to .ssh/config the entry
    Host M3
        HostName localhost
        HostKeyAlias M3
        User <Username on M3>
        Port 3022
then we can get from M1 to M3 by means of
    ssh M3
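Added example (not part of either post): the -g flag in the reply's first command makes ssh bind the forwarded port 3022 on all interfaces of M1, so other hosts that can reach M1 can also reach M3's SSH port through it. The sketch below audits an ssh command line for -L/-D listeners that end up reachable beyond loopback; the function name local_listeners and the sample command lines in the test are constructed for illustration, and only the TCP forms of -L and -D are handled.

```python
import re
import shlex

# Option letters that take an argument, per the ssh(1) synopsis.
ARG_OPTS = set("BbcDEeFIiJLlmOopQRSWw")
LOOPBACK = {"localhost", "127.0.0.1", "::1", "[::1]"}
GW_OPT = re.compile(r"(?i)gatewayports\s*[=\s]\s*yes")

def local_listeners(cmdline):
    """Return (option, bind, port, exposed) for each TCP -L/-D listener."""
    argv = shlex.split(cmdline)[1:]
    gateway, specs, host_seen, i = False, [], False, 0
    while i < len(argv):
        arg = argv[i]
        i += 1
        if not arg.startswith("-") or arg == "-":
            if host_seen:
                break              # start of the remote command
            host_seen = True       # ssh keeps parsing options after the host
            continue
        for j, c in enumerate(arg[1:], start=2):
            if c == "g":
                gateway = True     # -g: GatewayPorts for local forwards
            if c in ARG_OPTS:
                val = arg[j:]      # argument glued to the flag, else next word
                if not val and i < len(argv):
                    val = argv[i]
                    i += 1
                if c in "LD":
                    specs.append((c, val))
                elif c == "o" and GW_OPT.fullmatch(val.strip()):
                    gateway = True
                break
    out = []
    for opt, spec in specs:
        # Split on ':' outside [...] so bracketed IPv6 addresses stay whole.
        f = re.split(r":(?![^\[]*\])", spec)
        want = 4 if opt == "L" else 2      # field count with a bind_address
        if len(f) not in (want, want - 1) or "/" in spec:
            continue                       # Unix-socket or malformed form: skipped
        bind = f[0] if len(f) == want else None
        port = int(f[-3] if opt == "L" else f[-1])
        # No bind_address: follows GatewayPorts. Explicit one wins; '' and '*'
        # mean all interfaces, any other non-loopback address is also reachable.
        exposed = gateway if bind is None else bind not in LOOPBACK
        out.append((opt, bind, port, exposed))
    return out

if __name__ == "__main__":
    print(local_listeners("ssh -fngT -L 3022:M3:713 -C M2 ping -i 30 localhost"))
```

Dropping -g, or writing the forward as -L 127.0.0.1:3022:M3:713, keeps the listener on loopback, which is all the "ssh -p 3022 localhost" step needs.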