Re: SSH tunnel for ssh traffic

On Fri, Apr 16, 2010 at 7:24 AM, Matt Domsch <Matt_Domsch@xxxxxxxx> wrote:
> On Thu, Apr 15, 2010 at 04:12:20PM +0200, Christoph Höger wrote:
>> Hi,
>>
>> I need to ssh to some remote VMs that sit in a private LAN. For any other
>> service (e.g. RDP) I'd just use ssh tunneling as normal.
>> But what do I do for ssh traffic? Since ssh is not host agnostic, it
>> will always complain about localhost having a different RSA key.
>> I just do not want to edit the known_hosts every time I need to connect
>> to a new machine!
>>
>> Is there some way to tell ssh to use a tunnel directly for a
>> connection?
>
> You want to use ProxyCommand lines in .ssh/config, rather than local
> redirects.
>
>
>
> Host deeper-inside
>     HostName 192.168.1.2
>     ProxyCommand ssh inside nc %h %p
>
> Host inside
>     HostName 192.168.0.2
>     ProxyCommand ssh outside nc %h %p
>
>
> where outside is the public host name/IP, inside is one level inside
> your private network, directly reachable by host outside, and
> deeper-inside is 2 levels deep, directly reachable by host inside.
>
>
> $ ssh deeper-inside
>

One thing that is worth bearing in mind that has caught me out before
is to be aware that you can have everything set up perfectly but the
connections can simply not work!  The reason "could" be that on one of
the machines there is a firewall port forwarding restriction - for
example when I connect to work I have to make an initial connection to
a specific "ssh" gateway to get through the company firewall, that has
been set up so that forwarding can only be done to ports 22 and 80 on
machines inside the firewall - all other port forwards are not allowed
- this made for some interesting time wastage until I realised that in
this case any fancy port forwarding was doomed to failure... It may not
be the case for your systems but in my case it meant having to rework
the way I wanted to make connections.

Just another factor that you may not think about when doing
sophisticated networking!

-- 
mike c
-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
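
An added example, not written by anyone in this thread: Python that walks the ProxyCommand chain from the configuration quoted above and lists any hop that a relay's port rule would refuse, as with the gateway described in the reply. The `db-admin` host, its port 2222 and the policy dictionary are constructed for illustration, and the parser assumes only the `ssh <relay> nc %h %p` form shown in the thread.

```python
import re
# Config from the message above; "db-admin" (port 2222) is constructed.
SSH_CONFIG = """\
Host deeper-inside
    HostName 192.168.1.2
    ProxyCommand ssh inside nc %h %p

Host inside
    HostName 192.168.0.2
    ProxyCommand ssh outside nc %h %p

Host db-admin
    HostName 192.168.0.9
    Port 2222
    ProxyCommand ssh outside nc %h %p
"""

def parse_hosts(text):
    """Return {alias: {keyword: value}} for single-pattern Host blocks."""
    hosts, current = {}, None
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) != 2 or parts[0].startswith("#"):
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "host":
            current = hosts.setdefault(value, {})
        elif current is not None:
            current.setdefault(key, value)  # ssh uses the first value it sees
    return hosts

def hops(alias, hosts):
    """(relay, target_host, target_port) for each nc run, outermost relay first."""
    chain, seen = [], set()
    while alias in hosts and "proxycommand" in hosts[alias]:
        if alias in seen:
            raise ValueError("ProxyCommand loop at " + alias)
        seen.add(alias)
        entry = hosts[alias]
        m = re.fullmatch(r"ssh\s+(\S+)\s+nc\s+%h\s+%p", entry["proxycommand"])
        if not m:
            raise ValueError("unsupported ProxyCommand for " + alias)
        chain.append((m.group(1), entry.get("hostname", alias), int(entry.get("port", 22))))
        alias = m.group(1)
    return chain[::-1]

def blocked(alias, hosts, policy):
    """Hops whose target port the relay's rule {relay: allowed ports} refuses."""
    return [h for h in hops(alias, hosts) if h[0] in policy and h[2] not in policy[h[0]]]
```

With a constructed policy of `{"outside": {22, 80}}`, `blocked("deeper-inside", ...)` is empty while `blocked("db-admin", ...)` returns the hop to port 2222, which is the kind of connection that fails even though the client configuration is correct.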
