> ok, so far this sounds like you have some devices out in the field
> which may be behind stateful firewalls, NAT or dynamic addresses and a
> server on a fixed address and you want to be able to connect back to
> these devices in the field.
>
> remotedevice ssh'es into externalhost and presumably keeps the connections up.
> when you want to connect to a device you get onto externalhost and ssh
> to localhost on whatever port corresponds to that device. so far so
> good.

Yeah, so this is exactly right.

> the id_rsa keys and usernames are all identical?

Yes, everything is identical, and the only way the external host can identify a folder of data is by the port number it connects to.

> That patch is already in the current version of OpenSSH. If I'm
> following you then it's not going to help, though (it's about making
> decisions in sshd based on which port the connection is made on,
> however in your scenario you're actually connecting to ssh on
> externalhost, not sshd).

So, taking this knowledge which I couldn't find documented in the man pages but found elsewhere on the Internet:

remote device /etc/ssh/sshd_config:

    Port 22222
    Match LocalPort 22222
        Banner /etc/ssh/banner
        ForceCommand /etc/ssh/script

remote device /etc/ssh/script:

    #!/bin/sh
    # The last field of SSH_CONNECTION is the port this sshd accepted the connection on.
    PORT="${SSH_CONNECTION##* }"
    DIR="/home/remoteuser/$PORT"
    mkdir -p "$DIR"
    cd "$DIR" || exit 1
    # No command supplied: give an interactive login shell in the per-port directory.
    [ -z "$SSH_ORIGINAL_COMMAND" ] && exec bash --login
    # Otherwise run the client's command (scp, etc.) from that directory;
    # going through sh -c keeps any quoting in the original command intact.
    exec /bin/sh -c "$SSH_ORIGINAL_COMMAND"

remote device -- tunnel:

    /usr/bin/ssh -i /home/remoteuser/.ssh/id_rsa_for_external_host -Nxn2TR 52000:127.0.0.1:22222 testuser@externalhost

command for externalhost admin/bot:

    ssh -i id_rsa_for_remote_device -p 52000 remoteuser@localhost
    scp -i id_rsa_for_remote_device -P 52000 remoteuser@localhost:testfile .

Now I have the incoming ssh from the external hosts being transparently placed into the right directory. This is exactly what I need. Is there a better way to do what I want, or should I just stick with what works?

Thanks
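The ForceCommand wrapper from the post, reworked as an added example (this is not the poster's script). It validates the port before using it as a path component and runs the client's command through sh -c so quoted arguments survive. One caveat worth keeping in mind: the last field of SSH_CONNECTION is the port of the sshd that accepted the connection (22222 in the posted config), not the listener port on externalhost, so for the directory to track externalhost's per-device port, each device's sshd and its tunnel target must use that device's port number. The installed path /etc/ssh/ssh-device-dir, the BASE_DIR variable and the function names are assumptions for this example.

```shell
#!/bin/sh
# Added example, not code from the original post: a ForceCommand wrapper that
# derives the per-device directory from the port the accepting sshd listened on,
# validates it before using it as a path component, and runs the client's
# command through sh -c so quoting survives.
#
# Assumptions (not from the post): it is installed as /etc/ssh/ssh-device-dir,
# BASE_DIR holds the per-port directories, and each device's sshd listens on the
# same port number that externalhost assigns to that device's reverse tunnel,
# because the last field of SSH_CONNECTION is the server-side port of the sshd
# that accepted the connection, not the listener port on externalhost.

BASE_DIR="${BASE_DIR:-/home/remoteuser}"

# Print the server-side port from an SSH_CONNECTION string
# ("client_ip client_port server_ip server_port"), or fail if it is not a
# plausible port number.
port_from_connection() {
    conn="$1"
    port="${conn##* }"
    case "$port" in
        ''|*[!0-9]*) return 1 ;;   # empty or non-numeric: never use as a path
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
    printf '%s\n' "$port"
}

# Map an SSH_CONNECTION string to the data directory for that port.
dir_for_connection() {
    port=$(port_from_connection "$1") || return 1
    printf '%s/%s\n' "$BASE_DIR" "$port"
}

# Entry point when sshd runs this as the ForceCommand.
run_forced_command() {
    dir=$(dir_for_connection "$SSH_CONNECTION") || {
        echo "cannot determine device directory from SSH_CONNECTION" >&2
        return 1
    }
    mkdir -p "$dir" && cd "$dir" || return 1
    if [ -z "$SSH_ORIGINAL_COMMAND" ]; then
        exec bash --login          # interactive session lands in the device directory
    fi
    # sh -c keeps the client's quoting intact (unquoted expansion would not), so
    # scp/sftp and commands with spaces in their arguments still work.
    exec /bin/sh -c "$SSH_ORIGINAL_COMMAND"
}

# Run only when invoked by sshd under the installed name; sourcing the file
# elsewhere just defines the functions.
if [ -n "$SSH_CONNECTION" ] && [ "${0##*/}" = "ssh-device-dir" ]; then
    run_forced_command
    exit $?
fi
```

Point `ForceCommand` at the installed script inside the `Match LocalPort` block exactly as in the posted sshd_config; sshd sets SSH_CONNECTION and SSH_ORIGINAL_COMMAND before running it, so the wrapper needs no arguments.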
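On the "is there a better way" question, the part a security reviewer would change first is on externalhost: with one shared tunnel key, any device can open any reverse-forward port, so the port-to-directory mapping is only as trustworthy as the first device to bind it. The following is an added example (not from the original thread) that builds authorized_keys entries pinning each device's own key to its one port. It assumes one key pair per device, a fixed port-to-device mapping, and OpenSSH 7.8 or later on externalhost for the `permitlisten` option; the sample keys and the function names are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original thread: build authorized_keys entries for
# externalhost that tie each device's tunnel key to the single reverse-forward
# port that device may open. Assumed: OpenSSH 7.8+ on externalhost (permitlisten),
# one key pair per device, and a fixed port-to-device mapping.

# Print one authorized_keys line for a device, or fail on a bad port.
tunnel_key_line() {
    port="$1"
    pubkey="$2"      # e.g. "ssh-ed25519 AAAA..." as found in the device's .pub file
    case "$port" in ''|*[!0-9]*) return 1 ;; esac
    # sshd refuses remote forwards on privileged ports for non-root users,
    # so only unprivileged listener ports are accepted here.
    [ "$port" -ge 1024 ] && [ "$port" -le 65535 ] || return 1
    # restrict turns off pty, agent/X11 forwarding, user-rc and all forwarding;
    # port-forwarding re-enables forwarding, and permitlisten narrows remote
    # forwards to exactly this loopback port.
    printf 'restrict,port-forwarding,permitlisten="127.0.0.1:%s" %s device-%s\n' \
        "$port" "$pubkey" "$port"
}

# Emit a whole authorized_keys file from "port pubkey" records on stdin.
tunnel_key_file() {
    while read -r port key; do
        [ -n "$port" ] || continue
        tunnel_key_line "$port" "$key" || return 1
    done
}

# Constructed sample mapping: two devices, two ports (the keys are placeholders).
SAMPLE_DEVICES='52000 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDeviceOne
52001 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDeviceTwo'

# Usage: printf '%s\n' "$SAMPLE_DEVICES" | tunnel_key_file > ~testuser/.ssh/authorized_keys
```

Because `restrict` already implies no-pty and the tunnel runs with `-N`, no `command=` is needed. On the device side, adding `-o ExitOnForwardFailure=yes -o ServerAliveInterval=30` to the posted tunnel command makes the client exit (so a supervisor can restart it) when the port is already taken or the connection goes dead, rather than sitting connected with no usable forward.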