- Arnoud "Galactus" Engelfriet
October 30, 2005, 4:50 pm
to 'middle1'. On 'middle1', I can connect to 'middle2' and from
'middle2' I can read my destination machine, 'dest'. I would like to
establish a secure connection between 'local' and 'dest' such that
there is no unencrypted traffic anywhere in between. Is this possible
by chaining tunnels?
This is what I tried to use:
local$ ssh -L 2222:middle2:22 middle1
local$ ssh -L 4444:dest:22 localhost -p 2222
local$ ssh localhost -p 4444
This first sets up a secure connection between local:2222 and
middle1, with a port forwarding to middle2's ssh port. Next, the
ssh connection attempt to localhost:2222 is forwarded to middle2:22
so that I can log into there. A new tunnel is now created that
connects localhost:4444 to dest:22.
Finally, I connect to localhost:4444 and am connected to dest at port 22.
As far as dest can tell, I am connecting from middle2 because
that is where the tunnel comes from.
It does seem rather overkill, since there are now three levels
of encryption between local and middle1. Is there a better way?
Arnoud Engelfriet, Dutch & European patent attorney - Speaking only for myself
Patents, copyright and IPR explained for techies: http://www.iusmentis.com/
Re: Chaining SSH tunnels?
I prefer "stacking" connections rather than chaining them. If you have
netcat or similar on the middle machines, then in the client's
~/.ssh/config you put something like this:
Host middle2
    ProxyCommand ssh middle1 nc %h %p
Host dest
    ProxyCommand ssh middle2 nc %h %p
This still multiple-encrypts, but the connection is secured end to end
and you don't have to manage listening port numbers. The pros and cons
of both approaches have been discussed here several times before, check
the group archives.
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
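The stacked configuration from the reply above, generalized to any number of hops. This is an added example, not code from either poster: the function name `stack_config` is hypothetical, and it swaps `nc` for OpenSSH's built-in `ssh -W` stdio forwarding, so netcat is not needed on the middle machines. It rejects host names that start with `-` or contain characters outside letters, digits, `.`, `_` and `-`, because each name ends up on an `ssh` command line inside `ProxyCommand`.

```shell
#!/bin/sh
# Emit ssh_config stanzas that stack SSH sessions through an ordered
# list of hops. Usage: stack_config first-hop [more-hops ...] dest
# The first hop is reached directly, so it gets no stanza.
stack_config() {
    # Validate every name before printing anything, so a bad name
    # never leaves a half-written config behind.
    for host in "$@"; do
        case "$host" in
            ""|-*|*[!A-Za-z0-9._-]*)
                echo "stack_config: refusing unsafe host name: $host" >&2
                return 1 ;;
        esac
    done

    prev=""
    for host in "$@"; do
        if [ -n "$prev" ]; then
            # Each host is reached through an SSH session to the hop
            # before it; -W asks that hop to forward stdio to %h:%p.
            printf 'Host %s\n' "$host"
            printf '    ProxyCommand ssh -W %%h:%%p %s\n' "$prev"
        fi
        prev=$host
    done
}

# The hosts from this thread; append the output to ~/.ssh/config.
stack_config middle1 middle2 dest
```

With these stanzas in place, `ssh dest` on 'local' opens one session per hop, the innermost one being encrypted from 'local' all the way to 'dest', and no listening ports have to be managed on 'local'.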