Tuesday, October 14, 2008

Fun with SSH Remote Port Forwarding

Prologue: Our Institute has several nice Dual Core Machines deployed for the students. Unfortunately the machines are behind a NAT with no port forwarded for external SSH access. Student's hostel is a bit far off from the computational centre. As such if someone felt the need of accessing the machines during non-office hours, it was a wee bit difficult. The sysadmin would not have agreed to forward any ports. Something had to be done....

SSH has a very useful feature - Remote and Local Port Forwarding. We have an old rickety PIII running Ubuntu 8.04.1 in the Hostel, it is connected to the net and is accessible via SSH from the internet. Using a tiny little shell script running on one of the machines in the Institute, I managed to make the old PIII an intermediate gateway for gaining SSH access to the Institute's machines from anywhere in the internet. The script is of few lines, but nevertheless powerful enough to serve our purpose.

while [ 1 ]; do
ssh -C -o ServerAliveInterval=30 -R 4321:localhost:22 serververhostname
echo Retrying

Let us analyse what this code does.
First of all serververhostname is the hostname of the PIII server. For example if www.example.com resolves to the public ip of the PIII server, then www.example.com would have been used instead of serververhostname.
The -C option requests compression of all data, to improve data transfer speed over slow connections.
The -o ServerAliveInterval=30 makes the SSH client send a keepalive packet at the application layer every 30s, this is to prevent a timeout, in case the connection is idle.
-R 4321:localhost:22 is the most important part. There is a SSH server running in the Institute's workstation, listening on port 22. "-R 4321:localhost:22" specifies that port 22 of localhost, i.e. of the institute's workstation is to be forwarded to port 4321 of the PIII, such that whenever a connection is made to the PIII on port 4321, the connection gets forwarded over the secure channel to port 22 of the Institute's Workstation.
The while loop ensures that the connection gets re-established if it breaks. You need to use a passphraseless RSA or DSA key for authentication instead of a password, otherwise the ssh client will wait for a password input.
Now suppose in the midst of the night I feel an urge to log in to the machine in my college, but I am (say even a few hundred or thousand miles :D) away from the computational centre, all I need to do is log in to the PIII server in the hostel using ssh from anywhere in the internet. Once I am in there, I issue the command: "ssh -l username localhost -p 4321". Though I am ssh-ing into port 4321 of localhost, effectively the connection is made to port 22 of the Institute's workstation, thanks to the previous ssh port forwarding. No need for persuading the sysadmin to make changes to the NAT or Institute's firewall.


cosmos delight said...

woh sab thik hai hum kaise access kar sakte?

sambit said...

Have to join our LAN... :)