Multi hop ssh connections with Putty

Kent Fredric kentfredric at gmail.com
Fri Jun 20 21:27:06 BST 2008


I'm not excessively familiar with putty, ( ok, I used it for a year,
but I don't have it handy, and I don't memorize how windows apps work
) but I know ssh rather well, and they appear to have the same syntax.

Using http://the.earth.li/~sgtatham/putty/0.60/puttydoc.txt and
http://security.web.cern.ch/security/ssh/Encrypting_Connections/putty-tunnel-1.png
as a guide,

The most common problem I have with SSH is I confuse "Local" and
"Remote" terminologies.

In "Local" mode, once the forward is established, queries to "Source"
on localhost (near side) will be forwarded to the destination (far
side).
In "Remote" mode, "source" on the remote host (far side) is
forwarded to "destination" (near side).

From what I've read you have this

A: Your computer
B: Intermediary
C: Final Host.  ( IP relative to B's view of the network )

I'll assume that B:D is a viable port on B running an SSH server,
C:E  is a port on C running an SSH server,
and C:F is a port on C running an HTTP server.

And you want to be able to tunnel stuff on C to A.

plink B -l someUser -P D -L X:C:E

( ie  plink foobar.com -l someUser -P 6969 -L 10010:192.168.1.10:22 )

this makes the ssh server on C appear on A at port X, so that logging into
A:X ( a local port on local host )  with putty will give you host C  (
ie: ssh 127.0.0.1:10010 will work )

plink B -l someUser -P D -L X:C:F

( ie  plink foobar.com -l someUser -P 6969 -L 8080:192.168.1.10:80 )

Will make http port on C appear at X on A.

The Visual Representation of this ( at least to my recollection ) is
using the "Local" page on portforwarding in putty ( as in image ) and
set the pairs
   SOURCE = X    (  10010 )
   DESTINATION = C:E ( 192.168.1.10:22 )
AND
   SOURCE = X    (  8080 )
   DESTINATION = C:F ( 192.168.1.10:80 )
respectively.

Side note, there's a handy trick you can use with this if you have a box
you need to forward arbitrary ports on but it only can perform
outgoing connections, and is completely firewalled from inbound
tunnels.

Have the remote box do this:

  ssh -R 12345:127.0.0.1:22 youruser@yourHost

This will make their box's ssh server appear on your computer at port
12345, permitting you to use

 ssh remoteuser@yourHost -p 12345

or

 ssh -L 8080:127.0.0.1:80 remoteuser@yourHost -p 12345

to set up port forwards as you please.

Hope that helps :)



Kent
ruby -e '[1, 2, 4, 7, 0, 9, 5, 8, 3, 10, 11, 6, 12, 13].each{|x|
print "enNOSPicAMreil kdrtf at gma.com"[(2*x)..(2*x+1)]}'
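
Added example, not part of the original message: a small Python helper that parses a `-L`/`-R` forward spec and reports which end opens the listening port, which end dials the destination, and whether the listener is reachable from other hosts. The function name `explain_forward` and its result keys are hypothetical, and the bind-address defaults it describes are OpenSSH's.

```python
import re

# One field: a bracketed IPv6 literal, or any run without ':' or brackets.
_FIELD = r"(\[[0-9A-Fa-f:.]+\]|[^:\[\]]*)"
_SPEC = re.compile(rf"^(?:{_FIELD}:)?(\d+):{_FIELD}:(\d+)$")
_LOOPBACK = {"localhost", "[::1]"}


def explain_forward(mode, spec):
    """Explain an ssh/plink forward: mode 'L' or 'R', spec [bind:]port:host:hostport."""
    if mode not in ("L", "R"):
        raise ValueError("mode must be 'L' or 'R'")
    m = _SPEC.match(spec)
    if not m:
        raise ValueError(f"not [bind:]port:host:hostport: {spec!r}")
    bind, port, host, hostport = m.groups()
    port, hostport = int(port), int(hostport)
    if not host or not (0 < port < 65536 and 0 < hostport < 65536):
        raise ValueError(f"empty host or port out of range: {spec!r}")
    # No bind address means loopback only (OpenSSH default with GatewayPorts off).
    # An empty bind address or '*' means every interface.
    loopback = bind is None or bind in _LOOPBACK or bind.startswith("127.")
    return {
        # -L listens on the machine running ssh/plink, -R on the ssh server.
        "listener": "client" if mode == "L" else "server",
        "bind": bind if bind is not None else "loopback (default)",
        "listen_port": port,
        # The destination is looked up and dialled by the opposite end.
        "resolved_by": "server" if mode == "L" else "client",
        "target": (host.strip("[]"), hostport),
        # True when hosts other than the listener itself can reach the port.
        # For -R the server only honours this if its GatewayPorts setting allows it.
        "exposed": not loopback,
    }


if __name__ == "__main__":
    # Constructed samples taken from the forwards used in the message above.
    for mode, spec in [("L", "10010:192.168.1.10:22"),
                       ("L", "8080:192.168.1.10:80"),
                       ("R", "12345:127.0.0.1:22")]:
        print(f"-{mode} {spec} ->", explain_forward(mode, spec))
```
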

