Why can I not connect to a reverse SSH tunnel port remotely, even with GatewayPorts enabled

portsshtunnel

I require constant SSH access to a host in our department, whose IP address is dynamically allocated. I've set up a remote SSH tunnel from the target host to one of our hosts that does posess a static ip address:

ssh -f -N -g -R :22223:localhost:22 tunnelhost

When I point SSH at local port 22223 on the tunnel host, the tunnel works fine. My problem is that I cannot seem to get the tunnel bound to anything other than localhost, though – i.e. when I try to SSH remotely to tunnelhost:12323, there is no open port to receive it. I've also tried:

ssh -f -N -R :22223:localhost:22 tunnelhost -o GatewayPorts=yes

But still no luck. Netstat shows me:

[me@tunnel_host ~]$ netstat -an | grep 22223
tcp        0      0 127.0.0.1:22223         0.0.0.0:*               LISTEN
tcp6       0      0 ::1:22223               :::*                    LISTEN

Confirming that the tunnel is only bound to localhost. I've added a port exception on the tunnel host, with firewalld-cmd, and ensured no network hardware is interfering with the connection. Any ideas as to what it could be?

Cheers, James.

Best Answer

You need to enable GatewayPorts=yes in the config for SSHd (/etc/ssh/sshd_config), not the client in order to enable binding to interfaces other than loopback on remote ports.

-o GatewayPorts=yes

Only works for local ports when passed to the ssh command.

Related Solutions

How to determine the port allocated on the server for a dynamically bound openssh reverse tunnel

If you set the 'LogLevel' in the sshd_config configuration file to DEBUG1 (or any DEBUG level), then sshd will log the port numbers in /var/log/auth.log.

Do remember, that using a LogLevel of DEBUG or higher could be a privacy risk, since much is logged.

(from /var/log/auth.log, removed a few lines to show relevant information)

Jun 24 06:18:24 radon sshd[9334]: Connection from 192.168.13.10 port 39193
Jun 24 06:18:24 radon sshd[9334]: Accepted publickey for lornix from 192.168.13.10 port 39193 ssh2
Jun 24 06:18:24 radon sshd[9334]: pam_unix(sshd:session): session opened for user lornix by (uid=0)
Jun 24 06:18:24 radon sshd[9334]: User child is on pid 9339
Jun 24 06:18:24 radon sshd[9339]: debug1: Local forwarding listening on 0.0.0.0 port 0.
Jun 24 06:18:24 radon sshd[9339]: debug1: Allocated listen port 39813
Jun 24 06:18:24 radon sshd[9339]: debug1: channel 0: new [port listener]
Jun 24 06:18:24 radon sshd[9339]: debug1: Local forwarding listening on :: port 39813.
Jun 24 06:18:24 radon sshd[9339]: debug1: channel 1: new [port listener]
Jun 24 06:18:27 radon sshd[9339]: Received disconnect from 192.168.13.10: 11: disconnected by user

If you follow it through, you can see where you could parse the connection information, and then the forwarded port (39813 in this case)

I used this command line between two of my machines, I do have ssh-key login set up, so no password prompts or delays

-xenon- lornix:~> ssh -R "*:0:radon:22" -N -T radon
Allocated port 39813 for remote forward to radon:22

-N specifies no command is given, and -T stops allocation of a tty for this connection.

Another way to disseminate the port connection information would be to parse it from the client side and send an email, jabber, text msg, smoke signals or pigeon to carry the port # to whomever needs it.

Related Question