Ubuntu – ssh without opening the ports

ssh

I usually provide solutions for my friends for fixing issues on their ubuntu machines. Most of them use shared internet connection over LAN where they cannot open ports for allowing me access their machines over ssh. Is it possible to ssh into a machine without opening ports. For example services like Teamviewer allow users to just accept a connection request from outside, and if the owner of the machine permits, then the machine can be used by authenticated users. So, similarly, if the owner of the machine permits, with some kind of authentication, one should be able to get ssh access to a machine without opening the ports on the NAT router.

Best Answer

You can do this over Empathy's backend (telepathy) through another application called ssh-contact.

I haven't used it personally, but it seems to me like a good way of getting two novices to SSH into each other.

Of course another method would be to have them SSH to you (I assume you're competent enough to manage your port forwarding) and forward a port back to a ssh server on their machine.

Get them to run:

ssh -R 48724:localhost:22 your_username@your_ip

You obviously might not want them logging in as your user so you could create another user and have that just for SSHing. There obviously has to be a modicum of trust between you and the other user.

And then you run:

ssh -p 48724 their_username@localhost

I'm using a high port so root privileges aren't required.

Of course, they'll need openssh-server installed for you to connect but that's a simple sudo apt-get install openssh-server

Related Solutions

Ubuntu – How to help someone (like granny) over SSH who is behind a NAT router

If your own computer can accept SSH connections, there is a way to use the technique that Pavlos G. linked to without an extra computer.

You first need an underprivileged* user that your friend will connect as:

sudo adduser reverse --shell /bin/false

Tell your friend to start the tunnel:

ssh -N -R 62222:localhost:22 reverse@lekensteyns-server

Then, on your own computer (lekensteyns-server), start the reverse connection:

ssh -p 62222 localhost

* I don't know enough about security to be able to advise on creating a suitably underprivileged user. That's probably something that should be covered in a separate question.

Ubuntu – How to expose multiple remote server ports via sshuttle

On the remote server define a secondary IP address, for example 10.0.0.1, that points to itself. (The same way 127.0.0.1 does.)

On your local machine, create your sshuttle connection as follows:

sshuttle -r user@remote 10.0.0.1
# "user" is your username on the remote machine
# "remote" is the name or IP address of the remote machine

You can now access the remote server at the 10.0.0.1 address. Because it understands connections from 10.0.0.1 to be "itself", all the ports are accessible at that address. (They stop being accessible as soon as you close the sshuttle connection.)

You can confirm this with the following commands:

nmap remote # returns only ssh port
nmap 10.0.0.1 # returns all ports

You can now connect to your database with the address 10.0.0.1:3306. For example, if it's a MySQL database you can connect to it uing MySQL Workbench.

If this approach suits you, you may want to investigate using sshoot to manage your sshuttle connections.

Best Answer

Related Solutions

Ubuntu – How to help someone (like granny) over SSH who is behind a NAT router

Ubuntu – How to expose multiple remote server ports via sshuttle

Related Question