Shell – How to ssh forwarding with AllowTcpForwarding set to no

linuxpythonshellsshssh-tunneling

There is some development I need to do on some remote box. Fortunately, I have shell access, but I need to go through a gateway that has AllowTcpForwarding set to false.

I took a peak at the docs and it says:

AllowTcpForwarding Specifies whether TCP forwarding is permitted. The
default is ''yes''. Note that disabling TCP forwarding does not
improve security unless users are also denied shell access, as they
can always install their own forwarders.

How would I go about installing (or building) my own forwarder? My goal here is to setup a remote interpreter using Pycharm via SSH and binding it to some local port, that data fed through ssh, that through the gateway, and then to the development box where the code is actually run. I imagine I could somehow utilize nc or some other unix utility that'll help get the job done.

I know I can ssh to my remote box by doing:

ssh -t user1@gateway ssh user2@devbox

But obviously this option isn't available in pycharm. I'll have to be able to open some local port such that

ssh -p 12345 localhost
(or variant)

will connect me to user2@devbox. This will allow me to configure the remote interpreter to use port 12345 on localhost to connect to the remote box.

Best Answer

As long as one can execute socat locally and on gateway (or even just bash and cat on gateway, see last example!) and is allowed to not use a pty to be 8bits clean, it's possible to establish a tunnel through ssh. Here are 4 examples, improving upon the previous:

Basic example working once

(having it fork would require one ssh connection per tunnel, not good). Having to escape the : for socat to accept the exec command:

term1:

$ socat tcp-listen:12345,reuseaddr exec:'ssh user1@gateway exec socat - tcp\:devbox\:22',nofork

term2:

$ ssh -p 12345 user2@localhost

term1:

user1@gateway's password:

term2:

user2@localhost's password:

Reversing first and second addresses makes the socket immediately available

socat has to stay in charge, so no nofork:

term1:

    $ socat exec:'ssh user1@gateway exec socat - tcp\:devbox\:22' tcp-listen:12345,reuseaddr
    user1@gateway's password:

term2:

    $ ssh -p 12345 user2@localhost
    user2@localhost's password:

Using a `ControlMaster` ssh

allows to fork while using only a single ssh connection to the gateway, thus giving a behaviour similar to the usual port forwarding:

term1:

    $ ssh -N -o ControlMaster=yes -o ControlPath=~/mysshcontrolsocket user1@gateway
    user1@gateway's password:

term2:

    $ socat tcp-listen:12345,reuseaddr,fork exec:'ssh -o ControlPath=~/mysshcontrolsocket user1@gateway exec socat - tcp\:devbox\:22'

term3:

    $ ssh -p 12345 user2@localhost
    user2@localhost's password:

Having only `bash` and `cat` available on `gateway`

By using bash's built-in tcp redirection, and two half-duplex cat commands (for a full-duplex result) one doesn't even need a remote socat or netcat. Handling of multiple layers of nested and escaped quotes was a bit awkward and can perhaps be done better, or simplified by the use of a remote bash script. Care has to be taken to have the forked cat for output only:

term1 (no change):

$ ssh -N -o ControlMaster=yes -o ControlPath=~/mysshcontrolsocket user1@gateway
user1@gateway's password:

term2:

$ socat tcp-listen:12345,reuseaddr,fork 'exec:ssh -T -o ControlPath=~/mysshcontrolsocket user1@gateway '\''exec bash -c \'\''"exec 2>/dev/null 8<>/dev/tcp/devbox/22; cat <&8 & cat >&8"\'\'\'

term3:

$ ssh -p 12345 user2@localhost
user2@localhost's password:

Related Solutions

Ssh – Work around two-factor SSH auth with Master connection and port forwarding

Quite an interesting problem you've got.

The real solution would be to ask your sysadmin for help first.

If that's not an option, the next best thing is to have pyCharm's libssh or whatever it uses (I did some googling and couldn't figure it out) parse your `~/.ssh/config'.

If that's not possible, you might be able to run your own ssh daemon on the remote host listening on the loopback address and connect to it with a local forward.

To setup an unprivileged ssh daemon (copied from a link on the SF answer):

  $ pwd
  /home/<USER>
  $ mkdir -p etc var/run
  $ cp /etc/sshd_config etc
  $ vi etc/sshd_config
  [Set `Port 2230']
  [Set `HostKey /home/<USER>/etc/ssh_host_rsa_key']
  [Set `UsePrivilegeSeparation no']
  [Set `PidFile /home/<USER>/var/run/sshd.pid']
  [:wq!]
  $ ssh-keygen -t rsa -f /home/<USER>/etc/ssh_host_rsa_key -N ''
  Generating public/private rsa key pair.
  Your identification has been saved in /home/<USER>/etc/ssh_host_rsa_key.
  Your public key has been saved in /home/<USER>/etc/ssh_host_rsa_key.pub.
  The key fingerprint is:
  02:5d:02:5d:e8:2e:c6:b9:4c:d9:93:6c:13:ef:5d:61 hein@vmbert2k8
  $ /usr/sbin/sshd -f /home/<USER>/etc/sshd_config -D

Now forward a local port to it (you will be logging in with 2fa here):

 ssh -L 2230:localhost:2230 example_com_master

And direct pyCharm to localhost:2230. You can also setup keypair auth on your custom sshd.

Note that this is a long shot, and your sysadmin may not appreciate it.

There's a big chance that pyCharm already uses OpenSSH for its ssh implementation. If that's so, adding multiplexing support to pyCharm would be way easier than the workaround I've proposed.

Ssh – What does port forwarding mean in “SSH port forwarding”

1 - general case

Suppose you have two server in a company network.

From local server "L1" you have access to a remote server "R1" via ssh on port 22.

The server R1 host a web service, but firewall/NAT/whatever block direct access to port 80.
"R1" can't access "L1" directly due to NAT issue.

from L1 you connect using (same user on both host)

ssh -L 10080:localhost:80 -R 10022:localhost:22 R1

now,

-L 10080:localhost:80 local browsing on 10080 will be forward to distant host (R1), localhost (e.g. distant 127.0.0.1) on port 80, thus you could browse distant host (R1), while blocked by firewall/NAT.
-R 10022:localhost:22 remote use of port 10022 will be forwarded to localhost (L1) port 22, you can initiate scp/ssh from remote to localhost. (using scp -P 10022 file localhost: (note upper -P ) )

This is actually a command line I use from an Ubuntu (14.04) laptop to go to production server (I can firefox to localhost:10080 and use scp from server to localhost:10022 to bring back file )

now your IP are

192.168.1.1 L1
172.17.17.1 R1

you use

ssh -L 10080:172.17.17.3:80 -R 10022:192.168.1.5:22 \
     -L 192.168.1.9:8888:172.17.17.9:9999 R1

now

distant access to port 10022 (any IP) will be forwarded to local 192.168.1.5 ssh/scp.
local access to port 10080 (any IP) will be forwarded to distant host 172.17.17.3 port 80.
local access to port 8888 from 192.168.1.9 will be forwarded to port 9999 on 172.17.17.9 (192.168.1.9 is a local address in L1, using alias mecanism, this is not a firewall rule).

those setting can be used on putty/bitwise client

Ask Ubuntu question

what about

 -R 8000:localhost:80

this read as

-R remote
8000 port 8000 (remote port 8000 ... )
localhost (remote port 8000 goest to localhost .. )
80 ( remote port 8000 goes to localhost port 80 )

Best Answer

Basic example working once

Reversing first and second addresses makes the socket immediately available

Using a ControlMaster ssh

Having only bash and cat available on gateway

Related Solutions

Ssh – Work around two-factor SSH auth with Master connection and port forwarding

Ssh – What does port forwarding mean in “SSH port forwarding”

1 - general case

Ask Ubuntu question

Related Question

Using a `ControlMaster` ssh

Having only `bash` and `cat` available on `gateway`