Ssh – Reverse ssh tunnel in config

configurationsshssh-tunneling

How can I establish a reverse ssh tunnel with my ./ssh/config file?

I'm trying to reproduce this command

ssh -R 55555:localhost:22 user@host

in my .ssh/config file so that when I type ssh host I'll ssh to the host as user and with a reverse tunnel. The commands accepted by the config file are more verbose counterparts to the command line flags. Based on the ssh manpage and the manpage for ssh_config, it seems like the corresponding setting is BindAddress.

In my .ssh/config file I have:

Host host
     Hostname host
     User user
     BindAddress 55555:localhost:22

This, and slight variations of, result in a connection refused when I try

ssh localhost -p 55555

once logged in on the host. The same works fine if I explicitly give the command at the top when first sshing to the host. My config file does work without the reverse tunnel command; ssh host logs me into host as user.

Best Answer

BindAddress is not the option you're after. From man ssh_config:

BindAddress
         Use the specified address on the local machine as the source
         address of the connection.  Only useful on systems with more than
         one address.

The configuration file equivalent of -R is RemoteForward:

RemoteForward
         Specifies that a TCP port on the remote machine be forwarded over
         the secure channel to the specified host and port from the local
         machine.  The first argument must be [bind_address:]port and the
         second argument must be host:hostport. [...]

With this information the command line

ssh -R 55555:localhost:22 user@host

translates into the following .ssh/config syntax:

Host host
HostName host
User user
RemoteForward 55555 localhost:22

Related Solutions

Ssh – Remote SSH Tunnel not working with certificates

The -v option will gives you more information on the client side.

plink.exe -v -R *:62050:127.0.0.1:9000 user@host -i ./np.ppk
Looking up host "host"
Connecting to 135.x.x.x port 22
Server version: SSH-2.0-OpenSSH_5.1
Using SSH protocol version 2
We claim version: SSH-2.0-PuTTY_Release_0.63
...
Opened main channel
Requesting remote port *:62050 forward to 127.0.0.1:9000
Remote port forwarding from *:62050 enabled              <---<<<
Allocated pty (ospeed 38400bps, ispeed 38400bps)
Started a shell/command
...

If you didn't manage to find the answer with plink verbose mode. Open sshd in debug mode on another port (or ask the root administrator to do that).
No need to stop the regular sshd deamon.

# /usr/sbin/sshd -dd -p  2222
debug2: load_server_config: filename /opt/ssh/etc/sshd_config
debug2: load_server_config: done config len = 514
debug2: parse_server_config: config /opt/ssh/etc/sshd_config len 514
debug1: Config token is port
debug1: Config token is protocol
debug1: Config token is hostkey
debug1: Config token is hostkey
....

Then connect to that sshd instance with plink option -P

plink.exe -v -P 2222 -R *:62050:127.0.0.1:9000 user@host -i ./np.ppk

You will have the debug information of both end.

EDIT

The solution is in man sshd at the "AUTHORIZED_KEYS FILE FORMAT" chapter.

It is likely that the no-port-forwarding option has been associated to your key but that no global option has been set.

 no-port-forwarding
         Forbids TCP forwarding when this key is used for authentication.  Any port forward requests by the client will return
         an error.  This might be used, e.g. in connection with the command option.

You should have access to your home ~/.ssh/authorized_keys , edit the file and remove that option.

Sometimes the authorized_keys are centralized in a protected directory in that case you will not be able to change it.

Ssh – .ssh/config ProxyCommand with a variable port

It is not possible to write a script in the configuration file to pull a variable for port number.

But you can write a bash function to get the port for you and place it into the correct place. For example place the following to the ~/.bashrc:

function ssh-dynamic() {
  PORT=`sh get_port_for_somehost.sh`
  exec ssh -p "$PORT" somehost "$@"
}

where the other configuration may stay in the ~/.ssh/config.

Best Answer

Related Solutions

Ssh – Remote SSH Tunnel not working with certificates

EDIT

Ssh – .ssh/config ProxyCommand with a variable port

Related Question