[rescue] how to use a NAT/PAT to forward SSH to an internal box

Patrick Giagnocavo rescue@sunhelp.org
Sat Jan 5 01:30:14 CST 2002


On Sat, Jan 05, 2002 at 02:09:38AM -0500, George Adkins wrote:
> > > Subject: Re: [rescue] an idea...
> > > > Something similar could be accomplished by just forwarding various ports
> > > > on a NAT box to port 22 on the correct box.  That's what I do.
> > >
> > > okay, so... how do I ssh to one of these boxes from the outside using
> > > only a hostname?
> >
> > If you want to SSH to the firewall, and also to some internal box at the
> > same time, using just a hostname, then you'll need two IP addresses on
> > the firewall's external interface.  
> 
> Yes, I already know how to do these things, but that's not what this 
> discussion is about.
> 
> The intent here is to provide a _transparent_ method to access hosts on a 
> remote RFC1918 network via SSH by hostname alone, without using additional 
> live IPs or non-standard ports.
> 
> I want any user anywhere to be able to type:
> rubicon# ssh user@ballocks.webbastard.org
> and get through to a machine with an IP address of 172.31.110.24

The simple answer is that SSH does not support this and it is not part
of the protocol.

However, what I was thinking about was a way to proxy the SSH
connection... maybe you could use the Perl interface to SSH to get the
information you need, then either proxy it, or silently redirect the
connection to the internal machine?

Look at Net::SSH::Perl by Benjamin Trott - that module has a
ChannelMgr that lets you do stuff with ssh channels.

e.g.:

Net::SSH::Perl::AuthMgr manages authentication methods and auth
context for the SSH-2 authentication process. At its heart is a
dispatch mechanism that waits for incoming packets and responds as
necessary, based on a handler table that maps packet types to code
references.



Net::SSH::Perl::Packet implements the packet-layer piece of the SSH
protocol. Messages between server and client are sent as binary data
packets, which are encrypted (once the two sides have agreed on the
encryption cipher, that is).
Packets are made up primarily of a packet type, which describes the
type of message and data contained therein, and the data itself. In
addition, each packet: indicates its length in a 32-bit unsigned
integer; contains padding to pad the length of the packet to a
multiple of 8 bytes; and is verified by a 32-bit crc checksum.

... etc.

I am not sure, but I believe that if you DO use a hostname, SSH
does keep the hostname around somewhere - a look at your ssh keys in
your home directory will show a difference between the key for "ssh
192.168.0.76" vs. "ssh blockedip.webbastard.org" even if the latter
has the IP address of the former.

./patrick
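The packet layout quoted above from the Net::SSH::Perl documentation (32-bit length, padding to a multiple of 8 bytes, a one-byte type, the data, and a 32-bit CRC) is the SSH-1 framing. Below is an added Python example of that framing, built and parsed end to end; it is not code from the original post, from Net::SSH::Perl, or from any SSH implementation. It assumes the CRC variant SSH-1 used (reflected polynomial 0xEDB88320, initial value 0, no final XOR), and the message type numbers and payloads are made up for the demonstration.

```python
import os
import struct

# CRC-32 table in the form SSH-1 used: reflected polynomial 0xEDB88320,
# initial value 0 and no final XOR (assumption stated in the lead-in).
# zlib.crc32 starts at 0xFFFFFFFF and inverts the result, so it differs.
_CRC_TABLE = []
for _i in range(256):
    _c = _i
    for _ in range(8):
        _c = (_c >> 1) ^ 0xEDB88320 if _c & 1 else _c >> 1
    _CRC_TABLE.append(_c)


def ssh1_crc32(data: bytes) -> int:
    crc = 0
    for b in data:
        crc = _CRC_TABLE[(crc ^ b) & 0xFF] ^ (crc >> 8)
    return crc & 0xFFFFFFFF


def build_packet(msg_type: int, payload: bytes) -> bytes:
    """Frame one unencrypted SSH-1 style packet:
    length(4) | padding(1..8) | type(1) | data | crc(4)."""
    body = bytes([msg_type]) + payload
    # The length field counts type + data + CRC; it excludes itself and the padding.
    packet_length = len(body) + 4
    # 1..8 bytes of padding so that everything after the length field is a
    # multiple of 8 (the cipher block size), as the quoted description says.
    pad_len = 8 - (packet_length % 8)
    padding = os.urandom(pad_len)          # random padding, as SSH-1 did
    crc = ssh1_crc32(padding + body)       # CRC covers padding, type and data
    return struct.pack(">I", packet_length) + padding + body + struct.pack(">I", crc)


def parse_packet(buf: bytes):
    """Parse one packet from the front of buf.
    Returns (msg_type, data, remaining_bytes); raises ValueError on
    truncation or CRC mismatch."""
    if len(buf) < 4:
        raise ValueError("truncated length field")
    (packet_length,) = struct.unpack(">I", buf[:4])
    if packet_length < 5:
        raise ValueError("packet too short for a type byte and a CRC")
    pad_len = 8 - (packet_length % 8)      # receiver recomputes padding from the length
    total = 4 + pad_len + packet_length
    if len(buf) < total:
        raise ValueError("truncated packet")
    padding = buf[4:4 + pad_len]
    body = buf[4 + pad_len:total - 4]
    (crc,) = struct.unpack(">I", buf[total - 4:total])
    if ssh1_crc32(padding + body) != crc:
        raise ValueError("CRC mismatch")
    return body[0], body[1:], buf[total:]


def parse_stream(buf: bytes):
    """Split a stream of back-to-back packets into (msg_type, data) pairs."""
    out = []
    while buf:
        msg_type, data, buf = parse_packet(buf)
        out.append((msg_type, data))
    return out


if __name__ == "__main__":
    # Constructed sample traffic: two packets with made-up type numbers.
    stream = build_packet(1, b"") + build_packet(2, b"x" * 13)
    print(parse_stream(stream))
```

Two things worth noticing from running it: nothing in this framing names a destination host, which is the point of the reply above, and the CRC is a corruption check rather than a keyed MAC. A CRC is linear, so a party who can alter ciphertext can also adjust the checksum to match; that is why SSH-2 replaced it with an HMAC, and why a proxy that dispatched on SSH-1 packet contents would have nothing authenticated to dispatch on.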


