[rescue] how to use a NAT/PAT to forward SSH to an internal box

George Adkins rescue at sunhelp.org
Sat Jan 5 16:06:54 CST 2002


> > the intent of the thread was to discuss ways to make this possible
> > without redirecting a real-world IP or using nonstandard ports.  (I
> > wouldn't have brought it up if it were already in use...)
>
> You can't.  It's fundamentally impossible.
>
> One way or another you have to tell SSH where to connect (IP#/port#).
> It defaults to using port#22 at the hostname given on the command-line
> and uses a client specific mechanism to determine what IP# corresponds
> to that hostname.
>
_SIGH_

The discussion at hand is on overcoming that limitation by other means, 
either by using some external program or script to pass information to/from 
the gateway so that appropriate forwarding can be established, or modifying 
the existing system to offer features already present in other software which 
might allow the desired effects.

Please, read the preceding messages in the thread.

Then, perhaps you can offer some constructive input into the discussion.
If you cannot / will not look at what's already been discussed, or have 
nothing better to offer than "you can't" then please excuse yourself from the 
conversation.

George


P.S.  Messages like this one...

On Wednesday 02 January 2002 09:42 pm, you wrote:
> > What you're discussing would really require changes to the
> > current SSH protocol(s), and IMHO is unlikely to ever happen.
>
> heh, OSI layer 9 and 10, eh? (political and religious layers)
>
> > If you tried to add virtual hosts to SSH, you would similarly
> > need to pass the "who am I looking for" info *before* the
> > SSHd could decide which host key to present as its credentials,
> > and therefore before the crypto session was fully initialized.
> > Sort of a chicken-and-egg problem.
>
> a better approach might be to have the gateway software simply process the
> "who are you looking for" part, and redirect the ssh connection to the
> right target as it comes through.
>
> Maybe something like:
> client connects to the gateway server
> client passes destination hostname to the server
> server returns port number and establishes forwarding map
> client calls ssh to connect to the gateway on specified port
> gateway forwards connection to destination host on port 22
> destination host responds and connection is established

.
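For readers who want to see the six-step exchange at the end of the P.S. as running code, here is an added example (mine, not George's or anyone else's on the list). It is a small Python gateway that speaks a constructed one-line protocol, "CONNECT <hostname>" in and "PORT <n>" (or "ERR ...") back, allocates a single-use listening port, records it in the forwarding map, and relays that port to the destination's port 22. The hostname exchange happens before any crypto, so the gateway only honours names from an allowlist it already knows (ALLOWED_DESTINATIONS is an assumed table, and the demo() stand-in for the internal box is an echo server, both constructed for the example). Because the gateway relays bytes rather than terminating SSH, the client still ends up negotiating directly with the internal box's sshd and sees that box's host key, which is what sidesteps the "which key to present" problem raised earlier in the thread.

```python
"""Gateway-side broker for "who are you looking for" SSH forwarding.

Added example, not code from the list post. Constructed protocol:
    client  -> gateway : CONNECT <destination-hostname>\n
    gateway -> client  : PORT <n>\n   or   ERR <reason>\n
The gateway then listens once on port <n> and relays to the destination's
port 22, so the client just runs:  ssh -p <n> user@gateway
"""
import socket
import threading

# Assumed allowlist: hostname -> (address, port) the gateway may reach.
# In a real deployment these are the internal boxes behind the NAT, port 22.
ALLOWED_DESTINATIONS = {}
_lock = threading.Lock()
_forwarding_map = {}   # allocated gateway port -> destination hostname


def _relay(src, dst):
    """Copy bytes one way until either side closes, then tear both down."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        for s in (src, dst):
            try:
                s.shutdown(socket.SHUT_RDWR)
            except OSError:
                pass


def _serve_forward(listener, dest_addr, dest_port):
    """Accept exactly one client on the allocated port and relay it."""
    conn, _ = listener.accept()
    listener.close()        # single use: the port is not left open afterwards
    upstream = socket.create_connection((dest_addr, dest_port))
    threading.Thread(target=_relay, args=(conn, upstream), daemon=True).start()
    threading.Thread(target=_relay, args=(upstream, conn), daemon=True).start()


def allocate_forward(destination):
    """Establish the forwarding-map entry; return the gateway port or None."""
    if destination not in ALLOWED_DESTINATIONS:
        return None
    dest_addr, dest_port = ALLOWED_DESTINATIONS[destination]
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))      # 0 = let the OS choose a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    with _lock:
        _forwarding_map[port] = destination
    threading.Thread(target=_serve_forward,
                     args=(listener, dest_addr, dest_port), daemon=True).start()
    return port


def handle_request(line):
    """Gateway side of the one-line exchange; returns the reply line."""
    parts = line.strip().split()
    if len(parts) != 2 or parts[0] != "CONNECT":
        return "ERR bad request\n"
    port = allocate_forward(parts[1])
    if port is None:
        return "ERR destination not permitted\n"
    return f"PORT {port}\n"


def request_forward(gateway_addr, gateway_port, destination):
    """Client side: ask the gateway which port to hand to ssh -p."""
    with socket.create_connection((gateway_addr, gateway_port)) as s:
        s.sendall(f"CONNECT {destination}\n".encode())
        reply = s.makefile("r").readline()
    if reply.startswith("PORT "):
        return int(reply.split()[1])
    raise RuntimeError(reply.strip())


def start_gateway(bind_addr="127.0.0.1"):
    """Run the broker on an OS-chosen port in a thread; return that port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((bind_addr, 0))
    srv.listen(5)

    def loop():
        while True:
            conn, _ = srv.accept()
            with conn:
                conn.sendall(handle_request(conn.makefile("r").readline()).encode())

    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]


def demo():
    """End-to-end run. A constructed echo server stands in for the internal
    box's sshd so the whole thing runs offline; returns what was relayed."""
    echo = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    echo.bind(("127.0.0.1", 0))
    echo.listen(1)

    def echo_once():
        conn, _ = echo.accept()
        with conn:
            conn.sendall(conn.recv(4096))

    threading.Thread(target=echo_once, daemon=True).start()
    ALLOWED_DESTINATIONS["internal-box.example"] = ("127.0.0.1", echo.getsockname()[1])
    gw_port = start_gateway()
    fwd_port = request_forward("127.0.0.1", gw_port, "internal-box.example")
    # This connection is what `ssh -p fwd_port user@gateway` would open.
    with socket.create_connection(("127.0.0.1", fwd_port)) as s:
        s.sendall(b"SSH-2.0-client-banner\r\n")
        relayed = s.recv(4096)
    return {"forward_port": fwd_port, "mapped_to": _forwarding_map[fwd_port],
            "relayed": relayed}


if __name__ == "__main__":
    print(demo())
```

Two points worth keeping in mind if anyone builds this for real: the CONNECT/PORT exchange is unauthenticated and in the clear, so the allowlist is what stops the gateway being turned into a general relay, and the allocated port is reachable by anyone who can reach the gateway between the PORT reply and the first connection, which is why the listener above accepts exactly once and then closes. Also nothing here needs a change to the SSH protocol or a non-standard port on the internal side, since the gateway is only ever a TCP relay.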