Doing dirty, dirty things with SSH

The TASK:
Allow SSH from ServerA on one network to directly connect with ServerB on a separate network.

The CAVEAT:
Both networks are isolated behind separate ‘jump’ servers (edge servers with only SSH enabled). No port forwarding, no routing, just a jump server.

The SOLUTION:
For those familiar with some of the more advanced (read: gross) features of SSH, tunnelling is not a difficult concept. Nevertheless, I think this is worth sharing:

Step one – tunnel to ServerA through JumpA:

ssh -L localhost:2202:ServerA:22 JumpA

Step two – connect through the first tunnel, and create a reverse tunnel to an unused port on the connecting workstation (I used 20052 in this example):

ssh -R 20052:localhost:20052 -p 2202 localhost

Step three – tunnel the port used in step two to ServerB port 22 through JumpB:

ssh -L 20052:ServerB:22 JumpB

There you have it. ServerA is now capable of SSHing into ServerB like this:

ssh -p 20052 localhost

The trick here is that we’re receiving from one inbound tunnel on port 20052, and forwarding that same port through another outbound tunnel. It’s gross, and unlikely to ever come in handy in a sane environment, but there it is. Food for thought.
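
The chain only works if the SSH daemon at each hop grants forwarding: steps one and three need local (-L) forwarding on JumpA and JumpB, and step two needs remote (-R) forwarding on ServerA. The script below is an added example, not part of the original post; it reads effective sshd settings in the format printed by `sshd -T` and reports whether a host would allow its step. The function names and the sample settings are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Input is effective sshd settings
# in the "keyword value" format printed by `sshd -T`.

# forwarding_modes: print which TCP forwarding kinds sshd would grant:
# "both", "local" (-L only), "remote" (-R only) or "none".
forwarding_modes() {
    awk '
        BEGIN { atf = "yes"; dis = "no"; po = "any"; pl = "any" }  # OpenSSH defaults
        { key = tolower($1); val = tolower($2) }
        key == "allowtcpforwarding" { atf = val }
        key == "disableforwarding"  { dis = val }
        key == "permitopen"         { po = val }
        key == "permitlisten"       { pl = val }
        END {
            l = (atf == "yes" || atf == "all" || atf == "local")
            r = (atf == "yes" || atf == "all" || atf == "remote")
            if (dis == "yes") { l = 0; r = 0 }   # overrides everything else
            if (po == "none") l = 0              # no -L destinations permitted
            if (pl == "none") r = 0              # no -R listeners permitted
            if (l && r)  print "both"
            else if (l)  print "local"
            else if (r)  print "remote"
            else         print "none"
        }'
}

# chain_step_allowed ROLE: ROLE is "jump" (JumpA/JumpB, steps one and three
# use -L) or "server" (ServerA, step two uses -R). Prints allowed or blocked.
chain_step_allowed() {
    modes=$(forwarding_modes)
    case "$1:$modes" in
        jump:local|jump:both)      echo "allowed" ;;
        server:remote|server:both) echo "allowed" ;;
        *)                         echo "blocked" ;;
    esac
}

# Constructed sample: a jump host that only relays interactive logins.
printf 'allowtcpforwarding no\n' | chain_step_allowed jump   # prints "blocked"
```

On a real host, feed it `sshd -T` output (add `-C user=...,host=...,addr=...` so Match blocks are evaluated). A PermitOpen or PermitListen value that names specific hosts or ports is treated here as still allowing forwarding, so check that list by hand.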
