Home / server / Questions / 898173
Accepted
blueFast
Asked: 2018-02-22 02:23:14 +0800 CST

How to ssh to a server which I can not directly reach?

  • 772

Context

I am running Ubuntu Desktop as my primary machine, which I will call D. I want to connect to server S via ssh, but the firewall is blocking me.

I have access to server S, via a very cumbersome path, involving a Windows virtual machine and PuTTY. This makes working with this server extremely annoying: completely different environment, copy/paste does not work, I can not properly use my desktop while being connected to it (Alt-Tab is broken by the Virtual Machine) etc

I have verified that I can ssh from server S to my desktop machine D (the opposite from what I need).

Could I somehow initiate "port forwarding" or similar from the server, so that I can ssh to the server from my desktop?

ssh

3 Answers

  1. Best Answer

    You can use the following command to set up an SSH tunnel from the remote server to your local machine:

    $ ssh -f -N -R 1234:localhost:22 user@your_machine_ip

    When the tunnel is set up, you can simply ssh to your remote server using the following command:

    $ ssh -p 1234 user@localhost

    Please note that you need to set up ssh keys for automatic login (no password prompt). If you want to create the SSH tunnel interactively, you can remove the options -f -N. For more info, man ssh.

    • 32

  2. If you are running a newer version of OpenSSH (7.3+) then you can use ProxyJump which bakes everything together magically:

    ssh -J windows_machine remote_server

    Which in your ~/.ssh/config looks like:

    Host remote_server
        HostName remote_server
        ProxyJump windows_machine
        User myname

    ProxyJump supports full SSH syntax, so if you are jim on windows_server and it uses port 2222 for ssh. remote_server is at IP 192.168.0.110 from the windows_server then you can write:

    Host remote_server
        HostName 192.168.0.110
        ProxyJump jim@windows_machine:2222
        User myname

    And still just run ssh remote_server to get there.

    If you are running an older version of SSH, use ProxyCommand - this allows you to tell SSH to first run a command to establish a proxy connection, before running the actual SSH command.

    ssh -o ProxyCommand='ssh -W %h:%p windows_machine' remote_server

    This uses the SSH -W option, which is shorthand for the more arcane netcat syntax.

    Note that, as when you run ssh remote_server you are now on the windows_machine you need to ensure that you use the IP of the remove_server from the jump box rather than the IP from your machine - these may well be the same.

    You can then add this directive to your ~/.ssh/config file:

    Host remote_server
  HostName remote_server
  User myname
  ProxyCommand ssh -W %h:%p windows_machine

    This means that if remote_server is a different machine as seen from windows_machine then you can put that in the config and still just use ssh remote_server.

    • 5

  3. Rather than trying to circumvent things and create a convoluted path, can't you just ask for SSH from your desktop to the server to be allowed? If you have the need for it and you should be accessing the server I can't see why you would have the request refused.

    • 1