Subject: Re: ssh tunneling

From: Peter Stuge <peter_at_stuge.se>
Date: Wed, 10 Feb 2010 05:29:46 +0100

Hi A,

A. Mark wrote:
> > How do you want to access the internal host?
>
> I'd like to be able to establish an ssh session to a private host
> (hostPrivate) on a network where one of the hosts (hostPublic) has
> an external IP to the internet

Ok, that's what I guessed, and what I wrote suggestions for.

> > For an example of how to use a direct-tcpip SSH channel (this is the
> > term for channels used for outbound TCP connections from the sshd)
> > please see example/direct_tcpip.c.
>
> I'm sorry but I don't understand how this has anything to do with
> what I'm trying to do.

Please study the example and read up on how direct-tcpip channels in
SSH work: http://www.ietf.org/rfc/rfc4254.txt section 7.2. (Note that
forwarded-tcpip is not what you want to use here, so look for
direct-tcpip further down in the section.)

> > As you can see in that file you must manually pump data through the
> > first connection. Since libssh2 requires a fd also for the second
> > connection you must use pipe() and manually copy data from the first
> > libssh2 connection into that pipe, and vice versa.
>
> I would like to know how you make the second connection without
> being able to see the IP of that host.

As I wrote, the sshd makes the second connection, according to what
the libssh2 program asks for. You can also use a name instead of an
IP when opening the direct-tcpip channel, in which case the sshd will
do a lookup to find the IP. So you can specify an internal name in
the external client without problems, as long as the name can be
resolved by hostPublic.

> What is fd?

fd is "file descriptor", the thing you get back from socket() and
open() in *ix, and for our purposes it's also what socket() on win32
returns.

Because of the current library API it's not as convenient as it could
be to accomplish what you want, but it is completely possible with
only a little effort.

> > Yes - why do you bring this up?
>
> Because I thought someone might know how to use putty to do this
> and understand what I'm trying to do with libssh2...

Aha. Unfortunately since both PuTTY and libssh2 are fairly complete
SSH client implementations, saying "I want to do with libssh2 what I
can do with PuTTY" without specific terminology or examples doesn't
help. :\

> The procedure should be similar as they are both clients.

But one is an application and the other is a library, so the
procedure is in fact pretty different.

> What I figured out so far is that I need to forward the connection
> via an ssh tunnel within the LAN from hostPrivate to hostPublic.

The other way around would be simpler:

* Connect using libssh2 from internet to hostPublic
* Open direct-tcpip channel from hostPublic to hostPrivate like in
  example/direct_tcpip.c
* Init a second LIBSSH2_SESSION for logging in to hostPrivate
* Then it gets a bit messy: you'll need to use all of direct_tcpip.c
  and set up a socket on localhost that you connect to, just so that
  there is a socket, since libssh2 needs one also for the second
  session. This means that the data pump for that first connection
  likely should run in its own thread.

> There is a procedure to do it with ssh commands and settings.

Yes, the equivalent of what I described above is:

# this is exactly what direct_tcpip.c implements
ssh -L 2222:hostPrivate:22 hostPublic

and then, in a second terminal:

ssh -p 2222 -ohostkeyalias\ hostPrivate -ohostname\ localhost user@hostPrivate

> So far it turned out I'm not sure that my question had anything to
> do with libssh2 or if it's possible or even feasible to use it in
> any way for my purposes. Please let me know.

Sure thing, you're on the right track, and using a direct-tcpip
channel it will work just fine, even though the implementation will
be a little unclean because of that extra socket and data pump.

//Peter
_______________________________________________
libssh2-devel http://cool.haxx.se/cgi-bin/mailman/listinfo/libssh2-devel
Received on 2010-02-10