Re: Quick and simple ssh(1) question
On Tue, Sep 14, 2004 at 12:02:32AM +0100, Mark Ovens wrote:
> Chuck Swiger wrote:
>> Mark Ovens wrote:
>>> Is it correct that you can't ssh(1) between two machines on the same LAN (using NAT) _via the Internet?_
>>>
>>> Strange question I know, but I need to be able to access one of my machines, postie, remotely. I've got sshd(8) running and can ssh(1) to it from a local machine using its local hostname. However, since I only have a single 'net connection here I tried to test connecting remotely by ssh(1)'ing to my router's 'net-facing hostname but I get
>>>
>>>   ssh: connect to host router_hostname port 22: Connection refused
>>>
>>> Port 22 is forwarded to postie on the router.
>>
>> Given time and sufficient determination, you ought to be able to make this work, but it's a real pain--
>> [snip detailed info]
>
> I think that answers my question - it won't work the way I'm trying it. As I said, this was just an attempt to test connecting from outside; guess I'll have to wait until I get to work tomorrow and try it from there (which is where I really want to connect from), it's just that if it doesn't work I'll have to wait until I get home to change things - a bit of a pain.

Note that with ssh(1), not only do you have to set up all of the port forwarding and so forth as you would do with any protocol, but you also have to worry about the SSH host keys. SSH gets extremely narked and refuses to connect (for very good reason) if the hostname/IP number of the machine it's connecting to doesn't match the host keys presented to it. This can be overcome by editing /etc/ssh/known_hosts or ~/.ssh/known_hosts to associate host keys and hostnames as required.

One other alternative you might find more flexible: instead of using NAT to do the port forwarding, you can use ssh itself. This does have the advantage that you can both ssh into your NAT box and hence into your private machines. Use the '-L' ssh tunnelling option -- ie. you first ssh into your NAT server where you run:

    ssh -L :otherhost:22

Then when you ssh to port on your NAT box you should get forwarded to port 22

Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK
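An added example, not code from anyone in this thread: a small checker for the known_hosts caveat above. When the same sshd is reached under two names (the LAN name and the router's public name that is forwarded to it), both names must be bound to the one host key actually presented, otherwise ssh refuses the connection. The hostnames, the IP and the key strings in the sample are constructed placeholders, and the hashed-entry and port handling follow the known_hosts format as documented in sshd(8).

```python
"""Check whether two names for one sshd share a known_hosts key, and build the
merged line that binds both names to the key the server really presents."""

# Constructed sample known_hosts: hostnames, IP and key material are placeholders.
# A server on a non-standard port appears as [host]:port, which the parser
# treats as an ordinary name.
SAMPLE_KNOWN_HOSTS = """\
# comment lines and blank lines are ignored
postie,192.168.1.10 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERpostie
router_hostname ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERrouter
"""


def parse_known_hosts(text):
    """Map each plaintext host pattern to its (key type, key) pair.

    Hashed entries (|1|...) and @cert-authority / @revoked marker lines are
    skipped: those need `ssh-keygen -F name`, not plain string matching.
    """
    keys = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#@|":
            continue
        fields = line.split()
        if len(fields) < 3:
            continue  # malformed line; ssh ignores it as well
        for name in fields[0].split(","):
            keys[name] = (fields[1], fields[2])
    return keys


def check_alias(text, name_a, name_b):
    """'same' if both names are bound to one key, 'mismatch' if they are bound
    to different keys (ssh will refuse to connect), or 'unknown:<name>'."""
    keys = parse_known_hosts(text)
    for name in (name_a, name_b):
        if name not in keys:
            return "unknown:" + name
    return "same" if keys[name_a] == keys[name_b] else "mismatch"


def merged_line(text, known_name, alias):
    """Return the known_hosts line that binds alias to known_name's key.

    Any stale line for alias must be removed first (`ssh-keygen -R alias`),
    otherwise the file still carries two conflicting keys for that name.
    """
    ktype, key = parse_known_hosts(text)[known_name]
    return "%s,%s %s %s" % (known_name, alias, ktype, key)
```

Run `check_alias` on your own ~/.ssh/known_hosts with the local name and the router's public name before the first remote attempt; a 'mismatch' result is exactly the case where ssh will bail out, and the line from `merged_line` is the edit that resolves it.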
RE: Quick and simple ssh(1) question
>> Most likely your router is configured to only forward connections that come from the outside.
>
> As I said, it was only a test and I was hoping that by using the router's external hostname it would simulate an external connection, obviously it doesn't.
>
>> Does it work to access 'postie' via ssh from some machine that is *actually* on the outside? If it does, then it is the configuration of your router which is not doing what you want it to.
>
> I don't have access to one until I get to work tomorrow which was why I was trying to simulate it - whilst I have the target machine in front of me.

--

This can be simulated at home by sshing into a host outside of your LAN (I used one of the hosts at my university) and then sshing back into your own machine. Maybe you can ssh into work and then back again ;) Or somewhere else outside your LAN..

Nimalan Mahendran
Tools Group
Direct - 519-880-2400 ext. 2756
www.sandvine.com

___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
Quick and simple ssh(1) question
Is it correct that you can't ssh(1) between two machines on the same LAN (using NAT) _via the Internet?_

Strange question I know, but I need to be able to access one of my machines, postie, remotely. I've got sshd(8) running and can ssh(1) to it from a local machine using its local hostname. However, since I only have a single 'net connection here I tried to test connecting remotely by ssh(1)'ing to my router's 'net-facing hostname but I get

    ssh: connect to host router_hostname port 22: Connection refused

Port 22 is forwarded to postie on the router.

It kind of makes sense to me that this won't work but I'd like to confirm that this is the case and it's not my sshd(8) configuration that's wrong.

Thanks.

Regards,

Mark
Re: Quick and simple ssh(1) question
Mark Ovens wrote:
> Is it correct that you can't ssh(1) between two machines on the same LAN (using NAT) _via the Internet?_
>
> Strange question I know, but I need to be able to access one of my machines, postie, remotely. I've got sshd(8) running and can ssh(1) to it from a local machine using its local hostname. However, since I only have a single 'net connection here I tried to test connecting remotely by ssh(1)'ing to my router's 'net-facing hostname but I get
>
>   ssh: connect to host router_hostname port 22: Connection refused
>
> Port 22 is forwarded to postie on the router.

Given time and sufficient determination, you ought to be able to make this work, but it's a real pain-- you need to set up an IP alias on postie for the public IP, not just your internal NAT address, you need to watch out for any anti-spoofing rules and anything blocking the RFC-1918 unroutable IPs commonly used with NAT on the machines involved, and you may even have to set up a host-specific route for the public IP to the NIC/subnet where the machine actually is on your router, as well (if that isn't already implied by the router when forwarding ports to a box, or marking an IP as the DMZ host, etc, depending on what your router is).

Using split DNS to return a local IP rather than a public IP when a machine on your LAN asks for a public name is easier to set up.

--
-Chuck
Re: Quick and simple ssh(1) question
On Mon, Sep 13, 2004 at 10:15:47PM +0100, Mark Ovens wrote:
> Is it correct that you can't ssh(1) between two machines on the same LAN (using NAT) _via the Internet?_

What do you mean 'via the Internet'? If both machines are on the same LAN any connections between them will never go outside the LAN, and thus never go near the Internet.

> Strange question I know, but I need to be able to access one of my machines, postie, remotely. I've got sshd(8) running and can ssh(1) to it from a local machine using its local hostname. However, since I only have a single 'net connection here I tried to test connecting remotely by ssh(1)'ing to my router's 'net-facing hostname but I get
>
>   ssh: connect to host router_hostname port 22: Connection refused
>
> Port 22 is forwarded to postie on the router.

Most likely your router is configured to only forward connections that come from the outside.

Does it work to access 'postie' via ssh from some machine that is *actually* on the outside? If it does, then it is the configuration of your router which is not doing what you want it to.

> It kind of makes sense to me that this won't work but I'd like to confirm that this is the case and it's not my sshd(8) configuration that's wrong.

I doubt it is sshd(8) that is at fault. Most likely it is your configuration of NAT and/or the forwarding of the port which is to blame.

--
Insert your favourite quote here.
Erik Trulsson
[EMAIL PROTECTED]
Re: Quick and simple ssh(1) question
Chuck Swiger wrote:
> Mark Ovens wrote:
>> Is it correct that you can't ssh(1) between two machines on the same LAN (using NAT) _via the Internet?_
>>
>> Strange question I know, but I need to be able to access one of my machines, postie, remotely. I've got sshd(8) running and can ssh(1) to it from a local machine using its local hostname. However, since I only have a single 'net connection here I tried to test connecting remotely by ssh(1)'ing to my router's 'net-facing hostname but I get
>>
>>   ssh: connect to host router_hostname port 22: Connection refused
>>
>> Port 22 is forwarded to postie on the router.
>
> Given time and sufficient determination, you ought to be able to make this work, but it's a real pain--
> [snip detailed info]

I think that answers my question - it won't work the way I'm trying it. As I said, this was just an attempt to test connecting from outside; guess I'll have to wait until I get to work tomorrow and try it from there (which is where I really want to connect from), it's just that if it doesn't work I'll have to wait until I get home to change things - a bit of a pain.

Thanks for the answer.

Regards,

Mark
Re: Quick and simple ssh(1) question
Erik Trulsson wrote:
> On Mon, Sep 13, 2004 at 10:15:47PM +0100, Mark Ovens wrote:
>> Is it correct that you can't ssh(1) between two machines on the same LAN (using NAT) _via the Internet?_
>
> What do you mean 'via the Internet'? If both machines are on the same LAN any connections between them will never go outside the LAN, and thus never go near the Internet.
>
>> Strange question I know, but I need to be able to access one of my machines, postie, remotely. I've got sshd(8) running and can ssh(1) to it from a local machine using its local hostname. However, since I only have a single 'net connection here I tried to test connecting remotely by ssh(1)'ing to my router's 'net-facing hostname but I get
>>
>>   ssh: connect to host router_hostname port 22: Connection refused
>>
>> Port 22 is forwarded to postie on the router.
>
> Most likely your router is configured to only forward connections that come from the outside.

As I said, it was only a test and I was hoping that by using the router's external hostname it would simulate an external connection, obviously it doesn't.

> Does it work to access 'postie' via ssh from some machine that is *actually* on the outside? If it does, then it is the configuration of your router which is not doing what you want it to.

I don't have access to one until I get to work tomorrow which was why I was trying to simulate it - whilst I have the target machine in front of me.

Thanks for the reply.

Regards,

Mark