Joseph S D Yao wrote:
> On Wed, May 27, 2009 at 04:49:45PM -0400, Doug Hughes wrote:
> ...
>
>> Do you want to transparently forward from the intermediary device or do
>> you want the intermediary device to do ssh protocol negotiation and then
>> open a new ssh connection to another device?
>>
>> if you want to transparently forward, there are many ways to do it. One
>> is to install a forwarding proxy like socat which just listens on 22 and
>> when it sees an incoming connection it sends it to remote host on 22..
>> like so..
>>
>> socat tcp-listen:22,reuseaddr,fork tcp-connect:internal_host:22
>>
>> (you can do it with other programs as well)
>>
> ...
>
>
> Note, of course, that if you do this you will no longer be able to 'ssh'
> to the bastion host! Solutions include forwarding only from external IP
> addresses, or forwarding a different incoming TCP port. The latter is
> slightly safer anyway [only slightly, though; security via obscurity is
> not a great help].
>

Either that, or bind the external forwarding to a specific IP address, leaving the internal IP address still accessible via ssh (which would have its sshd_config updated appropriately to bind to the explicit port).
_______________________________________________
Tech mailing list
[email protected]
http://lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/
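As an added example (not code from the thread or from socat): a minimal Python equivalent of the socat line quoted above, which accepts on a chosen bind address/port and relays each connection to the internal host (socat's fork becomes a thread pair), plus two stub listeners that stand in for the bastion's sshd and the internal host's sshd. The demo uses the "different incoming TCP port" option on loopback, so a connection to the forwarder's port reaches the internal stub while the bastion's own port still answers; the stubs, their banners and the ephemeral ports are constructed for the demo and are not real sshd instances.

```python
import socket
import threading

def _listener(addr):  # port 0: let the OS pick a free port for the demo
    srv = socket.socket()
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)  # socat's reuseaddr
    srv.bind((addr, 0))
    srv.listen(5)
    return srv

def start_banner_server(addr, banner):
    """Stand-in for an sshd (constructed): sends one banner line, then closes."""
    srv = _listener(addr)
    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                conn.sendall(banner + b"\r\n")
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def pipe(src, dst):  # copy bytes one way until EOF, then half-close the far side
    try:
        for chunk in iter(lambda: src.recv(4096), b""):
            dst.sendall(chunk)
        dst.shutdown(socket.SHUT_WR)
    except OSError:
        pass

def start_forwarder(listen_addr, target):
    """Like 'socat tcp-listen:PORT,bind=LISTEN_ADDR,reuseaddr,fork tcp-connect:HOST:PORT':
    accept on listen_addr, relay each connection to target ('fork' = a thread pair here)."""
    srv = _listener(listen_addr)
    def accept_loop():
        while True:
            client, _ = srv.accept()
            upstream = socket.create_connection(target)
            threading.Thread(target=pipe, args=(client, upstream), daemon=True).start()
            threading.Thread(target=pipe, args=(upstream, client), daemon=True).start()
    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()[1]
def read_banner(addr, port):  # connect as an ssh client would; return the server's first line
    with socket.create_connection((addr, port), timeout=5) as s:
        return s.makefile("rb").readline().strip()

def demo():
    """Forwarder on a third loopback port -> the bastion's own sshd stub stays reachable."""
    bastion = start_banner_server("127.0.0.1", b"SSH-2.0-bastion-stub")
    internal = start_banner_server("127.0.0.1", b"SSH-2.0-internal-stub")
    fwd = start_forwarder("127.0.0.1", ("127.0.0.1", internal))
    return {"via_forwarder": read_banner("127.0.0.1", fwd),
            "bastion_direct": read_banner("127.0.0.1", bastion)}
```

To reproduce the bind-to-address variant from the last paragraph, pass the external address as listen_addr and keep the bastion's sshd on the internal address only.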
