Subject: Re: ssh tunneling

From: A. Mark <gougolith_at_gmail.com>
Date: Tue, 9 Feb 2010 21:42:32 -0800

Well thanks a bunch again, I really appreciate it. I will report once I get
to the bottom of the things involved here.

A.M.

On Tue, Feb 9, 2010 at 8:29 PM, Peter Stuge <peter_at_stuge.se> wrote:

> Hi A,
>
> A. Mark wrote:
> > > How do you want to access the internal host?
> >
> > I'd like to be able to establish an ssh session to a private host
> > (hostPrivate) on a network where one of the hosts (hostPublic) has
> > an external IP to the internet.
>
> Ok, that's what I guessed, and what I wrote suggestions for.
>
>
> > > For an example of how to use a direct-tcpip SSH channel (this is the
> > > term for channels used for outbound TCP connections from the sshd)
> > > please see example/direct_tcpip.c.
> >
> > I'm sorry but I don't understand how this has anything to do with
> > what I'm trying to do.
>
> Please study the example and read up on how direct-tcpip channels in
> SSH work: http://www.ietf.org/rfc/rfc4254.txt section 7.2. (Note that
> forwarded-tcpip is not what you want to use here, so look for
> direct-tcpip further down in the section.)
>
>
> > > As you can see in that file you must manually pump data through the
> > > first connection. Since libssh2 requires a fd also for the second
> > > connection you must use pipe() and manually copy data from the first
> > > libssh2 connection into that pipe, and vice versa.
> >
> > I would like to know how you make the second connection without
> > being able to see the IP of that host.
>
> As I wrote, the sshd makes the second connection, according to what
> the libssh2 program asks for. You can also use a name instead of an
> IP when opening the direct-tcpip channel, in which case the sshd will
> do a lookup to find the IP. So you can specify an internal name in
> the external client without problems, as long as the name can be
> resolved by hostPublic.
>
>
> > What is fd?
>
> fd is "file descriptor", the thing you get back from socket() and
> open() in *ix, and for our purposes it's also what socket() on win32
> returns.
>
> Because of the current library API it's not as convenient as it could
> be to accomplish what you want, but it is completely possible with
> only a little effort.
>
>
> > > Yes - why do you bring this up?
> >
> > Because I thought someone might know how to use putty to do this
> > and understand what I'm trying to do with libssh2...
>
> Aha. Unfortunately since both PuTTY and libssh2 are fairly complete
> SSH client implementations, saying "I want to do with libssh2 what I
> can do with PuTTY" without specific terminology or examples doesn't
> help. :\
>
>
> > The procedure should be similar as they are both clients.
>
> But one is an application and the other is a library, so the
> procedure is in fact pretty different.
>
>
> > What I figured out so far is that I need to forward the connection
> > via an ssh tunnel within the LAN from hostPrivate to hostPublic.
>
> The other way around would be simpler:
>
> * Connect using libssh2 from internet to hostPublic
> * Open direct-tcpip channel from hostPublic to hostPrivate like in
> example/direct_tcpip.c
> * Init a second LIBSSH2_SESSION for logging in to hostPrivate
> * Then it gets a bit messy: you'll need to use all of direct_tcpip.c
> and set up a socket on localhost that you connect to, just so that
> there is a socket, since libssh2 needs one also for the second
> session. This means that the data pump for that first connection
> likely should run in its own thread.
>
>
> > There is a procedure to do it with ssh commands and settings.
>
> Yes, the equivalent of what I described above is:
>
> # this is exactly what direct_tcpip.c implements
> ssh -L 2222:hostPrivate:22 hostPublic
>
> and then, in a second terminal:
>
> ssh -p 2222 -ohostkeyalias\ hostPrivate -ohostname\ localhost user@hostPrivate
>
>
> > So far it turned out I'm not sure that my question had anything to
> > do with libssh2 or if it's possible or even feasible to use it in
> > any way for my purposes. Please let me know.
>
> Sure thing, you're on the right track, and using a direct-tcpip
> channel it will work just fine, even though the implementation will
> be a little unclean because of that extra socket and data pump.
>
>
> //Peter
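The "extra socket and data pump" that Peter describes, as a worked example added here; it is not code from this thread or from libssh2's example/direct_tcpip.c. The idea is the one from the reply: libssh2 needs a file descriptor for the second LIBSSH2_SESSION, but a direct-tcpip channel is not one, so a socketpair() is created, one end is handed to the second session as if it were the TCP socket to hostPrivate:22, and a loop copies bytes between the other end and the channel. The channel side is hidden behind two callbacks (assumed names chan_read/chan_write) that a real program would point at libssh2_channel_read() and libssh2_channel_write() on the first session; struct pump, pump_step, pump_run and bridge_selftest are names chosen for this example. The self-test uses a second socketpair as a constructed stand-in for the channel, so the file compiles and runs without libssh2 or a network.

```c
/* bridge.c: socketpair + data pump between a direct-tcpip channel and a
 * file-descriptor-based consumer (a second LIBSSH2_SESSION).
 * Example code written for this thread, not part of libssh2. */
#include <errno.h>
#include <poll.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* In real code these wrap libssh2_channel_read()/libssh2_channel_write(). */
typedef ssize_t (*chan_read_fn)(void *ctx, char *buf, size_t len);
typedef ssize_t (*chan_write_fn)(void *ctx, const char *buf, size_t len);

struct pump {
    int local_fd;             /* our end of the socketpair; the peer end goes to the second session */
    int chan_fd;              /* fd to poll for channel readability (the first session's socket) */
    void *chan;               /* opaque channel (LIBSSH2_CHANNEL * in real code) */
    chan_read_fn chan_read;
    chan_write_fn chan_write;
};

/* Write all of buf to an fd, retrying on short writes. Returns 0 or -1. */
static int write_all_fd(int fd, const char *buf, size_t len) {
    while (len > 0) {
        ssize_t n = write(fd, buf, len);
        if (n < 0) { if (errno == EINTR) continue; return -1; }
        buf += n; len -= (size_t)n;
    }
    return 0;
}

/* Same for the channel; real code would also retry on LIBSSH2_ERROR_EAGAIN. */
static int write_all_chan(struct pump *p, const char *buf, size_t len) {
    while (len > 0) {
        ssize_t n = p->chan_write(p->chan, buf, len);
        if (n < 0) return -1;
        buf += n; len -= (size_t)n;
    }
    return 0;
}

/* Move at most one buffer in each direction.
 * Returns 1 while both sides are open, 0 when either side closed, -1 on error. */
int pump_step(struct pump *p, int timeout_ms) {
    char buf[4096];
    struct pollfd fds[2] = { { p->local_fd, POLLIN, 0 }, { p->chan_fd, POLLIN, 0 } };
    int r = poll(fds, 2, timeout_ms);
    if (r < 0) return errno == EINTR ? 1 : -1;
    if (r == 0) return 1;
    if (fds[0].revents & (POLLIN | POLLHUP | POLLERR)) {
        ssize_t n = read(p->local_fd, buf, sizeof buf);
        if (n <= 0) return n == 0 ? 0 : -1;   /* second session closed its socket */
        if (write_all_chan(p, buf, (size_t)n) < 0) return -1;
    }
    if (fds[1].revents & (POLLIN | POLLHUP | POLLERR)) {
        ssize_t n = p->chan_read(p->chan, buf, sizeof buf);
        if (n <= 0) return n == 0 ? 0 : -1;   /* channel EOF (real code: libssh2_channel_eof()) */
        if (write_all_fd(p->local_fd, buf, (size_t)n) < 0) return -1;
    }
    return 1;
}

/* Blocking loop meant to be the body of the pump thread: run until one side
 * closes, then shut our socket end so the second session sees EOF too. */
void pump_run(struct pump *p) {
    while (pump_step(p, -1) > 0)
        ;
    shutdown(p->local_fd, SHUT_RDWR);
}

/* Constructed stand-in for the channel: a plain fd, so no libssh2 is needed. */
static ssize_t sim_chan_read(void *ctx, char *buf, size_t len) { return read(*(int *)ctx, buf, len); }
static ssize_t sim_chan_write(void *ctx, const char *buf, size_t len) { return write(*(int *)ctx, buf, len); }

static int read_exact(int fd, char *buf, size_t len) {
    while (len > 0) {
        ssize_t n = read(fd, buf, len);
        if (n <= 0) return -1;
        buf += n; len -= (size_t)n;
    }
    return 0;
}

/* Self-test: local[1] plays the second session's socket, chan[1] plays the
 * sshd on hostPublic relaying hostPrivate:22. Returns 0 on success. */
int bridge_selftest(void) {
    int local[2], chan[2], rc;
    char got[64];
    const char *banner = "SSH-2.0-hostPrivate\r\n";   /* constructed sample bytes */
    const char *reply  = "SSH-2.0-libssh2\r\n";
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, local) < 0) return -1;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, chan) < 0) return -1;
    struct pump p = { local[0], chan[0], &chan[0], sim_chan_read, sim_chan_write };
    /* hostPrivate -> channel -> socketpair -> second session */
    if (write_all_fd(chan[1], banner, strlen(banner)) < 0) return -1;
    if (pump_step(&p, 1000) != 1) return -1;
    if (read_exact(local[1], got, strlen(banner)) < 0) return -1;
    if (memcmp(got, banner, strlen(banner)) != 0) return -1;
    /* second session -> socketpair -> channel -> hostPrivate */
    if (write_all_fd(local[1], reply, strlen(reply)) < 0) return -1;
    if (pump_step(&p, 1000) != 1) return -1;
    if (read_exact(chan[1], got, strlen(reply)) < 0) return -1;
    if (memcmp(got, reply, strlen(reply)) != 0) return -1;
    /* second session hangs up: the pump must report closure */
    close(local[1]);
    rc = pump_step(&p, 1000);
    close(local[0]); close(chan[0]); close(chan[1]);
    return rc == 0 ? 0 : -1;
}

int main(void) {
    int rc = bridge_selftest();
    printf("bridge self-test: %s\n", rc == 0 ? "ok" : "FAILED");
    return rc == 0 ? 0 : 1;
}
```

In a real program the first session is in blocking mode, pump_run() is started with pthread_create() once the direct-tcpip channel is open, and the second session is handed local[1] via libssh2_session_handshake(); the second session's host key is then hostPrivate's, which is why the ssh equivalent above passes `-ohostkeyalias hostPrivate`.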

_______________________________________________
libssh2-devel http://cool.haxx.se/cgi-bin/mailman/listinfo/libssh2-devel
Received on 2010-02-10