* [Origin] Many machines cannot have their SSH port reached directly because of their network environment (e.g. they sit behind a firewall or have a dynamic address). SSH port forwarding can be used to tunnel through in that case.
* [Reference] man ssh(1)
{{{
-R [bind_address:]port:host:hostport
    By default, the listening socket on the server will be bound to
    the loopback interface only. This may be overridden by specifying
    a bind_address. An empty bind_address, or the address ‘*’,
    indicates that the remote socket should listen on all interfaces.
    Specifying a remote bind_address will only succeed if the
    server’s GatewayPorts option is enabled (see sshd_config(5)).
}}}
* [Network layout]
  * HiddenPC = the host behind the firewall; its account is username_At_HiddenPC
  * middleman = a host on the public network whose SSH port is reachable; its account is username_at_middleman
  * notebook = the laptop used for mobile work
* [Procedure]
  * On HiddenPC, run ssh -R to bind localhost:22 to middleman:10000
{{{
HiddenPC:~$ nohup ssh -f -N -R 10000:localhost:22 username_at_middleman@middleman
}}}
  * From middleman, an ssh connection to localhost port 10000 is equivalent to connecting to port 22 on HiddenPC
{{{
middleman:~$ ssh localhost -p 10000 -l username_At_HiddenPC
}}}
* [Drawback] With the approach above, only middleman itself can connect to that localhost port; a third machine such as notebook cannot connect directly to port 10000 on middleman. This does make the system somewhat safer, because you must first log in to middleman before you can reach HiddenPC, and putting HiddenPC's public_key on middleman would be comparatively dangerous.
* [Scenario 2] What if I want to forward port 80 of HiddenPC to port 8080 of middleman, so that notebook can access http://middleman:8080 directly as the equivalent of http://HiddenPC?
* [Solution] In that case GatewayPorts must be enabled in /etc/ssh/sshd_config, and a bind_address must be added to the ssh -R argument.
* [Reference] man sshd_config(5)
{{{
GatewayPorts
    Specifies whether remote hosts are allowed to connect to ports
    forwarded for the client. By default, sshd binds remote port
    forwardings to the loopback address. This prevents other remote
    hosts from connecting to forwarded ports. GatewayPorts can be
    used to specify that sshd should allow remote port forwardings to
    bind to non-loopback addresses, thus allowing other hosts to con‐
    nect. The argument may be “no” to force remote port forwardings
    to be available to the local host only, “yes” to force remote
    port forwardings to bind to the wildcard address, or
    “clientspecified” to allow the client to select the address to
    which the forwarding is bound. The default is “no”.
}}}
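The two man page excerpts together decide where a -R listener on middleman ends up. The script below is an added example, not part of the original wiki page: it models that decision for both scenarios (GatewayPorts value on middleman combined with the bind_address the client asks for) and parses ss(8) output to confirm where a forwarded port is actually bound. Host and account names follow the page; the sshd_config snippet and the ss output are constructed samples.

```shell
#!/bin/sh
# Added example, not from the original wiki page: models how the GatewayPorts
# value on middleman and the bind_address requested in "ssh -R" decide where the
# listener ends up, and checks the result from ss(8) output after the tunnel is up.
# Host names follow the page; the sample config and ss output are constructed.

# Effective GatewayPorts value from sshd_config text on stdin. sshd takes the
# first occurrence of a keyword, ignores commented lines, and defaults to "no".
gatewayports_value() {
    v=$(sed -n 's/^[[:space:]]*GatewayPorts[[:space:]]\{1,\}\([A-Za-z]*\).*/\1/p' | head -n 1)
    printf '%s\n' "${v:-no}" | tr 'A-Z' 'a-z'
}

# Address the remote listener binds to, given GatewayPorts ($1) and the
# bind_address the client put in -R ($2; empty when the client omitted it).
effective_bind() {
    case "$1" in
        no)  printf '127.0.0.1\n' ;;   # loopback only, whatever the client asked for
        yes) printf '0.0.0.0\n' ;;     # wildcard, whatever the client asked for
        clientspecified)
            case "$2" in
                ''|localhost) printf '127.0.0.1\n' ;;
                '*')          printf '0.0.0.0\n' ;;
                *)            printf '%s\n' "$2" ;;   # e.g. one address of middleman
            esac ;;
        *) echo "unknown GatewayPorts value: $1" >&2; return 1 ;;
    esac
}

# Address bound for port $1, read from "ss -ltn" output on stdin; empty if nothing listens.
listener_addr_for_port() {
    awk -v p="$1" '$1 == "LISTEN" { n = split($4, a, ":"); if (a[n] == p) { sub(":" p "$", "", $4); print $4 } }'
}

SAMPLE_SSHD_CONFIG='#GatewayPorts no
GatewayPorts clientspecified
GatewayPorts yes'   # the second directive is ignored by sshd

SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    127.0.0.1:10000     0.0.0.0:*
LISTEN 0      128    0.0.0.0:8080        0.0.0.0:*'

gp=$(printf '%s\n' "$SAMPLE_SSHD_CONFIG" | gatewayports_value)
echo "scenario 1, -R 10000:localhost:22     -> listener on $(effective_bind "$gp" '')"
echo "scenario 2, -R '*:8080:localhost:80'  -> listener on $(effective_bind "$gp" '*')"
echo "ss on middleman shows port 8080 bound to $(printf '%s\n' "$SAMPLE_SS" | listener_addr_for_port 8080)"
```

On a real middleman the same checks are `sshd -T | grep -i gatewayports` for the effective value and `ss -ltn` for the bound addresses; "clientspecified" with a single non-wildcard bind_address keeps the forwarded service off interfaces it does not need.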