Creating reverse ssh Connection Tunnels
Debian and/or Ubuntu  --  By Rodney Richison

Note: ssh, by it's very design, is insecure. Brute force attacks are very successful against ssh. Install something like denyhosts or create some iptable rules to prevent brute force attacks!  You have been warned!!


In this writing, we will refer to the machines as:

    host - machine to be ssh'ed into
    repeater - machine with new port assigned
    client - can be the repeater or yet another machine you wish to use.

    Explanation:
        You can use a reverse connection to go from one machine to another if one is behind a firewall or you can use a repeater to make the bridge between the two machines if they are both behind a firewall. Thus, the repeater or the client can access the "host".

Edit sshd_config and enable:
GatewayPorts yes  (This setting only applies to "remote" port forwardings ("ssh -R") which are connecting in to this SSH daemon.)

On repeater
vi /etc/ssh/sshd_config

GatewayPorts yes


Create a key on the "host"

On host
ssh-keygen -t rsa

Follow the prompts, just hitting enter for the passphrase. This will yield the id_dsa.pub
and id_dsa files (the public and private key pair):

...Generating public/private dsa key pair. [Enter]
...Enter file in which to save the key (/backup/id_dsa): [Enter]
...Created directory '/backup/id_rsa'. [Enter: you might not see this message]
...Enter passphrase (empty for no passphrase): [Enter]
...Enter same passphrase again: [Enter]




Copy the public key to the repeater:

Do this from the host machine, this will open up a ssh connection to the machine your
giving permision to and install it.



On host
ssh-copy-id -i ~/.ssh/id_rsa.pub repeater1.example.com (or you could use the ip address)
Now you should be able to ssh to the "repeater" without a password.

Ok, let's download autossh


On host
    apt-get autossh

Create the tunnel (Leave off the "-f" if you want to see the results)

On host
   autossh -f -N -R 5555:localhost:22 root@repeater1.example.com
	Explaination:
-M = the local port autossh uses to monitor the connection
(new versions of autossh do not need, nor do I recommend the -M flag)
If you find yourself getting disconnected, it is likely
because of the -M flag using multiple connections to the same port
-f = run in the background immediatly
-N and -R are ssh flags for reverse.
5555:localhost:22 repeater port 5555 and host port 22
root = username on repeater
@repeater1.example.com = repeater
At this point, you should have a working reverse connection.

You may wish to put the autossh command in your rc.local file. Be SURE to include the & sign at the end.
vi /etc/rc.local
# Example Run as root user and immediatly move to background.
su root -c 'autossh -f -N -R 5555:localhost:22 root@repeater1.example.com &'



From the repeater you can connect like this

On repeater

   ssh user@localhost -p 5555      (the username here is the username on the "host" machine)


But, we don't want to have to use a password..  dang it!
Don't worry, although
ssh-copy-id doesn't handle odd ports well, we can create a config file that does.  :)

On repeater
    vi ~/.ssh/config

Enter this into the config file  (Edit as needed)

    Host hostmachine    #Name you can remember of the connection
    Hostname localhost
    User root    # Do you really want to connect as root?
    Port 1111   # Change the port number to the one you use.
    # ForwardX11 yes   #Uncomment this line if you wish

Now you can upload the key because our port number is in the config file.

On host
ssh-copy-id -i ~/.ssh/id_rsa.pub hostmachine

Now if you try to connect, no password is needed.

Ok, that pretty much handles ssh from the repeater machine to the host machine. However, now you've taken your laptop somewhere that also has a firewall and you need to get to your "host". No problem, since you can reach the repeater machine..

On client
Create a config file like you did on the repeater above. But change the Hostname

    vi ~/.ssh/config

Enter this into the config file  (Edit as needed)

    Host hostmachine    #Name you can remember of the connection
    Hostname repeater1.example.com
    User root    # Do you really want to connect as root?
    Port 1111   # Change the port number to the one you use.
    # ForwardX11 yes   #Uncomment this line if you wish

Now you can upload the key because our port number is in the config file.

On client
ssh-copy-id -i ~/.ssh/id_rsa.pub hostmachine


Now you can connect

ssh username_on_host@repeater1.example.com

or

ssh hostmachine



Route firefox thru this tunnel
ssh -p 1111 -D 10126 -C root@ns1.rcrnet.net

Then change firefox proxy to:
socks host = localhost  (at the bottom)
port = 10126

Route X11VNC thru this tunnel
(Tutorial here for setting up X11VNC - http://www.thelinuxvault.net/wiki/X11vnc#Using_with_GDM)

Create the tunnel
ssh myname@files.com -L 5900:127.0.0.1:5900
Connect to the tunnel we created
xvncviewer localhost:0
or
	vncviewer vnchost:0

or
    in krdc vnc:/localhost:0