Date:      Tue, 14 Sep 2004 11:30:16 +0100
From:      Matthew Seaman <m.seaman@infracaninophile.co.uk>
To:        Mark Ovens <marko@freebsd.org>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: Quick and simple ssh(1) question
Message-ID:  <20040914103016.GD43574@happy-idiot-talk.infracaninophile.co.uk>
In-Reply-To: <41462708.3090405@freebsd.org>
References:  <41460E03.8020408@freebsd.org> <41462266.9000404@mac.com> <41462708.3090405@freebsd.org>

On Tue, Sep 14, 2004 at 12:02:32AM +0100, Mark Ovens wrote:
> Chuck Swiger wrote:
> >Mark Ovens wrote:
> >>Is it correct that you can't ssh(1) between two machines on the same LAN
> >>(using NAT) _via the Internet?_
> >>
> >>Strange question I know, but I need to be able to access one of my
> >>machines, postie, remotely. I've got sshd(8) running and can ssh(1) to
> >>it from a local machine using its local hostname. However, since I only
> >>have a single 'net connection here I tried to test connecting remotely
> >>by ssh(1)'ing to my router's 'net-facing hostname but I get
> >>
> >>  ssh: connect to host <router_hostname> port 22: Connection refused
> >>
> >>Port 22 is forwarded to postie on the router.
> >
> >Given time and sufficient determination, you ought to be able to make this
> >work, but it's a real pain--
>
> [snip detailed info]
>
> I think that answers my question - it won't work the way I'm trying it.
> As I said, this was just an attempt to test connecting from outside;
> guess I'll have to wait until I get to work tomorrow and try it from
> there (which is where I really want to connect from), it's just that if
> it doesn't work I'll have to wait until I get home to change things - a
> bit of a pain.

Note that with ssh(1), not only do you have to set up all of the port
forwarding and so forth as you would do with any protocol, but you also
have to worry about the SSH host keys.  SSH gets extremely narked and
refuses to connect (for very good reason) if the hostname/IP number of
the machine it's connecting to doesn't match the host keys presented
to it.  This can be overcome by editing /etc/ssh/known_hosts or
~/.ssh/known_hosts to associate host keys and hostnames as required.

One other alternative you might find more flexible: instead of using
NAT to do the port forwarding, you can use ssh itself.  This does have
the advantage that you can both ssh into your NAT box and hence into
your private machines.  Use the '-L' ssh tunnelling option -- ie. you
first ssh into your NAT server where you run:

    ssh -L 2222:otherhost:22

Then when you ssh to port 2222 on your NAT box you should get
forwarded to port 22

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK
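Added example, not code from the thread or from any FreeBSD project: a small POSIX sh script that builds the client-side form of the -L tunnel described above (listening port on the outside machine, forwarded through the NAT box to postie's port 22) and then binds the forwarded address to postie's existing known_hosts key, so the host-key check the reply warns about succeeds without being disabled. The hostnames natbox and postie, the port 2222 and the key material are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Hostnames (natbox, postie), the port
# and the key are assumptions; the key below is a fake placeholder.

# Client-side form of the -L tunnel: port LPORT on this machine is forwarded,
# through VIA (the NAT box), to DEST:DPORT. The command is printed, not run.
tunnel_cmd() {
    printf 'ssh -N -L %s:%s:%s %s\n' "$1" "$2" "$3" "$4"
}

# Print "keytype key" recorded for HOST in known_hosts FILE (exact match on
# one of the comma-separated names). Comment lines, @-marker lines and
# hashed entries (|1|...) are skipped.
known_hosts_key() {
    awk -v h="$1" '
        $1 !~ /^[#|@]/ {
            n = split($1, names, ",")
            for (i = 1; i <= n; i++) if (names[i] == h) { print $2, $3; exit }
        }' "$2"
}

# Record HOST's key under NAME as well (e.g. "[localhost]:2222", the form
# ssh uses for a non-standard port), so the tunnelled connection is checked
# against postie's real key instead of being rejected as a mismatch.
bind_alias() {
    key=$(known_hosts_key "$1" "$3")
    [ -n "$key" ] || return 1
    printf '%s %s\n' "$2" "$key" >> "$3"
}

# Demo with a constructed known_hosts file (fake key, not a real host key).
kh=$(mktemp)
printf 'postie,192.168.1.10 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDconstructed\n' > "$kh"
tunnel_cmd 2222 postie 22 natbox            # run this on the outside client
bind_alias postie '[localhost]:2222' "$kh"
known_hosts_key '[localhost]:2222' "$kh"    # then: ssh -p 2222 localhost
rm -f "$kh"
```

Once the forwarded address is bound, `ssh -p 2222 localhost` verifies against postie's key; `ssh -o HostKeyAlias=postie -p 2222 localhost` achieves the same lookup without the extra known_hosts line.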
