Feature to connect two hidden hosts through sshd

Nico Kadel-Garcia nkadel at gmail.com
Sat Dec 7 00:17:41 AEDT 2019


On Fri, Dec 6, 2019 at 6:04 AM Damiano Bolla <openssh.dev at engidea.com> wrote:
>
> Good morning
>
> I am inquiring if the following feature is in any way planned or if there is any interest to pool manpower to do it:
>
> The scope of the feature: Allow two hosts in private networks to share a port (typically to run VNC over it)
>
> How it would be used:
>
> - Companies or individuals would buy a public host in a cloud provider, install sshd in it with a public IP eg: 194.177.12.12
>
> when host A with private ip eg: 192.168.1.1 wants to establish a VNC connection to host B with private IP eg: 192.168.2.2 this
> should happen
>
> - Host A does: ssh [forward port 5901 and bind user damiano] 194.177.12.12
> - Host B does: ssh [incoming port 5901 and bind as user damiano] 194.177.12.12

It's workable. I've also seen internal security people get
*ridiculously* angry about leaving that kind of tunnel in place,
because you're basically punching a hole in their firewall without
their permission.

If you're going to need this kind of remote terminal access, look at
NoMachine rather than VNC. It provides much better access over the
remote sessions for a designated local or personal administrator. It's
at www.nomachine.com and has free versions available.

> what happens is
> - 194.177.12.12 has a list of permitted "bindings" and one of them is damiano
> - When host A connects to 194.177.12.12 and binds to user damiano it tells sshd that it wants to forward the given port to the
> binding

Which can be forced with an SSH key and the "ForceCommand" setting. If
that first host is a typical jumpgate, it may have port forwarding
disabled.

> - When host B connects to 194.177.12.12 and binds to user damiano it tells sshd that it wants to accept forwarded data on the given
> port from the binding

> As far as I see, there is no extra level of authentication on the bindings (binding name can be any string, even numeric) since the
> ssh connection is authenticated.

Look into using "sshn" on host A to automate the forwarded connection
and maintain it. And be ready for your local security person to beat
you with a stick when they find you've been running SSH tunnels
without their explicit permission.

> The question again is if this is in any way a planned feature or if there is any interest in doing it from anybody.
>
> Yes, I can get down to work on doing it
>
> Thanks
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
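The "binding" the original post asks for can be assembled today from a remote forward and a local forward through the public host, with each key restricted to its half of the job. The script below is an added example for this thread, not code from OpenSSH or from either poster. It assumes the addresses from the original post, a relay account named damiano that exists only for relaying, a VNC server on host B's localhost:5900, and OpenSSH 7.8 or later on the relay (for the permitlisten key option). restricted_key_line emits the authorized_keys entry for each hidden host; check_relay_config reads the effective configuration printed by sshd -T for the relay account and refuses a jumpgate that has forwarding disabled or would expose the relay port publicly.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenSSH: the "binding"
# asked for above, built from a remote and a local forward through the
# public host, with each key restricted to its half of the job.
#
# Assumed topology (addresses from the original post; the account name
# and VNC ports are assumptions):
#   relay  194.177.12.12  public sshd; account "damiano" exists only to relay
#   host B 192.168.2.2    VNC server listening on localhost:5900
#   host A 192.168.1.1    VNC viewer
#
# Host B publishes its VNC port on the relay's loopback (remote forward):
#   ssh -N -R 127.0.0.1:5901:localhost:5900 damiano@194.177.12.12
# Host A pulls that loopback port down to itself (local forward):
#   ssh -N -L 5901:127.0.0.1:5901 damiano@194.177.12.12
#   vncviewer localhost:5901
# GatewayPorts defaults to "no", so 5901 on the relay is bound to
# 127.0.0.1 and is never reachable on the public address.
#
# Relay-side sshd_config fragment (ForceCommand is what the reply above
# suggests; it only affects sessions, and "ssh -N" opens none):
#   Match User damiano
#       AllowTcpForwarding yes
#       GatewayPorts no
#       PermitListen 127.0.0.1:5901
#       PermitOpen 127.0.0.1:5901
#       ForceCommand /bin/false

RELAY_PORT=5901

# Emit an authorized_keys line that lets one key do exactly one thing.
# "restrict" disables pty, agent, X11, rc files and all forwarding;
# "port-forwarding" re-enables forwarding only; permitlisten/permitopen
# (OpenSSH 7.8 and later) pin it to the single loopback port.
#   $1  role: "server" (host B, may only -R) or "viewer" (host A, may only -L)
#   $2  the public key, e.g. "ssh-ed25519 AAAA... hostB"
restricted_key_line() {
    case "$1" in
        server) printf 'restrict,port-forwarding,permitlisten="127.0.0.1:%s" %s\n' "$RELAY_PORT" "$2" ;;
        viewer) printf 'restrict,port-forwarding,permitopen="127.0.0.1:%s" %s\n' "$RELAY_PORT" "$2" ;;
        *)      echo "restricted_key_line: unknown role '$1'" >&2; return 1 ;;
    esac
}

# Check the relay's effective configuration for the relay account.
#   $1  file holding the output of:  sshd -T -C user=damiano
#       (lowercase keyword followed by its effective value)
# Returns 0 when forwarding is allowed and the relay port stays loopback-only.
# A jumpgate with AllowTcpForwarding off cannot relay anything, and since
# both a -R and a -L are needed, "local" or "remote" alone is not enough.
check_relay_config() {
    cfg="$1"
    fwd=$(awk 'tolower($1) == "allowtcpforwarding" { v = $2 } END { print v }' "$cfg")
    gw=$(awk 'tolower($1) == "gatewayports"       { v = $2 } END { print v }' "$cfg")
    rc=0
    case "$fwd" in
        yes|"") ;;   # "yes" is the compiled-in default
        *) echo "AllowTcpForwarding is '$fwd': this host cannot act as the relay" >&2; rc=1 ;;
    esac
    case "$gw" in
        no|"") ;;    # "no" is the compiled-in default
        *) echo "GatewayPorts is '$gw': port $RELAY_PORT would be exposed on the public address" >&2; rc=1 ;;
    esac
    return $rc
}

# Usage on the relay, by whoever administers it (not run automatically):
#   restricted_key_line server "$(cat hostB.pub)" >> ~damiano/.ssh/authorized_keys
#   restricted_key_line viewer "$(cat hostA.pub)" >> ~damiano/.ssh/authorized_keys
#   sshd -T -C user=damiano > /tmp/effective.conf
#   check_relay_config /tmp/effective.conf && echo "relay ready"
```

The point of the key options is that the relay account never has to be trusted with a shell: host B's key can only ask sshd to listen on 127.0.0.1:5901, host A's key can only ask it to connect to 127.0.0.1:5901, and anything else is refused by sshd itself rather than by policy. The sshd_config Match block duplicates the same limits server-side so a mistake in authorized_keys does not widen them.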
