
is it possible to achieve the following scenarios by using the SSH tunnels?

  1. My workstation --> jump server --> app server --> final resource (port 443)

  2. My workstation --> app server --> final resource (port 443)

App servers are able to reach final resources but I have no access to them. I would like to do some testing with my local workstation. I'm using PuTTY to create the SSH connection.

I have read some articles regarding SSH tunnels but I still can't figure out how it works and how I could achieve something like this.

2 Answers


First of all, keep in mind that port forwarding works only if the server allows it - as this is a security-relevant setting, it can be disabled at the server administrator's discretion.

Furthermore, please find details about these options in OpenSSH's man pages:

This connects via jump-server to app-server, uses your origin box's ssh-agent's keys to login to app-server, and establishes a tunnel from 127.0.0.1:8443 to app-server:443 (app-server is in this case 'localhost'). Accessing 127.0.0.1:8443 will yield whatever would be returned when accessing app-server:443.

ssh -A -L 8443:localhost:443 -J user@jump-server user@app-server 

This does the same, but leaves out the jump-server, fitting the second scenario you listed:

ssh -L 8443:localhost:443 user@app-server 

If this seems a little clumsy, having to specify ports to forward explicitly, try this:

ssh -D 5050 -J user@jump-server,user@second-jump-server user@app-server
ssh -D 5050 -J user@jump-server user@app-server
ssh -D 5050 user@app-server

-D 5050 makes ssh start a SOCKS5 proxy that listens on localhost:5050 and forwards all traffic to the final destination host, app-server, in the examples given. The traffic is forwarded as if it was sent from app-server, DNS lookups can be passed on as well. For this to work, you need to set up your browser to use the SOCKS5 proxy.

Adding -N will keep ssh from spawning a shell after login and will keep the connection open (and block) until CTRL+C is pressed or the connection is otherwise terminated.

Update: All commands are supposed to be run from your workstation.

If you lack SSH access to the app-server, try this:

(1) ssh -L 8443:app-server:443 user@jump-server
(2) ssh -D 5050 user@jump-server

with (1) you need to access https://localhost:8443, with (2) and a properly configured browser surf to https://app-server/.

  • Am I supposed to open the SSH connection to the jump-server by using PuTTY and run the command above from there? Commented Jul 3, 2019 at 15:20
  • The app-server is able to reach the final destination (remote host), but I have no login access to it. How can the connection be forwarded to the final destination from the app-server? Commented Jul 3, 2019 at 15:26
  • I've updated my answer. Commented Jul 3, 2019 at 15:37

Try

ssh -A -t users@jump-server -A -t user@app-server 

UPDATE: Sorry to be vague. This would work for your first scenario.

-A forwards the agent authentication connection which lets you use your authenticated session against the next hop. This is especially useful if you connect to each system with the same key but prefer not to leave your private key on the intermediary host. Either occurrence above can be dropped and you'll authenticate by default means from each hop to the next.

-t forces pseudo-terminal allocation, which lets what is happening at the far end flow back and forth across the intermediary session.

The benefit here is that you get one command that puts you in a session at the far end.

As for your second scenario, the solution that Daywalker linked to provides a couple of great options, using -L to map a local port across an intermediary and to a remote system or the -D switch to create an open ended tunnel that simply flows out from the intermediary.
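Editor's added example (not code from either answer above): the -L, -D and -J options from the first answer, and the multi-hop idea from the second, written as a reusable ssh_config so that one short `ssh` invocation replaces the long command lines. It assumes the placeholder names from the question (user, jump-server, app-server, final-resource) and the ports 8443 and 5050 used in the answers. Two points the answers leave implicit: with ProxyJump the authentication to app-server happens end to end from the workstation, so agent forwarding (-A) is not needed to log in and the jump host never sees your agent socket; and the destination of a LocalForward is resolved on the SSH server's side, so `localhost:443` means app-server's own port 443, while the question's "final resource" needs `final-resource:443`. ExitOnForwardFailure makes ssh fail loudly when the server has forwarding disabled (AllowTcpForwarding no) instead of logging in without the port.

```shell
#!/bin/sh
# Added example, not from the original answers. Writes an ssh_config that
# covers the two scenarios in the question plus the SOCKS variant, and a small
# parser to confirm what a stanza resolves to without opening any connection.

write_tunnel_config() {
    # $1: path of the ssh_config file to write (hypothetical placeholder names)
    cat > "$1" <<'EOF'
# Scenario 1: workstation -> jump-server -> app-server, then forward local
# 127.0.0.1:8443 to final-resource:443 as seen from app-server.
# ProxyJump (-J) relays TCP through jump-server; unlike -A it never exposes
# the workstation's ssh-agent to the jump host.
Host via-jump
    HostName app-server
    User user
    ProxyJump user@jump-server
    # Bind explicitly to 127.0.0.1 so other hosts cannot use the forward.
    LocalForward 127.0.0.1:8443 final-resource:443
    # Exit non-zero if the server refuses the forward (AllowTcpForwarding no).
    ExitOnForwardFailure yes

# Scenario 2: workstation -> app-server directly.
Host direct
    HostName app-server
    User user
    LocalForward 127.0.0.1:8443 final-resource:443
    ExitOnForwardFailure yes

# SOCKS alternative (-D): point the browser at localhost:5050 and browse
# https://final-resource/ by name; DNS is then resolved on app-server.
Host socks-via-jump
    HostName app-server
    User user
    ProxyJump user@jump-server
    DynamicForward 127.0.0.1:5050
    ExitOnForwardFailure yes
EOF
}

# Print the value of one keyword inside one Host stanza of the file, or nothing
# if the stanza does not set it.  $1: config file, $2: Host alias,
# $3: keyword in lower case (proxyjump, localforward, dynamicforward, ...).
effective_setting() {
    awk -v h="$2" -v k="$3" '
        /^Host /                     { in_host = ($2 == h) }
        in_host && tolower($1) == k  { sub(/^[ \t]*[^ \t]+[ \t]+/, ""); print; exit }
    ' "$1"
}

# Let ssh itself report the effective configuration for an alias, without
# connecting (ssh -G, OpenSSH 6.8 or newer).  Useful before trusting a tunnel.
show_effective() {
    ssh -G -F "$1" "$2"
}

# Bring a tunnel up in the background with no remote shell (-N -f).  Because
# of ExitOnForwardFailure in the config, a refused forward makes this fail.
start_tunnel() {
    ssh -F "$1" -N -f "$2"
}

if [ "${1:-}" = "demo" ]; then
    cfg="${2:-$HOME/.ssh/tunnel_config}"
    write_tunnel_config "$cfg"
    echo "via-jump forwards: $(effective_setting "$cfg" via-jump localforward)"
    echo "via-jump hops via: $(effective_setting "$cfg" via-jump proxyjump)"
    command -v ssh >/dev/null 2>&1 && show_effective "$cfg" via-jump
fi
```

Run with `sh tunnel.sh demo /path/to/config`, then `ssh -F /path/to/config -N via-jump` (or `direct`) and open https://localhost:8443. Expect a certificate name warning in the browser, since final-resource's certificate is not issued for "localhost"; the `socks-via-jump` stanza avoids that because the browser requests https://final-resource/ by name through the SOCKS proxy. The `-A -t user@jump-server ... user@app-server` chain from the second answer is not needed here: ProxyJump performs the same hop without placing agent credentials on the intermediary host.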
