SSH access to office host behind NAT router

youatwork@officepc$ autossh -R 12345:localhost:22 notroot@serverpc

Later:

you@homepc$ autossh -L 23456:localhost:12345 notroot@serverpc

you@homepc$ ssh youatwork@localhost -p 23456

What you could do is this: in step 1 forward a remote port from the office PC to the server (12345 is used as an example, any port >1024 should do). Now connecting to 12345 on the server should connect you to port 22 on officepc.

In step 2, forward the port 23456 from your home machine to 12345 on the server (whence it gets forwarded to officepc:22, as set up in step 1)

In step 3, you connect to the local port 23456 with your office PC login. This is forwarded by step 2 to port 12345 on your server, and by step 1 to your office PC.

Note that I'm using autossh for the forwardings, as it's a ssh wrapper which automatically reconnects the tunnel should it be disconnected; however normal ssh would work as well, as long as the connection doesn't drop.

There is a possible vulnerability: anyone who can connect to localhost:12345 on serverpc can now connect to officepc:22, and try to hack into it. (Note that if you're running a SSH server, you should anyway secure it above the basic protections which are on by default; I recommend at least disabling root login and disabling password authentication - see e.g. this)

Edit: I have verified this with the same config, and it works. GatewayPorts no only affects the ports that are open to the world at large, not local tunnels. This is what the forwarded ports are:

homepc:
  outgoing ssh to serverpc:22
  listening localhost:23456 forwarded through ssh tunnel
serverpc:
  listening ssh at *:22
  incoming localhost ssh tunnel (from homepc) forwarded to localhost:12345
  listening localhost ssh tunnel (from officepc) forwarded from localhost:12345
officepc:
  outgoing ssh to serverpc:22
  incoming localhost through ssh tunnel (from serverpc) forwarded to localhost:22

So, as far as the network stack is concerned, it's all local traffic on the respective loopback interfaces (plus ssh connections to serverpc); therefore, GatewayPorts is not checked at all.

There is, however, the directive AllowTcpForwarding: if that is no, this setup will fail as no forwarding is allowed at all, not even across the loopback interface.

Caveats:

• if using autossh and recent ssh, you may want to use ssh's ServerAliveInterval and ServerAliveCountMax for keeping the tunnel up. Autossh has a built-in check, but apparently it has some issues on Fedora. -M0 disables that, and -oServerAliveInterval=20 -oServerAliveCountMax=3 checks if the connection is up - tries each 20 sec, if it fails 3x in a row, stops ssh (and autossh makes a new one):

  autossh -M0 -R 12345:localhost:22 -oServerAliveInterval=20 -oServerAliveCountMax=3 notroot@serverpc
  
  autossh -M0 -L 23456:localhost:12345 -oServerAliveInterval=20 -oServerAliveCountMax=3 notroot@serverpc
  

• it might be useful to restart ssh tunnel if the forward fails, using -oExitOnForwardFailure=yes - if the port is already bound, you might get a working SSH connection, but no forwarded tunnel.

• using ~/.ssh/config for the options (and ports) is advisable, else the command lines get too verbose. For example:

  Host fwdserverpc
      Hostname serverpc
      User notroot
      ServerAliveInterval 20
      ServerAliveCountMax 3
      ExitOnForwardFailure yes
      LocalForward 23456 localhost:12345
  

Then you can use just the server alias:

    autossh -M0 fwdserverpc

If you can ssh to the internal server from home and from the internal server to your office Linux machine, then from home you can use the ssh ProxyCommand to bounce silently through the server to the internal machine via nc (netcat)

# ~/.ssh/config on your home machine:
Host internalpc 
   ForwardAgent yes 
   ProxyCommand ssh [email protected] exec nc internal.pc.example.com %p

Then you just ssh user@internalpc and you are silently forwarded through the server machine, no opening of ports or tunnels required on either end.

Install Robo-TiTO in the computer that you want to access SSH remotely.

• This will allow you to access SSH using from Google Talk Client Apps anywhere.
• There is no need for a public IP address or special setting.
• It's Free and Open Source, Not Paying any application services anymore.
• No need to open SSH port (keep your computer safe).
• No need to open any tunneling (e.g., VPN or something like that)

The following installation instructions are obsolete, as the site has moved. The new URL is https://github.com/formigarafa/robotito

I made a script (tested on my Raspbian OS in Raspberry Pi) so you can easily install Robo-TiTO on Raspberry Pi, Debian or Ubuntu Box (Debian package distribution). this is the steps to get your Linux box remoteable:

1. Open Shell Command or you can call it Terminal, go to your home folder, Download installer script by command:

   $ wget https://opengateway.googlecode.com/files/robotito
   

2. after that run the script by entering command:

   $ sudo ./robotito
   

3. and then you can edit file credentials.rb from the config folder of Robo-TiTO using your GTalk account and save it by pressing Ctrl+X and Y.  Default is using nano editor.

4. running the Robo-TiTO from Robo-TiTO folder by command

   $ cd robotito
   $ ./jabbershd start
   

5. Now that this is done you can use SSH from any Google talk client.  Don't forget to add the Robo-TiTO GTalk account to your Google talk account and test it with chatting each other before using the account.