More Trickiness With SSH

I saw an article on reddit about SSH trickery. SSH is a very subversive protocol, able to work around many kinds of unwise security policies. Here’s a couple more useful things to know.

1. Better Lurking Through .ssh/config-ery.

Where you’ve got machines lurking behind other machines, inaccesible from the Internet, you can add a clause like this to your .ssh/config file:

Host: lurker
ProxyCommand: ssh /bin/nc %h %p
This causes ‘ssh lurker’ to open an ssh connection to, then use nc (may be called netcat on your system, or you may have to install it yourself) to connect on to lurker (the %h %p interpolates the target hostname and port into the proxy command)

2. Reverse Tunnelling

So you’ve noticed the -L option, right, and you understand that by running:

ssh -L 3128:localhost:3128 gateway.home
you are establishing a tunnel home to your proxy server, and you can now configure your web browser to use localhost:3128 as its proxy server to keep your web traffic private.

But did you know this one? Let’s say you’ve got a machine stuck out in DMZ land and you want to apt-get upgrade the poor thing, pronto. You can’t access the web from this box: security policy. You can’t access your internal proxy: ditto. All you can do is ssh into it. Try this:

ssh -R
From your shell on dmzbox, you can now configure the http proxy as localhost:3128 and start sucking down packages via the reverse tunnel.

3. Tunnel Tunnelling

Every now and then, you need to get control of a box which is sadly hidden away behind a broken hotel NAT network or some kind of Get Smart style VPN setup. You can’t even get an ssh in. It’s either read Unix commands over an international phone line at 3am your time, or train a pigeon to tap out the following:

ssh -L 2222:localhost:22
which, when run on the remote box, opens an ssh tunnel back home, through which you can ssh back into the remote box with ssh -p 2222 localhost

4. ssh tunnels with tap and -w

There’s also a (newish) “-w” option, which turns ssh into a full-on VPN solution rather than just a port-at-a-time port forwarder.

The useful piece of information which I haven’t seen elsewhere is this: you don’t need to allow root ssh logins to use it. Instead, you can use ‘tunctl’ to preconfigure tun or tap devices on each end with the -u option to set their permissions to a non-root user. The easiest place to do this, on Debian/Ubuntu systems, is in /etc/network/interfaces, for example, in host1:/etc/network/interfaces:

auto tap9
iface tap9 inet static
pre-up tunctl -u nick -t $IFACE
post-down tunctl -d $IFACE
and in host2:/etc/network/interfaces:

auto tap9
iface tap9 inet static
pre-up tunctl -u nick -t $IFACE
post-down tunctl -d $IFACE
Now you can ‘ifup’ those interfaces, and then start the VPN by running:

[email protected]$  ssh -o Tunnel=Ethernet -w9:9 host1
And the tunnel will be up and running, without needing to create the tunnel as root. You could easily take this one further for an automatic tunnel, setting


© 2009-2011 Nick Moore. Published at:

 959 total views

Windows/Mac + iPhone/iPod touch: Not only do videos take up a ton of space on space-constrained devices, but converting videos for the iPhone gets painful quickly. Air Video streams videos straight to your iPhone, converting them on-the-fly if they’re incompatible.

The app is actually an iPhone app plus a PC/Mac app that acts as a server. You can use any videos on your computer, whether they are in iTunes or not—and, if you prefer, you can also add video playlists from iTunes to the list of sources. Once you get the server app running on your desktop, you can start streaming over your home network immediately. Streaming over the internet from outside your home, though, only takes a few more seconds—in the server app, go to the “Remote” tab and check Enable Access from Internet (see below). The app will give you a server PIN that you can type in when you go to add a source on your iPhone or iPod touch—note that your router at home needs a public IP address and support UPnP or NAT-PMP protocols, which shouldn’t be a problem for most people.

As if that weren’t cool (or easy) enough, if you have some videos that can’t be played directly on the iPhone, you can convert them using Air Video as you watch it (as long as you’re running firmware 3.0 and have a fairly powerful computer back at home). If you prefer, you can also convert the file offline and watch it later.

Air Video is a free download for the iPhone and iPod touch, although the free version only shows you a few videos at a time, at random, from your folders. If you have a large video library you want to share, or don’t feel like clicking on the folder multiple times waiting for the video you want to be on the list, there’s a $2.99 pro version available as well.

 853 total views,  1 views today

Microsoft new Windows Phone operating system looks pretty snazzy, Adobe AIR is on its way to smartphones, and one diligent self-measuring math teacher delivers his 2009 annual report.

 894 total views,  1 views today