LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Networking (http://www.linuxquestions.org/questions/linux-networking-3/)
-   -   Multi-hop VNC tunnel over SSH (http://www.linuxquestions.org/questions/linux-networking-3/multi-hop-vnc-tunnel-over-ssh-839612/)

deesto 10-21-2010 02:19 PM

Multi-hop VNC tunnel over SSH
 
Is it possible to chain together multiple SSH tunnel hops in a single `ssh -L` command on the client side? I have two gateways I need to get through in order to access a remote host. For a normal SSH client connection, it's simple enough chain this all together by simply appending the additional SSH connection commands to the first one:
Code:

ssh gateway.1 ssh gateway.2 ssh remote.host
And for a normal (non-hopping) VNC session to a non-gateway host, create a tunnel:
Code:

ssh -L [local-port]:localhost:[remote-port|5900] remote.host && vncviewer localhost:[display]
But is it possible to chain together multiple gateway hops in order to reach the remote host, given SSH authentication is done via key on each host, and privileged ports are not accessible on the gateway machines? I've gotten close with the following, but tripped up by man-in-the-middle attack warnings:
Code:

ssh -tL 5900:localhost:22 gateway1 ssh -tL 50022:gateway2:22 remote.host 'some.vnc.viewer -localhost -display :0'

sys64738 10-21-2010 05:02 PM

Hi
how about this:
Code:

ssh -X gateway.1 ssh -X gateway.2 ssh -X remote.host
and then on remote.host you simply do a "vncviewer"?

deesto 10-22-2010 07:42 AM

Hi sys64738,

Yes: of course that works. But my question is whether it's possible to tunnel multiple hops and script everything entirely on the client side.

sys64738 10-22-2010 10:36 AM

How about that:

Code:

ssh -X user@gateway.1 ssh -X user@gateway.2 ssh -X user@remote.host vncviewer
If you have public key authentication it will work in a script without passwords and there is no hassle with tcp ports (only 22 needed).

I hope that is OK?

deesto 10-22-2010 01:22 PM

Hi sys64738,
Quote:

Originally Posted by sys64738 (Post 4135977)
How about that:
Code:

ssh -X user@gateway.1 ssh -X user@gateway.2 ssh -X user@remote.host vncviewer
If you have public key authentication it will work in a script without passwords and there is no hassle with tcp ports (only 22 needed).

I hope that is OK?

Yes, thanks, but ... really my question was more toward _understanding_ the "hassle" of using ports properly with a multi-hop tunnel, rather than working around them.

sys64738 10-23-2010 08:57 AM

OK back to your ssh statement. If I got it right you said you got warnings about man in the middle attacks.
If you want to ignore those warnings add:
Code:

-o 'StrictHostKeyChecking=no'
which would lead to:
Code:

ssh -o 'StrictHostKeyChecking=no' -tL 5900:localhost:22 gateway1 ssh -o 'StrictHostKeyChecking=no' -tL 50022:gateway2:22 remote.host 'some.vnc.viewer -localhost -display :0'
But you must be sure that you address the right hosts along your tunnel.
BTW I think you have to tell the 'some.vnc.viewer' on remote.host to use port 50022.

deesto 10-25-2010 07:38 AM

Thanks sys64738. `StrictHostKeyChecking` was the key, though it should not be used on untrusted systems. Note that you don't need to specify the vnc port on the remote host, but you do need to specify a display port:
Code:

ssh -o 'StrictHostKeyChecking=no' -ACtYL 5900:localhost:22 you@gateway1 ssh -o 'StrictHostKeyChecking=no' -ACtYL 50022:localhost:5900 you@gateway2 ssh -ACtY you@remotehost vncviewer localhost:0


All times are GMT -5. The time now is 01:40 PM.