[SOLVED] Multi-hop VNC tunnel over SSH

deesto · 10-21-2010, 02:19 PM

Is it possible to chain together multiple SSH tunnel hops in a single `ssh -L` command on the client side? I have two gateways I need to get through in order to access a remote host. For a normal SSH client connection, it's simple enough chain this all together by simply appending the additional SSH connection commands to the first one:

Code:

ssh gateway.1 ssh gateway.2 ssh remote.host

And for a normal (non-hopping) VNC session to a non-gateway host, create a tunnel:

Code:

ssh -L [local-port]:localhost:[remote-port|5900] remote.host && vncviewer localhost:[display]

But is it possible to chain together multiple gateway hops in order to reach the remote host, given SSH authentication is done via key on each host, and privileged ports are not accessible on the gateway machines? I've gotten close with the following, but tripped up by man-in-the-middle attack warnings:

Code:

ssh -tL 5900:localhost:22 gateway1 ssh -tL 50022:gateway2:22 remote.host 'some.vnc.viewer -localhost -display :0'

sys64738 · 10-21-2010, 05:02 PM

Hi
how about this:

Code:

ssh -X gateway.1 ssh -X gateway.2 ssh -X remote.host

and then on remote.host you simply do a "vncviewer"?

deesto · 10-22-2010, 07:42 AM

Hi sys64738,

Yes: of course that works. But my question is whether it's possible to tunnel multiple hops and script everything entirely on the client side.

sys64738 · 10-22-2010, 10:36 AM

How about that:

Code:

ssh -X user@gateway.1 ssh -X user@gateway.2 ssh -X user@remote.host vncviewer

If you have public key authentication it will work in a script without passwords and there is no hassle with tcp ports (only 22 needed).

I hope that is OK?

deesto · 10-22-2010, 01:22 PM

Hi sys64738,

Quote:

Originally Posted by sys64738

How about that:

Code:

ssh -X user@gateway.1 ssh -X user@gateway.2 ssh -X user@remote.host vncviewer

If you have public key authentication it will work in a script without passwords and there is no hassle with tcp ports (only 22 needed).

I hope that is OK?

Yes, thanks, but ... really my question was more toward _understanding_ the "hassle" of using ports properly with a multi-hop tunnel, rather than working around them.

sys64738 · 10-23-2010, 08:57 AM

OK back to your ssh statement. If I got it right you said you got warnings about man in the middle attacks.
If you want to ignore those warnings add:

Code:

-o 'StrictHostKeyChecking=no'

which would lead to:

Code:

ssh -o 'StrictHostKeyChecking=no' -tL 5900:localhost:22 gateway1 ssh -o 'StrictHostKeyChecking=no' -tL 50022:gateway2:22 remote.host 'some.vnc.viewer -localhost -display :0'

But you must be sure that you address the right hosts along your tunnel.
BTW I think you have to tell the 'some.vnc.viewer' on remote.host to use port 50022.

deesto · 10-25-2010, 07:38 AM

Thanks sys64738. `StrictHostKeyChecking` was the key, though it should not be used on untrusted systems. Note that you don't need to specify the vnc port on the remote host, but you do need to specify a display port:

Code:

ssh -o 'StrictHostKeyChecking=no' -ACtYL 5900:localhost:22 you@gateway1 ssh -o 'StrictHostKeyChecking=no' -ACtYL 50022:localhost:5900 you@gateway2 ssh -ACtY you@remotehost vncviewer localhost:0