Solved

Need help with multi-hop SSH tunnel using stacked connections

Posted on 2013-06-24
8
1,175 Views
Last Modified: 2013-07-09
I have been able to figure out how to use SSH tunneling over more than one hope using only putty. So I can create 2 tunnels, one to an intermediate server and another to the final destination. So I can do this:

50432:dbserver:5432
50432:stage1:50432

So then in my client (in this case pgAdmin), I simply connect on dbserver 50432. This works fine for our dev databases because they are only one hop away. For our production db it gets slightly more complicated because there is an additional hop. I tried something like this:

50432:dbserver:5432
50432:stage2:50432
50432:stage1:50432
(I also tried no conflicting port numbers)

But connecting doesn't work. I am thinking I have to use some combination of "local" and "remote" connections or a proxy but I am not sure how. Please help!

Note I do not have direct SSH access to dbserver
0
Comment
Question by:skione
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
8 Comments
 
LVL 34

Expert Comment

by:Duncan Roe
ID: 39274303
You need to create the tunnel to the final server starting at the intermediate server (assuming only a 2-hop connection). For more hops, you need to create a tunnel between each pair of adjacent servers. Then you ssh to the first server and from there ssh to the second, and so on.
0
 

Author Comment

by:skione
ID: 39274555
I get that. I believe my example illustrates that and I've tried many permutations.  I need a more concrete example. Also remember I don't have ssh access to the final server so I need to forward the port somehow.
0
 
LVL 34

Expert Comment

by:Duncan Roe
ID: 39274688
No ssh to to final server? Why not?
0
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 

Author Comment

by:skione
ID: 39274699
Does it really matter? Its s security policy. Least permissive and whatnot. So I can only access that server on the psql port (5432)
0
 
LVL 34

Expert Comment

by:Duncan Roe
ID: 39274781
Yes you did say. If you actually logged in to stage2, could you then run an app which could access the DB on the dbserver?
Are these SSL tunnels or SSH? either way it's bedtime for me. I'm pretty much out of ideas anyway - odd that your original setup didn't work really.
0
 

Author Comment

by:skione
ID: 39274802
If I SSH from server1-> server2 then I PSQL to db server
0
 
LVL 34

Expert Comment

by:Duncan Roe
ID: 39276505
I'm not familiar with PSQL. Your setup sounds OK to me  - any other Experts???
0
 
LVL 23

Accepted Solution

by:
Mysidia earned 500 total points
ID: 39283873
You need a SSH client  running on every server. If  you cannot  SSH connect to the dbserver using SSH,  then you cannot complete a SSH tunnel;  you  will  essentially be breaking out the traffic  into an unprotected form.

I want to make it clear that,  this is possible,  BUT it is insane, and the use of multiple tunnels is contrary to best practice, due to performance and security issues --   just because you can does not mean you should.
Port forwards and IPsec  are definitely more appropriate security transports for building complicated topologies.

And you could build an IPsec SA all the way to the database server,  and not stop short of securing the connection end-to-end....



- Beyond 2 hops away, you will have to run a SSH client or PuTTy  on each remote server.
To accomplish
   50432:dbserver:5432   50432:stage2:50432    50432:stage1:50432
This cannot all be done on one computer.

You can SSH into stage0  from PuTTy with     50432:stage1:50432
Then you need
  stage0#  ssh -l user stage1 -R 50432:stage1:50432 -g

To cause stage0  to open up local port 50432 and forward it to stage1 50432

Once you've SSH'd into stage1, you essentially need a SSH session from stage1 to stage2.
so in that SSH terminal you could type

 stage1#  ssh -l user   stage2  -R 50432:dbserver:5432 -g

To chain a second session..

to cause stage2 to listen on local port 50432 and forward to  dbserver:5432
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
php56-php-mcrypt for rhel7 php56 1 160
Apache module 5 81
Centos 7 DNS server not replying to clients 3 90
database connection error mysql stops 7 79
How many times have you wanted to quickly do the same thing to a list but found yourself typing it again and again? I first figured out a small time saver with the up arrow to recall the last command but that can only get you so far if you have a bi…
Secure Shell (SSH) is a network protocol for secure data communication, mainly used to administer remote Unix / Linux servers via command line. But it also allows the user to open a secure tunnel between a client and a server where he can send any k…
Learn several ways to interact with files and get file information from the bash shell. ls lists the contents of a directory: Using the -a flag displays hidden files: Using the -l flag formats the output in a long list: The file command gives us mor…
Connecting to an Amazon Linux EC2 Instance from Windows Using PuTTY.
Suggested Courses

738 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question