If you want to let someone log into your machine or you want to log back into your machine from your server for some reason, normally you'd just set up port forwarding and connect to your IP.
But there is another way: you can use ssh to create a connection to a remote machine, which that person can then use to log into your machine.
- No need to set up port forwarding if you're on a network.
- No need to allow incoming connections in your firewall.
- Works when you can't change router or firewall settings.
- User can only log in when you start the connection (if it's blocked otherwise).
- The other user doesn't need to know your IP (e.g. in case it's dynamic).
- User can only log in when you start the connection.
- You must be able to ssh log into the remote machine
It's not a replacement for normal ssh, but it's useful in some situations.
How to do it?
The first time:
- Make sure an ssh server is installed on your machine, e.g.:
- Make sure the server is properly secured - there's a lot of information online.
- Make sure there is an account for the user to log into. Note you can log into your own machine to test:
- Open the connection to remote_machine that the other user will connect through:
Here 2020 can be any port on the remote machine (<1024 are privileged though), which you can choose freely, but it should be the same in the next step. 22 is the local ssh server port, which is 22 by default but can be changed.
- Log in to your machine from the remote machine:
Tunnel as jump node
Say you're on Desktop, you open a tunnel to JumpNode and want Server to log in to Desktop through JumpNode. An uncommon but useful scenario: Server is a backup server, for which you don't want to store login credentials on your Desktop in case it's compromised.
From the command line, you can do this directly from Server:
In this case, JumpNode needs to have an ssh IdentityFile for Desktop, or you need to enter a password.
If you want to do it in one command, e.g. so you can use scp or rsync, it works a bit differently. You need to edit ~/.ssh/config (or equivalent) on Server in one of two ways. For recent (7.3+) versions of openssh (ssh -V) you can use the easy ProxyJump way:
Host JumpNode Hostname jumpnode.domain.ext Port 22 User jump_node_user IdentityFile ~/.ssh/keys/jumpnode Host Desktop HostName localhost Port 2020 User desktop_user ProxyJump JumpNode
For older versions, you can use ProxyCommand:
Host JumpNode # The same as above Host Desktop Hostname localhost Port 2020 User desktop_user ProxyCommand ssh -W %h:%p JumpNode IdentityFile ~/.ssh/keys/rafiki
Note that there's no need to use netcat, which is suggested on various websites.
A notable difference in this case, as compared to the command line one, is that the Server's IdentityFile for Desktop is used. Remember that before, JumpNode was the one that had to know how to get into Desktop.
The reason for this is that they work differently: the command line connects to JumpNode, then starts an ssh connection inside that which connects to Desktop, whereas ProxyCommand just establishes a connection from the Server through JumpNode to Desktop, through which another ssh session will then connect to Desktop. This is also why there is no username: authentication happens at the level of the final ssh connection, not the proxy level.
Let's hope ProxyJump will soon be available everywhere!