This worked for me. I've explained this as best I can, but clearly I only have a tenuous grasp of how it's working, so suggestions for corrections or improvements are welcome.
To establish an ssh connection to (first, from) a remote machine behind a third-party firewall, with no pre-existing setup on the remote machine (other than the assumptions below). This could be due to the circumstances described in the OP, or perhaps the remote machine is on hotel or coffee shop etc. wifi. I (nedlud) wish to provide remote assistance to (christine).
Assumptions:
- The remote machine has a public IP, which may be unknown to you.
- An ssh server is running on the remote machine, which may be on a non-standard port, allowed by the remote machine's internal firewall.
- The remote machine's ssh server is configured for password authentication and you know the username and password of the remote user, or for public key access and you have the private key.
- The remote user can open a terminal and copy/paste, or type a string, but nothing more technical.
LOCAL machine:
hostname: lutyens
username: nedlud
ssh port: 33022
dynamicdns: nedlud.ddns.net
In my case host (lutyens) is a VM with password-authenticated ssh, to avoid having to change anything on my main machine, and to make things simpler for (christine).
REMOTE machine:
hostname: x1-laptop
username: christine
ssh port: 55022
From the remote host (x1-laptop), user (christine) runs in a terminal the string that (nedlud) has sent her by email or other means:
Code:
christine@x1-laptop:~$ ssh -f -N -p 33022 -R 2222:localhost:55022 nedlud@nedlud.ddns.net
nedlud@nedlud.ddns.net's password:
christine@x1-laptop:~
christine@x1-laptop:~$ ls .ssh | grep key
christines-key-on-x1-carbon.id_ed25519
christine@x1-laptop:~$
ssh options with extracts from man ssh:
-f Requests ssh to go to background just before command execution. This is useful if ssh is going to ask for passwords or passphrases, but the user wants it in the background...
-N Do not execute a remote command. This is useful for just forwarding ports...
-p 33022 Port to connect to on the remote host (i.e. remote from host (x1-laptop) in this example, i.e. your local machine (lutyens), whose ssh is on port 33022. Omit for the standard port 22).
-R 2222:localhost:55022 (x1-laptop) [bind_address:]port:host:hostport. 2222 is arbitrary, any non-privileged port (above 1024). (x1-laptop)'s ssh is on 55022; use 22 for the standard ssh port 22.
(nedlud) checks it worked:
Code:
nedlud@lutyens:~$ netstat -tulpn | grep 2222
tcp 0 0 127.0.0.1:2222 0.0.0.0:* LISTEN -
tcp6 0 0 ::1:2222 :::* LISTEN -
nedlud@lutyens:~$
(nedlud) can now ssh to (x1-carbon) with:
Code:
nedlud@lutyens:~$ ssh -p 2222 christine@localhost
christine@localhost's password:
christine@x1-carbon:~$
OR
Code:
nedlud@lutyens:~$ ssh -p 2222 -i .ssh/christines-key-on-x1-carbon.id_ed25519 christine@localhost
Enter passphrase for key '/home/nedlud/.ssh/christines-key-on-x1-carbon.id_ed25519':
christine@x1-carbon:~$
Or, as in the OP, (nedlud) can now browse via (x1-carbon) with a proxied browser on whichever LAN (x1-carbon) is on, e.g. to access the router firewall config page and set up port forwarding to enable direct ssh to (x1-carbon), initiated from (lutyens) as usual, and provide remote assistance.
Code:
Manual proxy configuration:
SOCKS Proxy 127.0.0.1 Port 24080
check the box for "SOCKS v5"
Code:
nedlud@lutyens:~$ ssh -D 24080 -f -C -q -N -p 2222 christine@localhost
christine@localhost's password:
nedlud@lutyens:~$
ssh options with extracts from man ssh:
-D [bind_address:]port Specifies a local "dynamic" application-level port forwarding. This works by allocating a socket to listen to port on the local side, optionally bound to the specified bind_address. Whenever a connection is made to this port, the connection is forwarded over the secure channel, and the application protocol is then used to determine where to connect to from the remote machine. Currently the SOCKS4 and SOCKS5 protocols are supported, and ssh will act as a SOCKS server. Only root can forward privileged ports. Dynamic port forwardings can also be specified in the configuration file.
-f Requests ssh to go to background just before command execution. This is useful if ssh is going to ask for passwords or passphrases, but the user wants it in the background...
-C Requests compression of all data...
-q Quiet mode. Causes most warning and diagnostic messages to be suppressed.
-N Do not execute a remote command. This is useful for just forwarding ports...
-p 2222 christine@localhost specifies the arbitrary port used for the reverse tunnel established from (x1-carbon).
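As an added example (not part of the original post), here is a small shell check that automates the netstat verification step above and additionally confirms that the reverse-forwarded port on (lutyens) is bound only to loopback, which is what keeps (christine)'s ssh server private to (lutyens) rather than reachable from the internet. The function name, the constructed sample lines and the GatewayPorts remark are my additions; the script assumes netstat -tulpn output in the column layout shown in the post.

```shell
#!/bin/sh
# Added example, not from the original post. After the -R tunnel is up, the
# post checks with "netstat -tulpn | grep 2222". This function automates that
# check and also confirms the forwarded port is bound only to loopback
# (127.0.0.1 / ::1). By default sshd binds -R listeners to loopback; if
# GatewayPorts were enabled on lutyens, 0.0.0.0 / :: would appear instead and
# christine's ssh server would be reachable by anyone who can reach lutyens.
#
# Arguments: port, netstat output (e.g. "$(netstat -tulpn 2>/dev/null)").
# Exit status: 0 loopback-only, 1 listener on a non-loopback address,
#              2 nothing is listening on that port (tunnel not up).
check_loopback_only() {
    port="$1"
    netstat_output="$2"
    printf '%s\n' "$netstat_output" | awk -v want="$port" '
        # netstat -tulpn columns: Proto Recv-Q Send-Q Local-Address Foreign-Address State ...
        $1 ~ /^tcp6?$/ {
            la = $4
            n = split(la, parts, ":")
            p = parts[n]                  # port is the text after the last ":"
            if (p != want) next
            addr = substr(la, 1, length(la) - length(p) - 1)
            found = 1
            if (addr != "127.0.0.1" && addr != "::1") bad = 1
        }
        END {
            if (!found) exit 2
            if (bad) exit 1
            exit 0
        }'
}

# Constructed sample, modelled on the netstat output shown in the post.
SAMPLE_OK='tcp 0 0 127.0.0.1:2222 0.0.0.0:* LISTEN -
tcp6 0 0 ::1:2222 :::* LISTEN -'

# Constructed sample of what an exposed listener (GatewayPorts yes) looks like.
SAMPLE_EXPOSED='tcp 0 0 0.0.0.0:2222 0.0.0.0:* LISTEN -
tcp6 0 0 :::2222 :::* LISTEN -'

# Usage with constructed data; swap in "$(netstat -tulpn 2>/dev/null)" on lutyens.
if check_loopback_only 2222 "$SAMPLE_OK"; then
    echo "port 2222: loopback only, tunnel is private to lutyens"
fi
```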