Daemian Mack home

Setting up a reverse SSH tunnel

June 7, 2013

Scenario: you want to allow Fred SSH access to your local machine and, for whatever reason, cannot expose your local SSH port to the public Internet.

   +----------------+
   |                |
   |    Yourbox     |
   |                |
   +----------------+

You can establish a reverse SSH tunnel to a remote machine (a “jumphost”) that can expose its local SSH port to the Internet.

A. SSH to jumphost with a reverse tunnel pointing jumphost’s port 1234 back to your port 22.

Yourbox$ ssh -R 1234:localhost:22 you@jumphost

   +----------------+
   |                |
   |    Yourbox     |
   |                |
   +----------------+
           |
           |
         A |
           |
          \|/
   +----------------+
   |                |
   |    Jumphost    |
   |                |
   +----------------+

B. Have Fred SSH into jumphost.

Fredbox$ ssh you@jumphost

   +----------------+
   |                |
   |    Yourbox     |
   |                |
   +----------------+
           |
           |
         A |
           |
          \|/
   +----------------+
   |                |
   |    Jumphost    |
   |                |
   +----------------+
           /|\
            |
            | B
            |
            |
   +----------------+
   |                |
   |    Fredbox     |
   |                |
   +----------------+

Fred can then use that reverse SSH tunnel to access your local machine.

C. On Jumphost, Fred SSHs to the local port 1234, which is then forwarded over the tunnel to yourbox.

Jumphost$ ssh -p 1234 you@localhost

   +----------------+
   |                |
   |    Yourbox     |
   |                |
   +----------------+
          | /|\
          |  |
        A |  | C
          |  |
         \|/ |
   +----------------+
   |                |
   |    Jumphost    |
   |                |
   +----------------+
           /|\
            |
            | B
            |
            |
   +----------------+
   |                |
   |    Fredbox     |
   |                |
   +----------------+

I’ve referenced the you user account here for illustrative purposes, but rather than handing out that account’s password, putting Fred’s SSH pubkey into your ~/.ssh/authorized_keys for the duration of the session would be more convenient for everybody.