Remote maintenance of a Linux box behind a firewall
Today I have an interesting problem: a customer in Melbourne has some issues with their Linux box and I would like to log in and fix them. The only problem is that their machine is behind a firewall and NATed to a 192.168.0.x address. The obvious solution would be port-forwarding on the firewall, but that would involve a lengthy argument with their IT department, so here is another way to do it using an SSH reverse tunnel.
This technique requires the cooperation of the customer which is good in a way because they get to control when I have access.
I should note at this point that this technique is based on the one mentioned here on the Gentoo forum.
First I set up a non-privileged account (doofus below) on my Linux server, doctort.org, which has a public IP address. Then I email this little script to the customer:
#!/bin/sh
ssh -R 10000:localhost:22 doofus@doctort.org
The -R option asks the sshd on doctort.org to listen on port 10000 and to pass every connection it receives there back down the tunnel to port 22 on the customer's machine ("localhost" is evaluated on the customer's side, where the script runs).
Once they have placed the script on their server and run it (they also need to type the password for the doofus account), I can log into their machine by typing this (I need to know the root password for their box, of course):
ssh root@doctort.org -p 10000
One caveat: by default sshd binds a -R listener to the loopback interface only (GatewayPorts no), so port 10000 is not reachable on doctort.org's public address. Either set GatewayPorts yes in /etc/ssh/sshd_config on doctort.org, which exposes the customer's sshd to anyone who can reach doctort.org, or, better, run ssh -p 10000 root@localhost from a shell on doctort.org itself. The customer's ssh session also has to stay open: closing it tears the tunnel down, which is exactly how they revoke my access.
This will actually log in as root on their box. SSH is wonderful, don't you think?
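As an added example, not the script from this post, here is a slightly hardened version of the same recipe covering all three sides of it: the command the customer runs, the authorized_keys line for the doofus account on the relay, and the login command that hops through the relay instead of relying on GatewayPorts. The account doofus, the host doctort.org and port 10000 come from the post; the key strings are constructed, and the use of "restrict" and -J assumes an OpenSSH release of 7.3 or later.

```sh
#!/bin/sh
# Added example, not the original post's script. Hardened reverse-tunnel recipe.
# Assumptions: relay account doofus@doctort.org (from the post), OpenSSH 7.3+ for
# "restrict" and -J, and the public key below is a constructed placeholder.

# Customer side: build the ssh command that opens the reverse tunnel.
#   -N                        no remote shell; the session exists only to carry the forward
#   -o ExitOnForwardFailure   exit non-zero if the relay refuses to listen on the port,
#                             instead of sitting there with a useless session
#   ServerAlive*              notice a dead relay and exit so the customer can re-run it
#   -R PORT:localhost:22      relay listens on 127.0.0.1:PORT, forwards to the customer's sshd
reverse_tunnel_cmd() {
    port="$1"
    relay="$2"
    case "$port" in
        ''|*[!0-9]*) printf 'invalid port: %s\n' "$port" >&2; return 1 ;;
    esac
    printf 'ssh -N -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -R %s:localhost:22 %s\n' "$port" "$relay"
}

# Relay side: authorized_keys line for the doofus account. "restrict" switches off pty
# allocation, X11/agent forwarding, ~/.ssh/rc and all forwarding; "port-forwarding" turns
# only forwarding back on; command="/bin/false" means any shell or exec request gets
# /bin/false, so the key cannot run anything on the relay. With -N the customer's client
# never requests a session, so the forced command never fires and the forward stays up.
# Prepend from="a.b.c.d" if the customer's public address is known.
authorized_keys_line() {
    printf 'restrict,port-forwarding,command="/bin/false" %s\n' "$1"
}

# Engineer side: log in through the relay without GatewayPorts. The relay's sshd bound
# the -R listener to its own loopback, so jump (-J) to the relay and connect to
# localhost:PORT as seen from there. -p applies to the final hop, not the jump host.
login_cmd() {
    printf 'ssh -J %s -p %s root@localhost\n' "$2" "$1"
}

# Demo with constructed inputs; nothing here touches the network.
CUSTOMER_PUBKEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedPlaceholderKeyNotReal customer-box'
echo "customer runs:         $(reverse_tunnel_cmd 10000 doofus@doctort.org)"
echo "relay authorized_keys: $(authorized_keys_line "$CUSTOMER_PUBKEY")"
echo "engineer runs:         $(login_cmd 10000 doofus@doctort.org)"
```

The engineer's own key for doofus can be tightened the same way, adding permitopen="localhost:10000" so it can reach nothing on the relay but the tunnel end.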
UPDATE 31-May-2007
I recently had to do this on a server running Debian Etch, where the technique did not work out of the box. What decides whether a reverse tunnel can be set up is the AllowTcpForwarding option in /etc/ssh/sshd_config on the machine that receives the -R request, i.e. doctort.org in the example above; the stock default is yes, but a hardened install may have set it to no, in which case the customer's ssh client prints "Warning: remote port forwarding failed for listen port 10000" and no listener ever appears. Make sure the file contains:
AllowTcpForwarding yes
(newer OpenSSH releases also accept remote, which permits -R but not -L forwards). Then restart the ssh daemon so it rereads its configuration:
/etc/init.d/ssh restart
The Tunnel option belongs to the client configuration file /etc/ssh/ssh_config, controls tun(4) device forwarding (the -w option) rather than port forwarding, and is never read by sshd, so adding Tunnel yes there does nothing for a -R tunnel.
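An added check (not from the post) that tells you, before emailing the script to anyone, whether a given sshd_config will honour the -R request. It assumes a POSIX shell with awk and mktemp; on a real relay point it at /etc/ssh/sshd_config or, better, at the output of sshd -T, which prints the effective values in lower case. The configuration files it builds are constructed samples.

```sh
#!/bin/sh
# Added example, not from the original post. Checks whether an sshd_config permits the
# remote (-R) forwarding a reverse tunnel needs. Run it against /etc/ssh/sshd_config on
# the relay (doctort.org in the post) or against "sshd -T" output. Sample configs below
# are constructed.

# Print the effective AllowTcpForwarding value (lower-cased) from a config file.
# sshd keywords are case-insensitive, the first occurrence of a keyword wins, lines
# starting with "#" are comments, and the keyword defaults to "yes" when absent.
allow_tcp_forwarding() {
    val=$(awk 'tolower($1) == "allowtcpforwarding" { print tolower($2); exit }' "$1")
    printf '%s\n' "${val:-yes}"
}

# Exit status 0 when a -R request will be honoured: "yes", or "remote" on OpenSSH
# releases that distinguish local from remote forwarding. "no" and "local" refuse it,
# and the customer's client then prints
# "Warning: remote port forwarding failed for listen port 10000".
remote_forward_ok() {
    case "$(allow_tcp_forwarding "$1")" in
        yes|remote) return 0 ;;
        *)          return 1 ;;
    esac
}

# Constructed samples: a hardened relay that breaks the technique, the fixed version,
# and a config that never mentions the keyword at all.
WEAK_CFG=$(mktemp)
cat > "$WEAK_CFG" <<'EOF'
# hardened relay: forwarding switched off
AllowTcpForwarding no
X11Forwarding no
# a later duplicate does not override the first occurrence
AllowTcpForwarding yes
EOF

FIXED_CFG=$(mktemp)
cat > "$FIXED_CFG" <<'EOF'
# keyword case does not matter to sshd
allowtcpforwarding yes
X11Forwarding no
EOF

DEFAULT_CFG=$(mktemp)
printf 'X11Forwarding no\n' > "$DEFAULT_CFG"

for cfg in "$WEAK_CFG" "$FIXED_CFG" "$DEFAULT_CFG"; do
    if remote_forward_ok "$cfg"; then
        echo "$cfg: AllowTcpForwarding $(allow_tcp_forwarding "$cfg"): reverse tunnel allowed"
    else
        echo "$cfg: AllowTcpForwarding $(allow_tcp_forwarding "$cfg"): set it to yes and restart sshd"
    fi
done
rm -f "$WEAK_CFG" "$FIXED_CFG" "$DEFAULT_CFG"
```

A Match block can override the global value for particular users or addresses; sshd -T with -C user=doofus,host=...,addr=... shows what the doofus account actually gets, which is the value that matters.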
