Reverse ssh connection (is it possible?)

I have my pc (natted but I can modify my firewall as needed) and I want to
connect to a pc behind a firewall (this is a friend's pc, his provider
gives him a private ip). I can ask him to type some commands, but I want
to be able to use his pc with ssh.

Is it possible to establish a connection from his pc to my pc (works now)
and then use that connection to allow me to control his pc?

Thank you,
Francesco.

Francesc0 wrote:

> I have my pc (natted but I can modify my firewall as needed) and I want to
> connect to a pc behind a firewall (this is a friend's pc, his provider
> gives him a private ip). I can ask him to type some commands, but I want
> to be able to use his pc with ssh.
>
> Is it possible to establish a connection from his pc to my pc (works now)
> and then use that connection to allow me to control his pc?

you could with remote port forwarding, see the man pages of ssh

here's an example:
[friend@friendspc]$ ssh user@franscescospc -R 11001:localhost:10000

With this connection open, you, Francesco, can connect to the service on
port 10000 (Webmin) on your friends pc:
[franscesco@francescospc]$ netscape http://localhost:10000


>
> Thank you,
> Francesco.

On Fri, 16 Apr 2004 12:52:43 +0000, David Lesaffre wrote:

>>[...]
>>Is it possible to establish a connection from his pc to my pc (works
>>now)
>> and then use that connection to allow me to control his pc?

So, you have a pc behind a firewall you control,
and your friend has a public (hopefully, not a private one)
from his provider.

The only thing you need is to know the ip address of your
friend and you can ssh right in...
In case he has a static ip address, you are set. In case
it is a dynamic one (which it probably is), you can
make use of a service like dyndns...

I hope you see: no problem at all

Peace,
Georg

P.S.: And dont fear the penguins!

Georg Armbruster wrote:

> So, you have a pc behind a firewall you control,
> and your friend has a public (hopefully, not a private one)
> from his provider.

Except that he mentioned that his friend has a private (NATed) IP address.
I'd suggest he bomb the ISP, but whatever...

You basically have two options.

Either:
(a) Run a VPN of some sort; this is recommended for later, but may be too
complex right now.
(b) Give your friend an account on your machine (the firewall machine will
do) and ask him to ssh -R 1234:localhost:22 to that account. (NOT -L as a
previous poster used.)

Then you just ssh to port 1234 not the machine he logged into. (Substitute
another >1024 number for 1234 if you need.)

Il Fri, 16 Apr 2004 17:55:12 +0200, Svein Ove Aas ha scritto:

> Except that he mentioned that his friend has a private (NATed) IP address.
> I'd suggest he bomb the ISP, but whatever...

This isp gives lots of bandwidth (up to 10Mb/s) but no public IP (you
have to pay a lot for it).

> You basically have two options.

I will try this, thank you everybody for the answers

Il Fri, 16 Apr 2004 17:55:12 +0200, Svein Ove Aas ha scritto:


> (b) Give your friend an account on your machine (the firewall machine will
> do) and ask him to ssh -R 1234:localhost:22 to that account. (NOT -L as a
> previous poster used.)
>
> Then you just ssh to port 1234 not the machine he logged into. (Substitute
> another >1024 number for 1234 if you need.)

Do I have to forward the 1234 port to my local machine in my firewall? I
think that I don't need this, right?

On Fri, 16 Apr 2004 17:55:12 +0200, Svein Ove Aas wrote:

> [...]
> Except that he mentioned that his friend has a private (NATed) IP address.
> I'd suggest he bomb the ISP, but whatever...
>
> You basically have two options.
>
> Either:
> (a) Run a VPN of some sort; this is recommended for later, but may be too
> complex right now.
> (b) Give your friend an account on your machine (the firewall machine will
> do) and ask him to ssh -R 1234:localhost:22 to that account. (NOT -L as a
> previous poster used.)
>
> Then you just ssh to port 1234 not the machine he logged into. (Substitute
> another >1024 number for 1234 if you need.)

Hi Svein,
you are right, I took the private IP address as a typo,
since I haven't heard of something like this before.
(that an ISP gives private ips).

So, my bad, I admit; your solutions sounds reasonable,
this should do.

Thanks for your corrections!
Peace,
Georg