So, I have a script set up to automatically open an SSH connection to my server and reverse port forward a port to me for SSH connections to my home desktop. This script has always worked until now, when I've migrated servers.

The short of it is that I can't get this connection to bind on the external IP address, and I'm not sure why.

The script basically runs this command (I can confirm that this command with my values subbed in has the same result when run from a shell):

sudo autossh -M 5114 -D 7474 -R servers_public_ip:2695:localhost:22 -i /home/user/.ssh/id_rsa2 remote@servers_public_ip

When I check lsof, I see the following connections bound for the remote user:

sshd      27570   remote    3u  IPv4 161761      0t0  TCP servers_public_ip:22->67-213-103-227.eastlink.ca:62812 (ESTABLISHED)
sshd      27570   remote    7u  IPv6 161773      0t0  TCP ip6-localhost:5114 (LISTEN)
sshd      27570   remote    8u  IPv4 161774      0t0  TCP localhost:5114 (LISTEN)
sshd      27570   remote    9u  IPv6 161777      0t0  TCP ip6-localhost:2695 (LISTEN)
sshd      27570   remote   10u  IPv4 161778      0t0  TCP localhost:2695 (LISTEN)

None of these bindings are on the server's public IP, save for my SSH connection to the server to run lsof. This worked fine on my old server. I've checked sshd_config and turned on AllowTcpForwarding explicitly. I'm running out of ideas.

Craige

2 Answers


I hate when this happens, but after a little more research, I'm able to answer my own question.

It seems that sshd_config needed to have GatewayPorts yes to bind to external addresses. I must have missed this when porting over the configurations.

Craige
  • Don't forget to restart the SSH service after changing sshd_config: sudo service ssh restart. (Be careful about changing the SSH config, as any error in the config could result in the SSH server not starting and losing the connection to the server.) – HamedH Aug 08 '20 at 16:37
  • Warning: if you set GatewayPorts to yes, this will make sshd bind your forwardings to any interface, regardless of the client configuration (-R, etc.). This can become quite a security issue if the client assumes she has limited her forwardings to e.g. localhost. Therefore, setting GatewayPorts to `clientspecified` is usually what you want. More details on the perils here: https://unix.stackexchange.com/questions/693885/hardening-reverse-ssh-tunnel-via-jump-host – oligofren Mar 10 '22 at 14:19

In order to make it bind to all interfaces, use:

ssh -N -R 0.0.0.0:2695:localhost:22  root@example.com

Don't forget to edit /etc/ssh/sshd_config, find GatewayPorts, and set it to yes.

Mohamad Osama
    Welcome to ServerFault. OP seemed to have already answered his / her own question. – Pothi Kalimuthu Apr 14 '18 at 10:40
  • You almost never want to set it to `enable`. If you set GatewayPorts to yes, this will make sshd bind your forwardings to any interface, regardless of the client configuration (-R, etc.). This can become quite a security issue if the client assumes she has limited her forwardings to e.g. localhost. Therefore, setting GatewayPorts to clientspecified is usually what you want. – oligofren Mar 10 '22 at 14:18
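The three GatewayPorts values discussed in both answers and their comments (no, yes, clientspecified) decide where sshd actually binds a client's -R forwarding, independently of what the client asks for. The script below is an added example, not code from the question or either answer: it models those rules as documented in sshd_config(5), and reads the effective value out of an sshd_config body the way sshd does (first matching directive wins, keywords case-insensitive, absent means no). The function names, the sample config text and the "loopback"/"wildcard" labels are this example's own assumptions; Match blocks are not modeled.

```shell
#!/bin/sh
# Added example: model of sshd's GatewayPorts handling for -R forwardings.
# Not part of the original question or answers; names are illustrative.

# Print the effective GatewayPorts value from an sshd_config body on stdin.
# sshd honours the FIRST occurrence of a keyword, ignores comment lines and
# compares keywords case-insensitively; if none is present the default is "no".
effective_gatewayports() {
    val=$(awk '
        /^[[:space:]]*#/ { next }
        tolower($1) == "gatewayports" { print tolower($2); exit }
    ')
    printf '%s\n' "${val:-no}"
}

# Given the server-side GatewayPorts value and the bind address the client
# requested in  -R [bind_address:]port:host:hostport, print where sshd binds:
#   no              -> loopback only, whatever address the client asked for
#   yes             -> the wildcard address, whatever address the client asked for
#                      (this is the "any interface" surprise the comments warn about)
#   clientspecified -> the client's address; empty, "*" or 0.0.0.0 means wildcard
sshd_bind_address() {
    gw=$1
    req=$2
    case "$gw" in
        no)
            printf '%s\n' "loopback" ;;
        yes)
            printf '%s\n' "wildcard" ;;
        clientspecified)
            case "$req" in
                ""|"*"|"0.0.0.0"|"::") printf '%s\n' "wildcard" ;;
                *)                     printf '%s\n' "$req" ;;
            esac ;;
        *)
            printf 'invalid GatewayPorts value: %s\n' "$gw" >&2
            return 1 ;;
    esac
}

# Constructed sample sshd_config: the second GatewayPorts line is a decoy that
# sshd ignores, which is exactly the kind of leftover a config port can leave.
SAMPLE_SSHD_CONFIG='# constructed sample, not a real server config
Port 22
AllowTcpForwarding yes
GatewayPorts clientspecified
GatewayPorts yes
'

# Walk through the questioner's forwarding (-R public_ip:2695:localhost:22)
# under each setting, plus a bare -R 2695:localhost:22 for comparison.
demo() {
    gw=$(printf '%s' "$SAMPLE_SSHD_CONFIG" | effective_gatewayports)
    echo "effective GatewayPorts in sample config: $gw"
    for setting in no yes clientspecified; do
        echo "GatewayPorts $setting:"
        echo "  -R 203.0.113.10:2695:localhost:22 -> $(sshd_bind_address "$setting" 203.0.113.10):2695"
        echo "  -R 2695:localhost:22              -> $(sshd_bind_address "$setting" ""):2695"
    done
}

demo
```

Before restarting sshd after the edit, `sudo sshd -t` syntax-checks the file (a broken config is what HamedH's comment warns about) and `sudo sshd -T | grep -i gatewayports` prints the value sshd will really use, so you can confirm the decoy line lost. Note that with clientspecified, the second answer's `-R 0.0.0.0:2695:localhost:22` still lands on all interfaces while a plain `-R 2695:localhost:22` stays on loopback; any -R that ends up on the public IP exposes the home desktop's port 22 to everyone who can reach the server, so that sshd should be key-only.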