Reverse proxying SSH...

[Joedetic]

First off apologies...because this isn't going to be worded too well. Now......

Does anyone know of a quick and cheap way to implement reverse proxying for SSH servers?

For example....with apache you can build it with proxy modules so that you can have multiple web servers on port 80 in effect (or so it appears to the end user). So you have setup a name based vhost to forward requests for cname.domain.tld to another server that isnt directly published to the web.

So if i've got several ssh servers internally that i'd like to be accessable to the web all on port 22, is there something that i can do like the name based vhosts and proxying for apache to set this up with openSSH server?

I was thinking something like m0n0wall or pfsense but i dont know if they support this and i couldnt find anything saying that they do.

And oh yh...i dont have ISA

[webman]

Have one of them facing externally to SSH in to, and then use port tunnelling to access any others. Or just run ssh client on that one to login to other servers.

[Geoff]

Yep, I'd go with that. I think SSHing into your gateway/firewall then re-SSHing into whatever box is probably the simpler method.

[tom_newton]

Can't say as I have ever seen this done, though there's no (network) reason it couldn't, but probably your easiest solution is a "middleman" ssh server - bit of a pigdog for scp though.

[Joedetic]

Hmmm. That was the thing i wanted to avoid. Never mind. I'll just setup a freeBSD jail so that i don't have to have tonnes of boxes running


Cheers guys.

[tom_newton]

Hang on - just spotted this:
http://penguin.fr/sshproxy/about.html
which may or may not be a partial solution

Other option: vpn then ssh - obviates the need for another server, initial connection is less graceful, but once you're in, it's the mutt's nuts.

[Geoff]

bit of a pigdog for scp though.

What's wrong with:

Code:

scp ~/somefile.tgz me@proxy:root@remote-site:~/somefile.tgz

?

[tom_newton]

Geoff: sod all by the looks of things - though I will admit, I never knew you could do that... useful for scp'ing to my home desktop, as the pf only goes to my fs.