Breaking
Bearfruit

Connecting to firewalled hosts using PuTTY SSH

Maybe this fits your description:

  • You have a network of computers (or one computer) protected by a firewall of some sort
  • You want to be able to ssh into those computers
  • Your firewall runs Linux or some other OS that has OpenSSH on it.

If your personal computer that you’re running SSH from is Linux or has OpenSSH on it, this is a piece of cake (I’ll explain further below). But if you’re using Windows and PuTTY then it can be a bear to get setup.

Scenario:

  • You’re using Windows and PuTTY SSH.
  • The computer that is acting as your firewall is named middleman and runs a modern Linux and OpenSSH server
  • The computer that you want to talk to is named private1 and is on a private network. You’d also like to talk to other computers on that private network. They’re named private2, private3 and private4.
  • middleman has a public IP address, 11.22.33.44
  • private1 has a private IP address, 192.168.0.101 (and private 2, 3, 4 are 102, 103 and 104)

Just a note: You need nearly the full PuTTY package, puttygen, pagent, plink and putty.

Step 1 – Set Up Public Key Encryption

Before any of this will work, you need to be using public key encryption. I will probably create a tutorial on this in the future, but for now, follow the instructions readily available on the net, a good set can be found at howto forge. If you’re already using putty but not public keys, then everything you need is on page 2 of that tutorial.

I strongly suggest using a password for your key. Also, backup your keys to a secure location. When you generated a private and public key pair you had the option to copy the “Public key for pasting into OpenSSH authorized_keys file” (see the highlighted text in the image below).

 

Ensure you keep this highlighted text handy. You may want to open a blank notepad document and paste it in there temporarily

Now, and this is a critical step, you must setup the ssh agent, aka pagent. If you don’t have pagent running and you haven’t loaded it with your private key, steps 2 – 5 below will not work. Believe me, I’ve tried.

Right click your desktop somewhere and choose new -> shortcut. Browse to find pagent.exe, it’s (probably at C:Program FilesPuTTYpagent.exe) and hit next. Give it a name, I call mine ssh-agent and hit finish.

Now right click the newly created shortcut and choose properties. See the editable text field called “Target?” You’ll probably see quotes around the path in there. After the last quote, enter the full path to your private key. This is a file that ends in ppk. If you have more than one private key you can enter them one after another. If the filename to your private key has spaces in it, then you’ll need to wrap quotes around it. One way to get the full path to your private key is to right click your key and choose “create shortcut.” Then you can right click the shortcut, view the properties and get the full path to your key. The end result looks something like this: “C:Program FilesPuTTYpagent.exe” “C:Document and SettingsUsernameMy DocumentsMy Key.ppk” Make sure to click OK to save your changes to the shortcut.

Now when you double click your shortcut pagent will run and load your private key. If you have a password on your key then you’ll be asked to type it in. If you haven’t a password then you’ll see nothing. Don’t panic because except for a possible password prompt, nothing visible should have happened. You can check that things are ok by opening task manager and looking to see if pagent is running.

If you use ssh a lot, you can put this new shortcut in the Start Up folder for Windows. I personally hate being hit with a barrage of password prompts when I login, but the choice is yours. Just remember that this program needs to be run once after you login to Windows but before you use your ssh connection.

Step 2 – Connect to the middleman

Create a new connection to your firewall computer, the one we’re referring to as middleman. Important: When you save this session, give it a name without spaces. This isn’t critical but it makes life easier. If you don’t do this, you’ll have problems with my tutorial. If you wouldn’t normally want or need to connect to this host then you may want to give it a name that starts with the letter z so that it falls to the bottom of the list of connections in putty.

Important Settings:

  • autologin username in Connection -> Data – provide the username you use to login to middleman
  • Check mark allow agent forwarding in Connections -> SSH -> Auth
  • Choose the location of your private key in private key for authentication in Connections -> SSH -> Auth

Don’t forget to save your session. You’ll need it later. Make a note of the name you give it. I’ll assume you’re calling it zmiddleman.

Try your session out. If you get prompted for your password you probably need to add your public key, the one I suggested copying into a notepad document, into your .ssh/authorized_keys file.

Here’s how I do this: once logged into middleman, try using ssh to connect to some computer, even localhost. You’ll get prompted to verify the ssh key signature for the host. Accepting the key will create your .ssh folder with the correct permissions. Then use some editor to paste your key into the bottom of the file on it’s own line. Vi or nano are popular editors (but if you use nano, start it with the -w option or you’ll butcher your lines). Its ok if you have some extra blank lines. Make sure to save your changes. Exit and try to login again. If you get prompted for a password again, something is wrong, ask for help.

If you get prompted for a username, you didn’t follow my instructions… you need to enter a autologin username in the Connection –> Data section of PuTTY.

Don’t move onto the next step until you can connect to this host without being prompted for anything. You should not have to enter a username or a password or anything else.

Step 3 – Use plink

Plink is a console based ssh client that comes with Putty. It’s not pretty. Once you have the above steps working, we need to make sure plink works. Open a command prompt (try Start -> Run -> cmd) and then go to the folder where you installed Putty (try cd “C:Program FilesPuTTY”).

Type plink -load zmiddleman (or whatever you named your session).

You should be logged into your firewall now. Did it work? Great, go to the next step. If it didn’t work ask for help, something unusual is happening.

Step 4 – Connect to the firewalled host from the firewall

Go back to putty and login to your middleman host. Now you need to be able to ssh from here to your final destination. The one we’re referring to as private1. At this point, a lot of variables come into play, and its hard to write a tutorial that covers all of them.

Once logged into middleman, you’ll need to be able to ssh into private1 without being prompted for anything. This could be as simple as typing the command (assuming again that 192.168.1.101 is the IP for private1):

ssh 192.168.1.101

If that works, skip to the next step. If not, or if you want to do some tweaking, read on.

If you get prompted for a password and entering your password allows you to login, follow the steps I explained above to paste your public ssh key (the one you copied into notepad) into .ssh/authorized_keys

You must get this step working. So if you have a different username then try

ssh username@192.168.1.101

If this works but you get prompted for a password and then you’re able to login, then follow the steps outlined above to add your key to .ssh/authorized_keys.

We’ll make life easier by creating a shortcut to private1 which includes the username. This shortcut goes into .ssh/config (which may need to be created). So, using your favorite editor edit .ssh/config and add these lines (make sure to change the relevant items to match your setup):

Host private1 HostName 192.168.1.101 User username ForwardAgent yes

The last line is optional. Save your changes and then try logging in using your shortcut. The shortcut is named, in my example, private1, but in your example something else.

ssh private1

You should be logged into private1 now without being asked for a password or anything else. If not, ask for help.

Step 5 (final step) – Create your connection to private1

Almost done! Now, exit out of your current connection and open putty. We’ll create a new connection.

  • For hostname, use your private lan IP address. i.e. 192.168.0.101
  • Connection -> Data – enter your correct username for private1 in Auto-login username
  • Connection -> SSH -> Auth – Choose your private key (you may like to enable “allow agent forwarding”)
  • Connection -> Proxy – This is the magic! do the following:
  • Proxy type = Local
  • Telnet command or local proxy command = plink -load zmiddleman -nc %host:%port

Save your session and then connect. If everything went as expected, you should now be able to ssh into your hosts on a private lan. Repeat step 5 for all your hosts.

Special instructions for Mac or Linux users

If you’re not using Windows and Putty (or if you use Windows but use cygwin’s openssh) then you get to do things much simpler. You simply edit .ssh/config and add a block like this:

Host private1 User username (change this) HostName 192.168.0.101 ForwardAgent yes ProxyCommand ssh username@middleman nc -q0 %h %p

Now you can ssh into private1 by typing the command

ssh private1

On some versions of Linux (Ubuntu for example) you can even use tab completion for hosts who are specified in your .ssh/config.

Questions? Problems? Praise?

Please leave comments. Be cautious – don’t give away information that could hurt the security of your network.

Pin It