On Using Meerkat to Work on Remote Hosts Behind Firewalls
I’ve written about using ExpanDrive to work with files on remote hosts from Mac OS.
I work on a number of hosts that are protected behind firewalls and have to be accessed from a bastion host. In my examples, I will assume the bastion host is called bastion.external and the protected host is called protected.internal. In order to log in to the protected host, I need to log in to the bastion host and then once again into the protected host:
ssh -A bastion.external ssh protected.internal
SSH can handle this fine, especially with password-less authentication. You can also configure your .ssh/config file to use netcat to bounce the connection straight from the bastion host to the protected host.
The problem is that ExpanDrive cannot access the protected host, and working on remote hosts without ExpanDrive is unpleasant.
So, let’s solve this using SSH port forwarding. We will forward port 50022 on the local host to port 22 on the protected host using:
ssh -N bastion.external -L 50022:protected.internal:22
Once we have done this, connections on port 50022 on the local host are forwarded to port 22 (the standard SSH port) on the protected host. The local port number does not have to be 50022, but it’s a private port and a good mnemonic for the standard SSH port.
We can now use SSH to connect to the protected host via the local port:
ssh localhost -p 50022
We can also access the file system on the protected host using ExpanDrive. We simply use localhost for the server and specify the appropriate local port (50022 in this example).
If we need access to more than one protected host, we simply forward a different local port for each.
Now, this is all well and good, but setting up forwarded ports and remembering port numbers is a bit messy. Let’s clean things up.
First, we will use Meerkat to automatically handle port forwarding. In Meerkat we configure accounts on each bastion host and forwarded ports (or “tunnels”) on each account. We arrange for Meerkat to open at login. Meerkat works seamlessly with Keychain Access to provide password-less authentication. Meerkat is not perfect; it does not automatically maintain connections when the local computer sleeps. Meerkat costs $20 and is available with a 14-day trial licence.
Second, we will add the following lines to .ssh/config to configure an alias for the protected host:
Host protected
Hostname localhost
Port 50022
Once we have done this, SSH, SCP, SFTP, and rsync all know that the alias refers to the correct port on the local host. We can now log in to the protected host simply using
ssh protected
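To tie the two halves together (one forwarded local port per protected host, and a matching alias in .ssh/config), here is an added shell example that is not part of the original post. It assumes the host names from the post plus a constructed second protected host (db.internal); it also adds HostKeyAlias to each stanza so that known_hosts tracks the real host’s key rather than a shared [localhost]:PORT entry.

```shell
#!/bin/sh
# Added example (not from the original post): derive one local port per
# protected host starting at a base port, build the single `ssh -N -L ...`
# command that forwards all of them via the bastion, and emit the matching
# Host stanzas for ~/.ssh/config.

BASTION="bastion.external"   # bastion host name from the post
BASE_PORT=50022              # first local port; each further host gets the next one

# forward_args HOST... -> prints " -L 127.0.0.1:PORT:HOST:22" for each host.
# Binding to 127.0.0.1 explicitly keeps the forwarded port off other
# interfaces even if GatewayPorts were ever turned on.
forward_args() {
    port=$BASE_PORT
    for h in "$@"; do
        printf ' -L 127.0.0.1:%d:%s:22' "$port" "$h"
        port=$((port + 1))
    done
}

# tunnel_command HOST... -> the full ssh command to run (or to mirror as
# Meerkat tunnels on the bastion account).
tunnel_command() {
    printf 'ssh -N %s%s\n' "$BASTION" "$(forward_args "$@")"
}

# config_stanza ALIAS HOST PORT -> one ~/.ssh/config block. HostKeyAlias makes
# known_hosts remember the protected host's key under its real name, so a key
# change on one protected host is still detected per host, not per local port.
config_stanza() {
    printf 'Host %s\n    Hostname localhost\n    Port %d\n    HostKeyAlias %s\n' \
        "$1" "$3" "$2"
}

# ssh_config HOST... -> stanzas for every host, using the same port order as
# forward_args; the alias is the short name before the first dot.
ssh_config() {
    port=$BASE_PORT
    for h in "$@"; do
        config_stanza "${h%%.*}" "$h" "$port"
        port=$((port + 1))
    done
}

# Usage with the post's protected host plus the constructed db.internal:
tunnel_command protected.internal db.internal
ssh_config protected.internal db.internal
```

Append the printed stanzas to .ssh/config and keep the printed ssh command (or its Meerkat equivalent) running; `ssh protected` and `ssh db` then reach the right hosts through the bastion.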
Notes
There are alternatives to Meerkat. However, I found SSHKeychain to be unstable and both iSSH and SSH Tunnel Manager do not appear to support password-less authentication.
November 19th, 2008 at 23:13
Hi and thanks for the Meerkat recommendation. I would like to point out that connections should be re-established after computer wake and if this isn’t happening, to check out the preference setting for the wait period after network transitions. It defaults to five seconds, but depending upon network specifics, could benefit from being set higher. What should happen is that after X seconds of no change in network status, the tunnels should attempt to reconnect.