On Using Meerkat to Work on Remote Hosts Behind Firewalls

November 2008.

I’ve written about using ExpanDrive to work with files on remote hosts under Mac OS.

I work on a number of hosts that are protected behind firewalls and have to be accessed from a bastion host. In my examples, I will assume the bastion host is called bastion.external and the protected host is called protected.internal. In order to log in to the protected host, I need to log in to the bastion host and then once again into the protected host:

ssh -A bastion.external ssh protected.internal

SSH can handle this fine, especially with password-less authentication. You can also configure your .ssh/config file to use netcat to bounce the connection straight from the bastion host to the protected host.

The problem is that ExpanDrive cannot access the protected host, and working on remote hosts without ExpanDrive is unpleasant.

So, let’s solve this using SSH port forwarding. We will forward port 50022 in the local host to port 22 on the protected host using:

ssh -N bastion.external -L 50022:protected.internal:22

Once we have done this, connections on port 50022 on the local host are forwarded to port 22 (the standard SSH port) on the protected host. The local port number does not have to be 50022, but it’s a private port and a good mnemonic for the standard SSH port.

We can now use SSH to connect to the protected host via the local port:

ssh localhost -p 50022

We can also access the file system on the protected host using ExpanDrive. We simply use localhost for the server and specify the appropriate local port (50022 in this example).

If we need access to more than one protected host, we simply forward a different local port for each.

Now, this is all well and good, but setting up forwarded ports and remembering port numbers is a bit messy. Let’s clean things up.

First, we will use Meerkat to automatically handle port forwarding. In Meerkat we configure accounts on each bastion host and forwarded ports (or “tunnels”) on each account. We arrange for Meerkat to open at login. Meerkat works seamlessly with Keychain Access to provide password-less authentication. Meerkat costs $20 and is available with a 14-day trial licence.

Second, we will add the following lines to .ssh/config to configure an alias for the protected host:

Host protected
Hostname localhost
Port 50022

Once we have done this, SSH, SCP, SFTP, and rsync know that the alias refers to the correct port on the local host. We can log in to the protected host simply using

ssh protected
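As an added example (not from the original post), the POSIX shell functions below generate the .ssh/config blocks for several protected hosts, each on its own local port, refuse duplicate local ports, and add HostKeyAlias so that known_hosts records each key under the real host name rather than under [localhost]:PORT, where a later tunnel on the same port would otherwise trip a host-key mismatch. The host names and ports are constructed.

```shell
#!/bin/sh
# Added example, not part of the original post. Generates ~/.ssh/config
# aliases for protected hosts reached through a local forwarded port.
# HostKeyAlias is a standard ssh_config option: without it, every tunnel
# shares the known_hosts entry "[localhost]:PORT", so reusing a port for a
# different host produces a key mismatch (or trains users to ignore one).

# gen_alias ALIAS REALHOST LOCALPORT -> prints one Host block
gen_alias() {
    printf 'Host %s\n    Hostname localhost\n    Port %s\n    HostKeyAlias %s\n\n' \
        "$1" "$3" "$2"
}

# forward_cmd BASTION REALHOST LOCALPORT -> the ssh command that opens the tunnel
forward_cmd() {
    printf 'ssh -N %s -L %s:%s:22\n' "$1" "$3" "$2"
}

# gen_config ALIAS:REALHOST:LOCALPORT ... -> prints all Host blocks;
# returns 1 without printing the offender if a local port is used twice.
gen_config() {
    seen=""
    for entry in "$@"; do
        alias=${entry%%:*}
        rest=${entry#*:}
        real=${rest%%:*}
        port=${rest#*:}
        case " $seen " in
            *" $port "*)
                echo "duplicate local port $port for $alias" >&2
                return 1 ;;
        esac
        seen="$seen $port"
        gen_alias "$alias" "$real" "$port"
    done
}

# Constructed sample: two protected hosts behind bastion.external.
gen_config protected:protected.internal:50022 other:other.internal:50023
forward_cmd bastion.external protected.internal 50022
```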

Notes

There are alternatives to Meerkat. However, I found SSHKeychain to be unstable and both iSSH and SSH Tunnel Manager do not appear to support password-less authentication.

Thanks

I thank Justin Miller, the author of Meerkat, for clarifying that Meerkat will attempt to reconnect after sleeping and waking.

Copyright © Alan Watson 2008