Bypassing AllowTcpForwarding no

Consider two machines, foo and bar, under the following assumptions:

  • they both have an OpenSSH client and server
  • foo can connect to bar, while bar cannot connect to foo
  • bar has TCP forwarding disabled (AllowTcpForwarding no in sshd_config)

We want to forward port 8080 of foo to port 8090 of bar. If TCP forwarding were allowed, this would simply be:

foo$ ssh -R 8090:localhost:8080 bar

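To bypass the TCP forwarding restriction, we can use the stdin/stdout stream that every ssh connection creates. To do so we need a tool like socat, which can create bidirectional pipes between many kinds of endpoints, including TCP sockets and stdin/stdout. socat must be installed on both machines. This works because the account on bar can still run arbitrary commands; as sshd_config(5) notes, disabling TCP forwarding does not improve security unless users are also denied shell access. First create a remote_socat shell script on foo containing: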

ssh bar socat TCP-LISTEN:22003,reuseaddr STDIO

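Then run it on foo, connecting foo's own sshd (port 22) to the listener that socat opens on bar:

foo$ socat TCP:localhost:22 EXEC:./remote_socat

Port 22003 on bar now leads to foo's sshd, so on bar an ordinary local forward over an SSH session to foo does the rest: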

bar$ ssh -p 22003 -L 8090:localhost:8080 localhost
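
On bar, this setup is visible as a socat process with a stdio address running beneath an sshd session. The following check is an added example, not part of the original post: it reads "PID PPID ARGS" lines and prints the PIDs of such processes. The function names and the process listing are constructed, and it assumes sshd process titles begin with "sshd".

```shell
#!/bin/sh
# Added example: flag socat processes that bridge a socket to the stdio of an
# SSH session. Input: lines of "PID PPID ARGS", e.g. from
#   ps -eo pid=,ppid=,args=

find_ssh_stdio_relays() {
  awk '
    { pid = $1; parent[pid] = $2
      $1 = ""; $2 = ""; sub(/^ +/, ""); args[pid] = $0 }
    END {
      for (p in args) {
        # Must be socat with a stdio address (STDIO or its alias "-").
        if (args[p] !~ /^([^ ]*\/)?socat /) continue
        if (toupper(args[p]) !~ / (STDIO|-)(,[^ ]*)?( |$)/) continue
        # Walk up the process tree looking for an sshd ancestor
        # (assumption: sshd process titles start with "sshd").
        a = parent[p]
        for (depth = 0; (a in args) && depth < 64; depth++) {
          if (args[a] ~ /^([^ ]*\/)?sshd/) { print p; break }
          a = parent[a]
        }
      }
    }' | sort -n
}

# Constructed process listing for illustration (not captured from a real host).
sample_ps() {
  cat <<'EOF'
    1     0 /sbin/init
  700     1 /usr/sbin/sshd -D
  810   700 sshd: alice [priv]
  812   810 sshd: alice@notty
  813   812 socat TCP-LISTEN:22003,reuseaddr STDIO
  900     1 socat TCP-LISTEN:8443,fork TCP:10.0.0.5:443
  950   700 sshd: bob [priv]
  952   950 sshd: bob@pts/0
  953   952 -bash
  960   953 vim notes.txt
 1010   700 sshd: carol [priv]
 1012  1010 sshd: carol@notty
 1013  1012 sh -c ./relay.sh
 1014  1013 socat TCP-LISTEN:22004,reuseaddr -
EOF
}

sample_ps | find_ssh_stdio_relays
```

On a live host, feed it `ps -eo pid=,ppid=,args=` instead of the sample; a hit is a lead to review, since socat under an SSH session can also be legitimate.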
