
Snippets

Agent forwarding

Situation: 3 Machines

  1. home
  2. public shell
  3. office

I have opened a tunnel with remote port forwarding from my office machine to a public shell server to make the office machine's ssh server accessible there - let's say on port 2222.

On my home machine I have created a keypair of id_rsa and id_rsa.pub and added its pubkey to the authorized_keys file on my office machine - on my home machine I added id_rsa to the ssh-agent.

Then I ssh-ed from my home machine over the public shell server to my office machine, but without stopping at an interactive shell on the shell server. The command I used to do so is

ssh -i ~/.ssh/id_rsa -A -t  <user>@<shell-server> 'ssh -i id_rsa rtrulsen@localhost -p 2222'

With the -i option we instruct the client to use the id_rsa key for authentication, and with -A to forward the agent. The ssh client started on the shell server then talks to the forwarded agent and can use the keys that were added to it. It prints the warning "Identity file <name> not accessible: No such file or directory." because the file named by the inner -i exists only on the home machine; authentication still succeeds through the agent. Agent forwarding, of course, has its own security risks: while the connection is open, an attacker with access to the agent socket on the shell server (root, or the same account) could use the loaded keys. Still, this is much more secure than copying the keys to a machine that's publicly accessible.
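
Because a forwarded agent can be used from the intermediate host, it is worth knowing where forwarding is switched on permanently rather than per command with -A. The following is an added example, not part of the original page: a POSIX shell function that lists the Host blocks of an OpenSSH client config which set ForwardAgent to anything other than no. The function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original page.
# audit_forward_agent [FILE]: read an OpenSSH client config (stdin if no FILE)
# and print "<Host patterns><TAB><value>" for every ForwardAgent setting other
# than "no" (the option also accepts a socket path or $VARIABLE).
audit_forward_agent() {
    awk '
        BEGIN { scope = "(global)" }
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            if (line == "" || line ~ /^#/) next        # blank line or comment
            n = match(line, /[ \t=]/)                  # end of the keyword
            if (n == 0) next
            key = tolower(substr(line, 1, n - 1))      # keywords ignore case
            val = substr(line, n)
            sub(/^[ \t]*=?[ \t]*/, "", val)            # "key value" or "key=value"
            sub(/[ \t]+$/, "", val)
            gsub(/"/, "", val)                         # values may be quoted
            if (key == "host")  { scope = val; next }
            if (key == "match") { scope = "Match " val; next }
            if (key == "forwardagent" && tolower(val) != "no")
                printf "%s\t%s\n", scope, val
        }
    ' "${1:--}"
}

# Constructed sample config (host names reuse the placeholders on this page).
sample_config() {
    cat <<'EOF'
Host shell
  User rebeka
  Hostname shell.somedomain.tld
  ForwardAgent yes

Host office
  Hostname localhost
  Port 2222
  ProxyJump shell
  ForwardAgent no

Host *
  forwardagent=yes
EOF
}

sample_config | audit_forward_agent
```

A Host * block with ForwardAgent yes is the finding to fix first, because it forwards the agent to every server you connect to.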

Remote port forwarding a.k.a. ReverseSSH

Terms:

  • Local machine: Your workstation from which you'd like to access the target machine
  • Shell server: The publicly reachable machine that you use as the point in the middle between local machine and target machine
  • Target machine: The machine that you'd like to work on

1) Open a reverse ssh-tunnel from the target machine to the shell server

ssh -R 12345:localhost:22 (options) <account-name>@<shell-server>
  • -R is the option to open a reverse tunnel
  • 22 is the port that your SSHd on the target machine is listening on.
  • 12345 is the port you later want to use to access your target machine from the shell server.

2) From your local machine connect to the shell server

ssh <account-name>@<shell-server>

This is the usual way you connect to the shell server.

3) From the shell server connect to the target machine

ssh <account-name>@localhost -p 12345

Here <account-name> is the UNIX account that you have on the target machine and 12345 is the previously defined port for reaching the target machine over the reverse tunnel.

That's it.

SSH through tor with ProxyCommand and netcat

Prerequisites for this:

  • Access to a shell host somewhere to log in using ssh
  • A configured and running tor daemon on your local machine
  • netcat installed on your local machine

Example ~/.ssh/config entry without tor:

Host shell
  User rebeka
  IdentityFile ~/.ssh/shell
  Hostname shell.somedomain.tld

To open an ssh connection with the configuration block above you would run ssh shell in your terminal.
To let this go through tor, append the following to the ssh config block above:

ProxyCommand /usr/bin/nc -x localhost:9050 -X5 %h %p
  • -x localhost:9050 gives the address and port of the proxy to connect through, here the local tor daemon
  • -X5 selects the proxy protocol, here SOCKS5 explicitly; the possible values are 4 (SOCKS4), 5 (SOCKS5) and connect (HTTPS proxy), and SOCKS5 is used by default
  • %h expands to the hostname to connect to
  • %p expands to the port

A list of all available tokens with descriptions can be found in the TOKENS section of ssh_config(5).

pub/tech/networking/ssh_snippets.txt · Last modified: 2022/09/21 20:56