> We don't control the firewall as it is under the control of our customers.
> As it is I'm trying to figure out how to configure an OpenSSH client to punch out through the firewall to an OpenSSH server, then immediately turn around and provide a shell to the server. This seems to be entirely contradictory to how OpenSSH is designed, but I'm hopeful I can hack something together.
This is trivial. But if you don't control the firewall, how will you get the outbound SSH access? PCI requires that both inbound and outbound traffic from the secure zone (CDE) be controlled. If you can impose upon the customer that they punch an outbound hole, you can impose inbound requirements as well. Your inbound connection does not come from "the public internet", it comes from your managed in-scope network.
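The "trivial" part, as an added example that is not from this thread: a reverse SSH tunnel, where the host inside the customer's zone dials out with `ssh -R` to a relay you manage and publishes its own sshd on the relay's loopback, and the relay account is locked down so the client key can do nothing but hold that one forward open. The relay name, account names, port and key path are assumptions for illustration; the PCI point above still applies, since the outbound hole and the inbound requirements are the same conversation with the customer.

```shell
#!/bin/sh
# Added example (not from the thread): reverse SSH tunnel from a firewalled
# host (the "CDE host") out to a relay you control, exposing the CDE host's
# sshd on the relay's loopback. Hostnames, users, ports and key paths are
# assumed values for illustration only.

RELAY_HOST="${RELAY_HOST:-relay.example.net}"   # assumed relay you manage
RELAY_USER="${RELAY_USER:-rtunnel}"             # assumed unprivileged relay account
RELAY_PORT="${RELAY_PORT:-2222}"                # loopback port on the relay
KEY_FILE="${KEY_FILE:-/etc/rtunnel/id_ed25519}" # assumed client key path

# Accept only an unprivileged TCP port, so a typo cannot try to bind 22 on the relay.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]
}

# Client side (runs on the CDE host). Prints the ssh command line:
#  -N                        tunnel only, no remote shell or command
#  -R 127.0.0.1:P:127.0.0.1:22  relay loopback port P forwards to this host's sshd
#  ExitOnForwardFailure      exit (so a supervisor restarts us) if the bind fails
#  ServerAlive*              notice a dead NAT/firewall state and reconnect
#  StrictHostKeyChecking     never accept an unknown relay host key silently
reverse_tunnel_cmd() {
    valid_port "$RELAY_PORT" || return 1
    printf 'ssh -N -i %s -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -o StrictHostKeyChecking=yes -R 127.0.0.1:%s:127.0.0.1:22 %s@%s\n' \
        "$KEY_FILE" "$RELAY_PORT" "$RELAY_USER" "$RELAY_HOST"
}

# Relay side: authorized_keys entry for the tunnel account.
#  restrict          turn off pty, agent/X11 forwarding, rc files, everything
#  port-forwarding   then re-enable just forwarding
#  permitlisten      and only this one remote-forward socket (OpenSSH 7.8+)
#  command=          a stolen key still gets no interactive shell
authorized_keys_line() {
    pubkey="$1"   # e.g. "ssh-ed25519 AAAA... rtunnel@cde-host"
    valid_port "$RELAY_PORT" || return 1
    printf 'restrict,port-forwarding,permitlisten="127.0.0.1:%s",command="/bin/false" %s\n' \
        "$RELAY_PORT" "$pubkey"
}

# Relay side: how an operator then reaches the CDE host's sshd through the tunnel.
# "admin" is an assumed account on the CDE host.
operator_cmd() {
    printf 'ssh -p %s admin@127.0.0.1\n' "$RELAY_PORT"
}

main() {
    echo "# on the CDE host (run under a supervisor, e.g. systemd with Restart=always):"
    reverse_tunnel_cmd
    echo "# on the relay, in ~${RELAY_USER}/.ssh/authorized_keys (placeholder key):"
    authorized_keys_line "ssh-ed25519 AAAA...PLACEHOLDER rtunnel@cde-host"
    echo "# on the relay, to use the tunnel:"
    operator_cmd
}

if [ "${RTUNNEL_RUN:-0}" = 1 ]; then
    main "$@"
fi
```

Run it with `RTUNNEL_RUN=1 sh reverse_tunnel.sh` to print the three pieces. Keep `GatewayPorts no` (the default) in the relay's `sshd_config` so the forwarded port stays on loopback, and treat the relay as in scope: it is the inbound path into the customer's zone, whichever direction the TCP connection was opened.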