This is a short introduction to SSH tunnelling (also known as "port
forwarding"). It describes with some simple examples how a user can
establish an apparently direct connection to any machine in the
Garchinger Campus, despite the newly enforced restricted access to a selected
number of machines.
Let's define our sample setup: We have a PC at home called mypc. We
want to connect to a computer in Garching called work, but we are
only allowed to connect to a gateway machine called gate:
The normal way would be a two step process: first connect from
mypc to gate and then from gate to
work. Let's see how a tunnel can help:
Case 1: From a Unix-like machine
The following refers to OpenSSH 2.x and 3.x:
On mypc we execute this command:
ssh -l myuserid -L 7777:work:22 gate cat -
This means: open an ssh connection as user myuserid to host
gate and execute the command cat -. While the session is
open, redirect all connections to port 7777 on the local machine to
port 22 on machine work.
Now we can use any SSH command (ssh, slogin, scp,
sftp) to connect directly to work through the
tunnel. For example:
ssh -p 7777 localhost uname -a
slogin -p 7777 localhost
scp -p -P 7777 localhost:data/file1.txt .
sftp -oPort=7777 localhost
How it works:
The ssh process on the local machine mypc establishes an
SSH connection with the sshd server process on the gateway
machine gate. It uses the well-known port 22 on the
server side and some free port on the local machine, e.g. 605. In
addition, because we have used the -L option, the local
ssh process accepts local connections to port 7777 and
sends all data received on this port through the other port 605
to gate with some marking "this is from tunnel 7777". The
gateway gate has been informed through the -L option
that, whenever it receives data marked with "this is from tunnel
7777", it has to open a connection to host work on port 22 and
send it that data:
Some remarks:
- The cat - command in the first ssh command is there only to
keep the connection open. Any other command which does not finish
could be used. It could be left blank, too, thereby opening a shell,
but then you need a controlling terminal and cannot use the ssh
command in a script.
- You can use any port above 1024 and below 32768 for the -L option.
- If you need to connect to several machines, then just specify more
-L options in the first ssh command, one per machine, each with
a different local port. For example:
ssh -l myuserid -L 7777:work1:22 -L 7778:work2:22 -L 7779:work3:22 gate cat -
then use ssh -p 7777 localhost to connect to work1,
ssh -p 7778 localhost to connect to work2, etc.
- You can also redirect to other remote ports. For example, if
machine work accepted telnet connections (port 23), then
you could prepare the tunnel with:
ssh -l myuserid -L 7777:work:23 gate cat -
and then just telnet to work with this command:
telnet localhost 7777
The port numbers of the usual network services can be found in the file
/etc/services.
- You can write a small script to set up the SSH tunnels for all
connections you normally need and call that script automatically every
time you connect from home to the Internet.
- You can define aliases for connections which you need very
often. For example, if you do (in a tcsh):
alias sshwork 'ssh -p 7777 localhost'
then you can simply do things like:
sshwork uname -a
sshwork ps -ef
sshwork (to log in)
- With some more complex aliases or shell scripts you can almost work
as with a direct connection. For example, if you do:
alias ssh \
'set target=`echo \!^ | sed -e "s/work/-p 7777 localhost/g"` ; \
/usr/local/bin/ssh $target \!:2*'
then you can do:
ssh work ps -ef
- If you use the -v option for the ssh command which prepares
the tunnel, then you can see in its output whenever a connection is
established through the tunnel (and other debug messages).
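The "small script" mentioned in the remarks, as an added example that is not part of the original page: a POSIX sh function that builds the tunnel-preparing ssh command for any number of machines, one -L option per machine with consecutive local ports, and refuses local ports outside the range given above. The function name and the range check are our own additions; user, gateway, host and port values are the page's sample values.

```shell
#!/bin/sh
# Added example, not the original page's code: assemble the ssh command that
# prepares one tunnel per target machine through the gateway.

# Usage: build_tunnel_cmd USER GATEWAY FIRST_LOCAL_PORT HOST:PORT [HOST:PORT ...]
# Prints an ssh command line with one -L option per HOST:PORT, using local
# ports FIRST_LOCAL_PORT, FIRST_LOCAL_PORT+1, ... in order.
# Returns 1 (and prints nothing on stdout) if any local port would fall
# outside the usable range stated in the remarks (above 1024, below 32768).
build_tunnel_cmd() {
    user=$1; gateway=$2; port=$3
    shift 3
    opts=""
    for dest in "$@"; do
        # Every local listening port must stay within the recommended range.
        if [ "$port" -le 1024 ] || [ "$port" -ge 32768 ]; then
            echo "local port $port out of range (1025-32767)" >&2
            return 1
        fi
        # HOST:PORT becomes the remote side of the -L mapping unchanged,
        # so a non-22 port (e.g. work:23 for telnet) works the same way.
        opts="$opts -L $port:$dest"
        port=$((port + 1))
    done
    # 'cat -' keeps the session open without a controlling terminal,
    # exactly as in the commands shown on this page.
    echo "ssh -l $user$opts $gateway cat -"
}

# Sample call with the page's values: tunnels to work1, work2 and work3
# on local ports 7777, 7778 and 7779.
build_tunnel_cmd myuserid gate 7777 work1:22 work2:22 work3:22
```

The printed command can be run directly or stored in the script you call after connecting from home; each target is then reachable as ssh -p PORT localhost with the port listed beside it.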