Tuesday, November 20, 2007 at 10:25 AM |  




This is a short introduction to SSH tunnelling (also known as "port
forwarding"). It describes with some simple examples how a user can
establish an apparently direct connection to any machine in the
Garchinger Campus, despite the newly enforced restricted access to a selected
number of machines.


Let's define our sample setup: We have a PC at home called mypc. We
want to connect to a computer in Garching called work, but we are
only allowed to connect to a gateway machine called gate:





The normal way would be a two step process: first connect from
mypc to gate and then from gate to

work. Let's see how a tunnel can help:



  • Case 1: From a Unix-like machine


    The following refers to OpenSSH 2.x and 3.x:



    On mypc we execute this command:


    ssh -l myuserid -L 7777:work:22 gate cat -


    This means: open an ssh connection as user myuserid to host
    gate and execute the command cat -. While the session is
    open, redirect all connections to port 7777 on the local machine to
    port 22 on machine work.



    Now we can use any SSH command (ssh, slogin, scp,

    sftp) to connect directly to work through the
    tunnel. For example:


    ssh -p 7777 localhost uname -a

    slogin -p 7777 localhost

    scp -p -P 7777 localhost:data/file1.txt .

    sftp -oPort=7777 localhost





    How it works:



    The ssh process on the local machine mypc establishes an
    SSH connection with the sshd server process on the gateway
    machine gate. It uses the well-known port 22 on the
    server side and some free port on the local machine, e.g. 605. In
    addition, because we have used the -L option, the local

    ssh process accepts local connections to port 7777 and
    sends all data received on this port through the other port 605
    to gate with some marking "this is from tunnel 7777". The
    gateway gate has been informed through the -L option
    that, whenever it receives data marked with "this is from tunnel
    7777", it has to open a connection to host work on port 22 and
    send it that data:






    Some remarks:





    1. The cat - command in the first ssh command is there only to
      keep the connection open. Any other command which does not finish
      could be used. It could be left blank, too, thereby opening a shell,
      but then you need a controlling terminal and cannot use the ssh
      command in a script.



    2. You can use any port above 1024 and below 32768 for the -L option.



    3. If you need to connect to several machines, then just specify more
      -L options in the first ssh command, one per machine, each with
      a different local port. For example:

      ssh -l myuserid -L 7777:work1:22 -L 7778:work2:22 -L 7779:work3:22 gate cat -

      then use ssh -p 7777 localhost to connect to work1,

      ssh -p 7778 localhost to connect to work2, etc.



    4. You can also redirect to other remote ports. For example, if
      machine work accepted telnet connections (port 23), then
      you could prepare the tunnel with:


      ssh -l myuserid -L 7777:work:23 gate cat -



      and then just telnet to work with this command:


      telnet localhost 7777


      The port numbers of usual network services can be found in file
      '/etc/services'.



    5. You can write a small script to setup the SSH tunnel for all
      connections you normally need and call that script automatically every
      time you connect from home to the Internet.



    6. You can define aliases for connections which you need very
      often. For example, if you do (in a tcsh):

      alias sshwork 'ssh -p 7777 localhost'

      then you can simply do things like:

      sshwork uname -a

      sshwork ps -ef

      sshwork (to login)




    7. With some more complex aliases or shell scripts you can almost work
      as with a direct connection. For example, if you do:


      alias ssh \
      'set target=`echo \!^ | sed -e "s/work/-p 7777 localhost/g"` ; \
      /usr/local/bin/ssh $target \!:2*'

      then you can do:

      ssh work ps -ef



    8. If you use the -v option for the ssh command which prepares
      the tunnel, then you can see in its output whenever a connection is
      established through the tunnel (and other debug messages).
Posted by admin Labels:

0 comments:

Visit the Site
Privacy Statement
Copyright 2007, pirate-unsecure