[CoLoCo] ssh but kind of a mac question so please forgive
Kevin Fries
kfries at cctus.com
Thu Sep 25 18:30:42 BST 2008
Sorry for top posting... f-ing outlook web connector
The "ssh -p u -L v:w:x y@z.com" command should be read as such:
- Connect to z.com as user y on port u
- Once connected, create a tunnel to machine at ip (or name resolved to an IP at the remote machine) w port x
- For the local side of the tunnel, listen on port v.
The effect of this can be explained in simpler language as:
ssh will attempt to log in to the sshd server at z.com as user y (use RSA keys to automate the login) that is listening on port u. Once the connection is established, it will build a tunnel that will transport all traffic unchanged from the local desktop's port v to the server. Once the traffic gets to the server, it will then be forwarded to a service on machine w port x unaltered, as if the user had done so from that remote machine. It is assumed that there will be a machine at w listening on port x that will then know what to do with the request.
If you want more than one port forwarded, you can add more than one -L option to the command line. The sshd server and the machine hosting the service could be the same machine, or different machines depending on your network. So, let's get stupid with an example, and use your 5151 as the listening port to show how this command can grow to something super powerful.
* SSHD server is called vpn.example.com
* SSHD server is listening on port 5151
* You have an account on that remote machine called Jim
* You are using the RSA key at /users/jim/.ssh/mykey
* None of the other machines (below) have public IP addresses.
* We are trying to tunnel several protocols to make a remote user appear local
* We want to forward IMAP4 traffic to a server called mail
* We want to forward SMTP traffic to a server called mail
* We want to forward LDAP traffic to a server called domain
* We want to forward web traffic for the standard web to a server called intranet
* We want to forward web traffic for Sugar CRM to a server called sugar
* We want to forward webmin traffic to the ssh machine even though webmin does not bind to any port other than localhost.
Pretty crazy huh? Let's also assume that the intranet and sugar machines are two different machines. Therefore, you cannot blindly forward all port 80 traffic to either machine. So, for the sugar machine, we will set the local port to 81, even though the remote server is still on 80. The port difference will be fixed in the SSH tunnel, and you can once again blindly forward all traffic for a port to a specific machine. Also, even though webmin is inaccessible from any machine other than the sshd server it is on, that is OK, because the tunnel makes it look like all traffic is originating from the SSHD server. Therefore, just forward to localhost, and a service that was once inaccessible is now accessible. I will also assume that the local machine is also running webmin, so you cannot bind to port 10000 locally since your local instance of webmin will be bound to that port.
Well just like trying to eat an elephant, just do it one byte at a time.
(again, split on multiple lines for readability, type all in one line)
sudo ssh
-p 5151
-i /users/jim/.ssh/mykey
-L 143:mail:143
-L 25:mail:25
-L 389:domain:389
-L 80:intranet:80
-L 81:sugar:80
-L 10001:localhost:10000
jim@vpn.example.com
Like I said, crazy, but I have used tunnels like this before, and once set up, they work great. I tried to put as many situations into one connection as possible, so this is a pretty intense example. There are two situations I did not cover: relaying through more than one machine (let's say the internal mail server ran webmin only on localhost like the sshd server did, but did not have a public IP (local only mail)); and how to change this command to run automatically via inetd (look at the -N and -q switches). But I thought I would leave some fun for you to struggle with yourself, lol
Take Care
Kevin
________________________________________
From: ubuntu-us-co-bounces at lists.ubuntu.com [ubuntu-us-co-bounces at lists.ubuntu.com] On Behalf Of Jim Hutchinson [jim at ubuntu-rocks.org]
Sent: Thursday, September 25, 2008 10:23 AM
To: Ubuntu Colorado Local Community Team
Subject: Re: [CoLoCo] ssh but kind of a mac question so please forgive
On Wed, Sep 24, 2008 at 7:00 PM, Kevin Fries <kfries at cctus.com> wrote:
Jim,
SSH is just port forwarding. It has no concept of protocols. In short, it's just a dumb translator.
If you want other ports forwarded, forward them.
I have never used the notation you are using; instead I use the forward-local notation, and I don't have a reference in front of me... So please translate this to what you want. But if I was trying to ssh tunnel 80 and 443 I would enter something like:
ssh -L 80:localhost:5151
-L 443:localhost:5152
user@example.com
All on one line of course.
Kevin,
Thanks for the info. Here is what I tried. Because my ssh listens on port 5151 I have to use the -p option. Not sure if that means I need to change the part after localhost or not. I used sudo because it says I have to for use of privileged ports.
sudo ssh -i /path/to/key -p 5151 -L 80:localhost:5151 user@remote.host
It didn't work. By which I mean that it made the ssh connection just fine, but traffic on port 80 is not tunneled (I tested by going to a "what's my ip" site and it's not my home ip as it is when tunneled). Of course, I'm assuming that if I open a browser and go to www.google.com that it will be sent over port 80 from the computer. Do I have any guarantee that this happens? Maybe there is something wrong with the ssh syntax or maybe I need to use a different port other than the ssh connection port for the localhost:5151 part.
Any thoughts? Thanks.
--
Jim (Ubuntu geek extraordinaire)
----
Please avoid sending me Word or PowerPoint attachments.
See http://www.gnu.org/philosophy/no-word-attachments.html
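The v:w:x reading of -L that Kevin lays out above, applied to both commands in this thread, as an added example that is not part of the original mails. It parses the -p and -L options, prints each forward as "local listener -> sshd -> destination", and flags the things a reviewer would check first: privileged local ports (why sudo is needed), a local port used twice, and a forward whose destination is the sshd port itself (Jim's 80:localhost:5151). Host names and paths are taken from the thread; the warning texts are the example's own.

```python
import shlex
from dataclasses import dataclass


@dataclass(frozen=True)
class Forward:
    local_port: int  # v: port ssh listens on at the local desktop (127.0.0.1)
    dest_host: str   # w: host the sshd server connects to, resolved remotely
    dest_port: int   # x: port on that host


def parse_ssh_cmd(cmd: str) -> tuple[int, list[Forward]]:
    """Return (sshd port, list of -L forwards) from an ssh command line."""
    args = shlex.split(cmd)
    sshd_port, forwards, i = 22, [], 0
    while i < len(args):
        if args[i] == "-p":
            sshd_port = int(args[i + 1])
            i += 2
        elif args[i] == "-L":
            # [bind_address:]v:w:x; bracketed IPv6 hosts are not handled here
            *_bind, v, w, x = args[i + 1].split(":")
            forwards.append(Forward(int(v), w, int(x)))
            i += 2
        else:
            i += 1  # -i, key path, sudo, ssh, user@host: not needed here
    return sshd_port, forwards


def check_forwards(sshd_port: int, forwards: list[Forward]) -> list[str]:
    """Problems worth flagging before the command is run."""
    warnings, seen = [], set()
    for f in forwards:
        if f.local_port < 1024:
            warnings.append(f"local port {f.local_port} is privileged: needs sudo")
        if f.local_port in seen:
            warnings.append(f"local port {f.local_port} appears in two -L options")
        seen.add(f.local_port)
        if f.dest_host == "localhost" and f.dest_port == sshd_port:
            warnings.append(f"{f.local_port}:localhost:{f.dest_port} lands on sshd "
                            "itself, not on a web service")
    return warnings


# Constructed from the two commands in the thread (names as given there).
KEVIN = ("sudo ssh -p 5151 -i /users/jim/.ssh/mykey -L 143:mail:143 -L 25:mail:25 "
         "-L 389:domain:389 -L 80:intranet:80 -L 81:sugar:80 "
         "-L 10001:localhost:10000 jim@vpn.example.com")
JIM = "sudo ssh -i /path/to/key -p 5151 -L 80:localhost:5151 user@remote.host"

if __name__ == "__main__":
    for cmd in (KEVIN, JIM):
        port, fwds = parse_ssh_cmd(cmd)
        for f in fwds:  # one line per -L, in Kevin's three-bullet reading
            print(f"127.0.0.1:{f.local_port} -> sshd:{port} -> {f.dest_host}:{f.dest_port}")
        print(*check_forwards(port, fwds), sep="\n")
```

Note that -L only carries connections made to the local listener: a browser aimed at www.google.com never touches 127.0.0.1:80, so the "what's my ip" test cannot pass with -L alone, regardless of which ports are forwarded.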