Ssh Setup a SSH Tunnel: Difference between revisions

From NovaOrdis Knowledge Base
Latest revision as of 05:16, 5 May 2021

Internal

  • OpenSSH Operations
  • Amazon EKS Operations ssh Tunnel into an EKS NodePort Service

Overview

OpenSSH can be used to tunnel traffic from the local host to a remote host you have an account on. For ssh tunneling concepts, see:

OpenSSH Concepts - Tunneling

Setting a Tunnel from a Local Port to a Port on a Remote Host

ssh -f -N [-p <remote-host-ssh-port>] [-i <identity-file>] \
  [remote-host-ssh-user]@<remote-host-address> \
  -L <local-port>:<remote-host-interface-to-forward-to>:<port-on-remote-host-to-forward-to> 

Options:

-f

The "-f" option tells ssh to go to background.

-N

The "-N" option tells ssh to NOT execute any command on the remote system. If "-N" is omitted, ssh will establish the tunnel AND log in, opening an interactive session on the remote host.

-L

The "-L" option specifies the tunnel details (local port, remote host interface, remote port, as described below).

Other Arguments

The meaning of other arguments is the following:

  • -p <remote-host-ssh-port> may be used to specify a non-standard SSH port, if the SSH daemon on the remote host was configured to listen on a port other than 22.
  • -i <identity-file> may be used to specify a non-standard identity file, or the identity file for the remote user the connection is made for, if different from the local UNIX user that executes the command.
  • remote-host-ssh-user is the user on the remote system the SSH connection is made on behalf of. If omitted, the UNIX user executing the command is implied.
  • remote-host-address is the address of the remote system that runs the sshd daemon.
  • local-port is the local port for which incoming traffic will be forwarded over the tunnel.
  • remote-host-interface-to-forward-to is the interface on the remote host that traffic arriving over the tunnel will be forwarded to. A good choice is 127.0.0.1, if the service we want to forward to listens on that interface. If we forward to 127.0.0.1, iptables will usually allow the forwarded traffic, as iptables is commonly configured to allow local traffic: the connection to the service is opened by sshd on the remote host itself, so it arrives on the loopback interface like any other local connection.
  • port-on-remote-host-to-forward-to is the port on the remote-host-interface-to-forward-to to forward traffic arriving on the tunnel to.

Exit on Forward Failure

If the "ExitOnForwardFailure" configuration option is set to "yes", then a client started with -f will wait for all remote port forwards to be successfully established before placing itself in the background, or will exit with a non-zero exit code otherwise. Without it, ssh only prints a warning when a forward cannot be set up (for example because the local port is already in use) and stays running in the background without the tunnel.

-o ExitOnForwardFailure=yes

Connection Keep-Alive

TCPKeepAlive=yes enables TCP-level keepalive probes, and ServerAliveInterval=30 makes ssh send an encrypted alive request through the connection every 30 seconds if no data has been received, so that a dead peer is detected and an idle tunnel is not silently dropped by intermediate firewalls or NAT devices.

-o TCPKeepAlive=yes
-o ServerAliveInterval=30

Example

ssh -f -N -p 2022 -i /home/bob/.ssh/id_rsa bob@bobshost.com -L 873:127.0.0.1:873
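The command above, wrapped in a shell function as an added example (not code from the wiki page): it combines the tunnel with the ExitOnForwardFailure and keep-alive options from the sections above, validates the port arguments, and checks that the local port really is listening once ssh has backgrounded itself. The user, host and identity-file values are constructed placeholders taken from the page's example, and the listener check assumes a Linux client with ss available.

```shell
#!/bin/sh
# Added example, not code from the wiki page. Builds the page's tunnel command
# with the ExitOnForwardFailure and keep-alive options, validates the port
# arguments, and verifies that the local port really is listening afterwards.
# All host, user and path values are constructed placeholders.

# Print the ssh command line for a local-port -> remote-port tunnel.
# Usage: build_tunnel_cmd <user@host> <local-port> <remote-iface> <remote-port> [ssh-port] [identity-file]
build_tunnel_cmd() {
    target=$1; lport=$2; riface=$3; rport=$4; sport=${5:-22}; ident=$6
    # Reject non-numeric or out-of-range ports up front, with a clearer
    # failure than the one ssh would print later.
    for p in "$lport" "$rport" "$sport"; do
        case $p in
            ''|*[!0-9]*) return 1 ;;
        esac
        if [ "$p" -lt 1 ] || [ "$p" -gt 65535 ]; then return 1; fi
    done
    # -f/-N as on the page; ExitOnForwardFailure makes a failed -L bind fatal
    # instead of leaving a backgrounded ssh with no tunnel.
    cmd="ssh -f -N -o ExitOnForwardFailure=yes -o TCPKeepAlive=yes -o ServerAliveInterval=30"
    cmd="$cmd -p $sport"
    if [ -n "$ident" ]; then cmd="$cmd -i $ident"; fi
    cmd="$cmd $target -L $lport:$riface:$rport"
    printf '%s\n' "$cmd"
}

# Start the tunnel, then confirm a listener exists on the local port.
# Assumes a Linux client with ss(8) available; paths must not contain spaces.
start_tunnel() {
    cmd=$(build_tunnel_cmd "$@") || { echo "invalid tunnel arguments" >&2; return 1; }
    $cmd || { echo "ssh could not establish the forward" >&2; return 1; }
    if ss -ltn 2>/dev/null | grep -q ":$2 "; then
        return 0
    fi
    echo "ssh backgrounded but nothing is listening on local port $2" >&2
    return 1
}

# Equivalent of the page's example (constructed values):
# start_tunnel bob@bobshost.com 873 127.0.0.1 873 2022 /home/bob/.ssh/id_rsa
```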