Advanced SSH usage

From OpenFSG


This article describes how to use your ssh server beyond the basic setup of your machine: with port forwarding you can build a secure tunnel into a closed network.

Prerequisites

You should have read and understood how to set up and use ssh: Use the SSH Server


Port forwarding

Port forwarding allows you to use a closed network without being part of it. If one end of your ssh connection (client or server) sits inside a network that is otherwise not reachable, that end can act like a router and tunnel requests into the closed network.


Forward client port to host port

From the ssh manual page:

   -L [bind_address:]port:host:hostport
            Specifies that the given port on the local (client) host is to be
            forwarded to the given host and port on the remote side.  This
            works by allocating a socket to listen to port on the local side,
            optionally bound to the specified bind_address.  Whenever a con-
            nection is made to this port, the connection is forwarded over
            the secure channel, and a connection is made to host port
            hostport from the remote machine.
  |----client----|                    |-----server----|                 |-----host-----|
  |              |                    |               |                 |              |
  |   local port<|  <incoming         |               |                 |              |
  |    ssh port<>|  <-------------->  |<> ssh port    |                 |              |
                                      |    forwarding>|  -------------> |>host port    |
  
                                      <<<------------local network------------------->>>

If you add -L5555:192.168.178.22:21 to your ssh connection, all traffic to your local port 5555 is forwarded to port 21 of 192.168.178.22. Note that this IP (or DNS name) is resolved on the ssh server's network, not on yours.

We assume that 192.168.178.22 is an FTP server listening on port 21 which is only reachable from the private network, and that the SSH server is also part of this private network. You can then reach this FTP server through the secure SSH tunnel by connecting to

  1. host: localhost
  2. port: 5555

with your FTP client.

You can also use this port forwarding with PuTTY: enter 5555 as the port and 192.168.178.22:21 as the destination.
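
The FTP scenario above as an added shell example (not from the OpenFSG page): a small helper that validates the ports, builds the -L argument and starts ssh in the background with only the forward. 192.168.178.22:21 is the page's sample address; SSH_TARGET (user@sshserver) is an assumed placeholder you set before running the start step. The bind address defaults to 127.0.0.1 so the listener is not reachable from other machines (the bind_address section below explains why that matters).

```shell
# Added example, not the page's own code. SSH_TARGET is a placeholder.

# is_port PORT -> exit 0 if PORT is an integer in 1..65535
is_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# local_forward_spec LOCALPORT HOST HOSTPORT [BIND_ADDRESS]
# Prints the argument for "ssh -L". HOST is resolved on the server side,
# so it may be a name that only exists in the server's private network.
local_forward_spec() {
    bind="${4:-127.0.0.1}"
    is_port "$1" || { echo "bad local port: $1" >&2; return 1; }
    is_port "$3" || { echo "bad host port: $3" >&2; return 1; }
    [ -n "$2" ] || { echo "missing host" >&2; return 1; }
    printf '%s:%s:%s:%s\n' "$bind" "$1" "$2" "$3"
}

# start_local_forward SPEC SSH_TARGET
# -f: go to background after authentication, -N: run no remote command.
# ExitOnForwardFailure makes ssh fail loudly instead of connecting without
# the tunnel when the local port is already taken.
start_local_forward() {
    ssh -f -N -o ExitOnForwardFailure=yes -L "$1" "$2"
}

# Usage: runs only when SSH_TARGET is set, e.g. SSH_TARGET=user@sshserver
if [ -n "${SSH_TARGET:-}" ]; then
    spec=$(local_forward_spec 5555 192.168.178.22 21) || exit 1
    start_local_forward "$spec" "$SSH_TARGET"
    # Now point the FTP client at host localhost, port 5555.
fi
```

The tunnel stays up until the background ssh process is killed; because -N runs no remote command there is no shell to exit from accidentally.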


Dynamic port forwarding (use as Proxy)

From the ssh manual page:

    -D [bind_address:]port
            Specifies a local "dynamic" application-level port forwarding.
            This works by allocating a socket to listen to port on the local
            side, optionally bound to the specified bind_address.  Whenever a
            connection is made to this port, the connection is forwarded over
            the secure channel, and the application protocol is then used to
            determine where to connect to from the remote machine.  Currently
            the SOCKS4 and SOCKS5 protocols are supported, and ssh will act
            as a SOCKS server.  Only root can forward privileged ports.


  |----client----|                    |-----server----|
  |              |                    |               |
  |   local port<|  <incoming         |               |
  |    ssh port<>|  <-------------->  |<> ssh port    |
                                      |    forwarding>|  >outgoing connection
  
                                      <<<------------local network-----------

If you add -D 6666 to your ssh connection, all traffic to your local port 6666 is forwarded to your ssh server, which acts as a proxy. In any program that can use a SOCKS proxy (SOCKS4 or SOCKS5) you can set

  1. proxy address: localhost
  2. proxy port: 6666

This makes it possible to connect to services inside the private network of the server.

For example, in an FTP client you set localhost and 6666 as the proxy settings and then 192.168.178.22 and 21 as the FTP server address and port. Thanks to the proxy, the FTP server in the private network is now reachable for you.

You can also open more than one connection through your new proxy (localhost 6666) at the same time. To set this up in PuTTY, select Dynamic and enter port 6666.
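
The dynamic forward as an added shell example (not from the OpenFSG page): it builds the -D argument, refuses a privileged port when not running as root (the manual's "Only root can forward privileged ports"), and produces the proxy URL for curl, which can fetch the page's FTP example through the SOCKS proxy. SSH_TARGET (user@sshserver) is an assumed placeholder; the port 6666 and the address 192.168.178.22 come from the text above.

```shell
# Added example, not the page's own code. SSH_TARGET is a placeholder.

# is_port PORT -> exit 0 if PORT is an integer in 1..65535
is_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# dynamic_forward_spec PORT [BIND_ADDRESS]
# Prints the argument for "ssh -D". Defaults to 127.0.0.1 so only programs on
# this PC can use the proxy. Ports below 1024 need root, so fail early.
dynamic_forward_spec() {
    bind="${2:-127.0.0.1}"
    is_port "$1" || { echo "bad port: $1" >&2; return 1; }
    if [ "$1" -lt 1024 ] && [ "$(id -u)" -ne 0 ]; then
        echo "port $1 is privileged; run as root or choose a port >= 1024" >&2
        return 1
    fi
    printf '%s:%s\n' "$bind" "$1"
}

# socks_proxy_url PORT -> proxy URL for curl and similar clients.
# "socks5h" (rather than "socks5") hands the host NAME to the proxy, so names
# that only resolve inside the server's private network still work and the
# client does not leak a DNS lookup for them outside the tunnel.
socks_proxy_url() {
    is_port "$1" || return 1
    printf 'socks5h://127.0.0.1:%s\n' "$1"
}

# Usage: runs only when SSH_TARGET is set, e.g. SSH_TARGET=user@sshserver
if [ -n "${SSH_TARGET:-}" ]; then
    spec=$(dynamic_forward_spec 6666) || exit 1
    ssh -f -N -o ExitOnForwardFailure=yes -D "$spec" "$SSH_TARGET"
    # The page's FTP example, fetched through the SOCKS proxy:
    curl --proxy "$(socks_proxy_url 6666)" ftp://192.168.178.22/
fi
```

Any number of clients can use the proxy concurrently; each TCP connection becomes its own channel inside the single ssh session.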


Remote port forwarding

From the ssh manual page:

    -R [bind_address:]port:host:hostport
            Specifies that the given port on the remote (server) host is to
            be forwarded to the given host and port on the local side.  This
            works by allocating a socket to listen to port on the remote
            side, and whenever a connection is made to this port, the connec-
            tion is forwarded over the secure channel, and a connection is
            made to host port hostport from the local machine.
  |-----host-----|                    |----client----|                    |-----server----|
  |              |                    |              |                    |               |
  |    host port<| <----------------- |<forwarding   |                    |               |
  |              |                    |    ssh port<>|  <-------------->  |<> ssh port    |
  |              |                                                        |          port>|  <incoming
  
  <<<-------------local network------------------->>>

This is the opposite of the first port forwarding method. If you add -R7777:192.168.178.22:21 to your ssh connection, all traffic to port 7777 of the ssh server is forwarded to port 21 of 192.168.178.22. Note that this IP (or DNS name) is now one of your local network.

Here we assume that 192.168.178.22 is an FTP server listening on port 21 which is only reachable from your private network, and that the SSH server is part of a public network. You can then access this FTP server from the public network through the secure SSH tunnel by connecting to the ssh server address on port 7777 with your FTP client (no proxy settings are necessary).

You can also use this port forwarding with PuTTY by selecting Remote, entering 7777 as the port and 192.168.178.22:21 as the destination. Be aware that this is a serious security risk, because it makes your local services publicly available.
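
Whether a -R listener on the server is reachable from the public network at all is decided by the server's sshd configuration, not by the client: OpenSSH's sshd binds remote forwards to the server's loopback interface unless GatewayPorts is set to yes or clientspecified, and refuses them entirely when AllowTcpForwarding is no or local. The following added shell example (not from the OpenFSG page) reads the effective configuration as printed by "sshd -T" and classifies the exposure; the sample output is constructed and covers only the relevant lines.

```shell
# Added example, not the page's own code.

# sshd_option NAME < sshd_T_output -> prints the value of NAME.
# "sshd -T" prints one "keyword value" pair per line with lowercase keywords.
sshd_option() {
    awk -v key="$1" '$1 == key { print $2; exit }'
}

# remote_forward_exposure < sshd_T_output
# Prints one of:
#   disabled        AllowTcpForwarding no/local: -R requests are refused
#   loopback-only   GatewayPorts no (the default): only the server itself
#                   can connect to the forwarded port
#   client-chooses  GatewayPorts clientspecified: the client's bind_address
#                   decides who can connect
#   public          GatewayPorts yes: anyone who can reach the server's
#                   port can connect to the service behind the tunnel
remote_forward_exposure() {
    cfg=$(cat)
    tcp=$(printf '%s\n' "$cfg" | sshd_option allowtcpforwarding)
    gw=$(printf '%s\n' "$cfg" | sshd_option gatewayports)
    case "$tcp" in
        no|local) echo disabled; return 0 ;;
    esac
    case "$gw" in
        yes) echo public ;;
        clientspecified) echo client-chooses ;;
        *) echo loopback-only ;;
    esac
}

# Constructed sample of "sshd -T" output (the default, safe setting).
SAMPLE_SSHD_T='port 22
allowtcpforwarding yes
gatewayports no'

check_sample() { printf '%s\n' "$SAMPLE_SSHD_T" | remote_forward_exposure; }

# On the real server (needs root, since sshd -T reads the host keys):
#   sshd -T | remote_forward_exposure
check_sample
```

With the default loopback-only result, the scenario on this page (connecting from the public network to the server's port 7777) does not work until the server administrator changes GatewayPorts, which is also the point at which the risk mentioned above becomes real.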


Make use of bind_address

This optional setting is available for all port forwarding variants. If your local PC (the ssh client) has more than one network address (for example one IP on the private network and one on the internet), you can restrict the port forwarding to one of these networks. If you want the port forwarding to be usable only from your own PC, set localhost as bind_address.

If you don't specify this setting and you have no firewall, everybody can use the forwarded port (for example via yourIP and port 5555).

bind_address=private IP

  |----client----|
  |              |
  |   local port<|  <incoming to private IP
  |  public port<|  X<incoming to public IP will be blocked
  |              |
  |    ssh port<>| <------...

bind_address=public IP

  |----client----|
  |              |
  |   local port<|  X<incoming to private IP will be blocked
  |  public port<|  <incoming to public IP
  |              |
  |    ssh port<>| <------...

bind_address=localhost (or 127.0.0.1)

  |----client----|
  |              |
  |   local port<|  X<incoming to private IP will be blocked
  |  public port<|  X<incoming to public IP will be blocked
  |              |
  |    ssh port<>| <------...

Only connections from your own PC are then possible.
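
To verify on the client which of your forwards are actually reachable from other machines, the following added shell example (not from the OpenFSG page) parses the output of "ss -ltn" (Linux, iproute2) and reports every listening port that is not bound to a loopback address. The sample output is constructed: it shows a -L forward on 5555 bound to all interfaces (IPv4 and IPv6), a -D proxy on 6666 bound to 127.0.0.1 and a listener on [::1]:7777. Note, as a fact about current OpenSSH clients, that -L and -D bind to loopback by default; a wildcard bind only appears when a bind_address such as 0.0.0.0 or the -g option is given.

```shell
# Added example, not the page's own code.

# exposed_forwards < ss_output
# Reads "ss -ltn" lines and prints "PORT ADDRESS" for every listener whose
# address is not loopback (127.x.x.x or [::1]). Wildcard binds such as
# 0.0.0.0, [::] or * are reported because any host that can reach this PC
# could use the tunnel.
exposed_forwards() {
    awk '$1 == "LISTEN" {
        # column 4 is "Local Address:Port"; split at the last colon
        if (match($4, /:[0-9]+$/) == 0) next
        addr = substr($4, 1, RSTART - 1)
        port = substr($4, RSTART + 1)
        if (addr ~ /^127\./ || addr == "[::1]") next
        print port, addr
    }'
}

# Constructed sample of "ss -ltn" output.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:5555        0.0.0.0:*
LISTEN 0      128    127.0.0.1:6666      0.0.0.0:*
LISTEN 0      128    [::]:5555           [::]:*
LISTEN 0      128    [::1]:7777          [::]:*'

check_sample_listeners() { printf '%s\n' "$SAMPLE_SS" | exposed_forwards; }

# Live check on this PC (Linux): ss -ltn | exposed_forwards
check_sample_listeners
```

Running the live check after starting a forward is the quickest way to confirm that a bind_address of localhost took effect: the port must not appear in the output.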


Make use of compression

From the ssh manual page:

    -C      Requests compression of all data (including stdin, stdout,
            stderr, and data for forwarded X11 and TCP connections).  The
            compression algorithm is the same used by gzip(1), and the
            "level" can be controlled by the CompressionLevel option for
            protocol version 1.  Compression is desirable on modem lines and
            other slow connections, but will only slow down things on fast
            networks.  The default value can be set on a host-by-host basis
            in the configuration files; see the Compression option.

With this option all traffic between ssh client and ssh server is compressed. This can matter on relatively slow connections: for example, if your upload speed is only 100 kB/s and the upload speed of your ssh server is much higher, try this option to get a better upload rate. The slower your connection (especially modem or ISDN), the more effect this option has. (Fast connections are often slower through the ssh tunnel; but if you decide to use the tunnel anyway, the connection with compression is often faster than without.)
