ssh tunnel and a half

Using ssh to shut down lights :-)

As you all probably know, SSH is a very popular protocol used to connect to remote shells. I mostly use OpenSSH as a client (I think most of you do too). SSH has a lot of cool options, but in this post I'm going to write about how to use it to create a secure tunnel.

What is a tunnel?

A tunnel specifies a given port on the local (client) host that is to be forwarded to a given host and port on the remote side. How does it work? ssh allocates a socket to listen on a port on the local side, optionally bound to the specified bind_address. Whenever a connection is made to this port, the connection is forwarded over the secure channel, and a connection is made from the remote machine to the given host and port.

Making the tunnel

Before typing the command line that creates the SSH tunnel, I'm assuming the following topology:

If I want to connect to the database server 192.168.0.2, and the database is PostgreSQL, then the default port is 5432 and the tunnel command line is:

$ ssh -L 5432:192.168.0.2:5432 <user>@<web server>
     _____^______     ______^______
    / local port \   / remote port \

If you are running PostgreSQL on your own machine, you can choose another port to listen on your loopback interface. I always have a pgsql running on my laptop because I use it in most of my development work, and I use port 5435.

$ ssh -L 5435:192.168.0.2:5432 <user>@<web server>

============================================================
 from other terminal
============================================================

$ psql -h localhost -p 5435 -U db_user -d db_name
Welcome to psql 7.3.4, the PostgreSQL interactive terminal.

Type:  \copyright for distribution terms
       \h for help with SQL commands
       \? for help on internal slash commands
       \g or terminate with semicolon to execute query
       \q to quit

db_name=#

You can create tunnels to many ports at the same time, over one SSH connection.

$ ssh -L 5435:192.168.0.2:5432 -L 5436:192.168.0.3:5432 <user>@<web server>

or

$ ssh -L 5435:192.168.0.2:5432 -L 2222:192.168.0.2:22 <user>@<web server>

Then connect to the remote SSH service through the tunnel:

$ ssh -p 2222 user@localhost

SSH tunnels are something very useful in my life. I hope this post helps you make them useful for you too.

and a half …

Many routers or firewalls (stateful ones, for example) try to clean up dead connections: they check whether any data was transmitted in the last N seconds, and if not they assume the connection is no longer in use. For example, I go to get some coffee and when I come back to my desk I see this on my monitor:

lucas@megara:~$ Read from remote host megara.easytech.com.ar:
Connection reset by peer
Connection to megara.easytech.com.ar closed.  

%$#&*@#$^!@#&*$#%^!#@ <- my thoughts

I hate when this happens, and even more if I have all my tunnels created. One way to fix this is to enable the keep-alive option. What this does, essentially, is that every N seconds the client sends a small keep-alive packet to the server, to make it look like the SSH connection is being actively used.

To make all your SSH connections send keep-alive packets you just have to add the following lines to your ~/.ssh/config file:

KeepAlive yes
ServerAliveInterval 60

In most cases this option is very useful, but if the connection is down when the keep-alive packet is sent, ssh will disconnect you, so you have to be careful about which scenarios you use this option in.
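As an added example (my own script, not code from the original post), here is a small POSIX sh helper that builds the multi-port tunnel command from the "Making the tunnel" section and bakes in the keep-alive from this section. It pins every listener to loopback (a forward bound to an empty address, "*" or 0.0.0.0 would be reachable from other machines) and adds two real OpenSSH options the post does not mention, ServerAliveCountMax and ExitOnForwardFailure; user@webserver and the function names are placeholders of mine.

```shell
#!/bin/sh
# Added example (not the post's own): build one ssh command for several
# LPORT:HOST:RPORT forwards, pinned to loopback, with the keep-alive options
# from the "and a half" section. user@webserver is a placeholder gateway.

# valid_port N: true for an integer in 1..65535
valid_port() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# normalize_forward SPEC: print BIND:LPORT:HOST:RPORT or fail. A 3-field
# spec gets 127.0.0.1 prepended. An empty bind, "*" or 0.0.0.0 is refused:
# ssh would then accept tunnel connections from any host that can reach
# this machine, not only from local processes. (No IPv6 literals here.)
normalize_forward() {
    spec=$1
    case $spec in
        *:*:*:*:*) echo "bad forward spec: $spec" >&2; return 1 ;;
        *:*:*:*)   bind=${spec%%:*}; rest=${spec#*:} ;;
        *:*:*)     bind=127.0.0.1;   rest=$spec ;;
        *)         echo "bad forward spec: $spec" >&2; return 1 ;;
    esac
    lport=${rest%%:*}; rest=${rest#*:}
    host=${rest%%:*};  rport=${rest#*:}
    case $bind in
        ''|'*'|0.0.0.0) echo "refusing $spec: not loopback-only" >&2; return 1 ;;
    esac
    if ! valid_port "$lport" || ! valid_port "$rport" || [ -z "$host" ]; then
        echo "bad forward spec: $spec" >&2; return 1
    fi
    echo "$bind:$lport:$host:$rport"
}

# build_tunnel_cmd USER@GATEWAY SPEC...: print the full ssh command line.
#   -N                       no remote shell, the tunnels are all we want
#   ServerAliveInterval=60   keep-alive inside the encrypted channel, 60s
#   ServerAliveCountMax=3    give up after three unanswered keep-alives
#   ExitOnForwardFailure=yes fail loudly if a local port is taken (e.g. 5432)
build_tunnel_cmd() {
    target=$1; shift
    cmd="ssh -N -o ServerAliveInterval=60 -o ServerAliveCountMax=3 -o ExitOnForwardFailure=yes"
    for spec in "$@"; do
        fwd=$(normalize_forward "$spec") || return 1
        cmd="$cmd -L $fwd"
    done
    echo "$cmd $target"
}

# Constructed run: prints the command rather than executing it.
build_tunnel_cmd user@webserver 5435:192.168.0.2:5432 2222:192.168.0.2:22
```

Run the printed command yourself to open the tunnels; with -N it holds only the forwards, and it exits instead of silently continuing if one of the local ports is already in use.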

There are many other options to play with, but I would recommend you take a look at SSH multiplexing and at how to use SSH as a proxy (see the 2600 Summer 2011 issue for a very good article about this).

@lucasmingarro