ssh tunnel and a half
As you all might know, ssh is a very popular protocol used to connect to remote shells. I mostly use OpenSSH as a client (I think most of you do too). SSH has a lot of cool options, but in this post I'm going to write about how to use it to create a secure tunnel.
What is a tunnel?
A tunnel specifies a given port on the local (client) host that is to be forwarded to the given host and port on the remote side. How does it work? The client allocates a socket that listens on a port on the local side, optionally bound to the specified bind_address. Whenever a connection is made to this port, the connection is forwarded over the secure channel, and a connection is made to the target host and port from the remote machine.
Making the tunnel
Before typing the command line that creates the ssh tunnel, I'm assuming the following topology:
$ ssh -L 5432:192.168.0.2:5432 <user>@<web server>
     _____^______    ______^______
    / local port \  / remote port \
If you are already running PostgreSQL on your own machine, you can choose another port to listen on in your loopback. I always have pgsql running on my laptop because I use it in most of my development work, so I use port 5435.
$ ssh -L 5435:192.168.0.2:5432 <user>@<web server>

============================================================
from other terminal
============================================================

$ psql -h localhost -p 5435 -U db_user -d db_name
Welcome to psql 7.3.4, the PostgreSQL interactive terminal.

Type:  \copyright for distribution terms
       \h for help with SQL commands
       \? for help on internal slash commands
       \g or terminate with semicolon to execute query
       \q to quit

db_name=#
You can make a tunnel to many ports at the same time.
$ ssh -L 5435:192.168.0.2:5432 -L 5436:192.168.0.3:5432 <user>@<web server>

or

$ ssh -L 5435:192.168.0.2:5432 -L 2222:192.168.0.2:22 <user>@<web server>

then try to connect to the remote ssh service through the tunnel:

$ ssh -p 2222 user@localhost
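The -L spec syntax explained above ([bind_address:]port:host:hostport) and the multi-port case are easy to get subtly wrong, so here is a small checker for them. This is an added example, not code from the post: it parses the numeric -L forms the post uses (function names and findings wording are my own) and flags two forwards claiming the same local port, a bind address that exposes the tunnel entrance to other hosts, and privileged local ports.

```python
# Added example (not from the post): parse and sanity-check OpenSSH -L specs in the numeric form [bind_address:]port:host:hostport.
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class LocalForward:
    bind_address: str  # "" means the OpenSSH default: listen on loopback only
    listen_port: int   # port the ssh client opens on the local machine
    host: str          # destination, reached from the SSH server's side
    host_port: int

def _port(text: str) -> int:
    if not text.isdigit() or not 1 <= int(text) <= 65535:
        raise ValueError(f"invalid port {text!r}")
    return int(text)

def parse_local_forward(spec: str) -> LocalForward:
    """Split '5435:192.168.0.2:5432' or '127.0.0.1:5435:192.168.0.2:5432'."""
    parts = spec.split(":")
    if len(parts) == 3:
        parts = [""] + parts  # no bind_address given
    if len(parts) != 4 or not parts[2]:
        raise ValueError(f"bad -L spec {spec!r}: want [bind_address:]port:host:hostport")
    bind, port, host, host_port = parts
    return LocalForward(bind, _port(port), host, _port(host_port))

def listens_beyond_loopback(fwd: LocalForward) -> bool:
    """True when other hosts could reach the local end of the tunnel."""
    if fwd.bind_address in ("", "localhost"):
        return False
    if fwd.bind_address == "*":  # ssh shorthand for all interfaces
        return True
    try:
        return not ipaddress.ip_address(fwd.bind_address).is_loopback
    except ValueError:
        return True  # a hostname we cannot classify: treat it as not loopback

def check_forwards(specs: list[str]) -> list[str]:
    """Findings for the -L specs of one ssh invocation (empty list = clean)."""
    findings, used = [], {}
    for spec in specs:
        fwd = parse_local_forward(spec)
        if fwd.listen_port in used:
            findings.append(f"{spec}: local port {fwd.listen_port} already used by {used[fwd.listen_port]}")
        used.setdefault(fwd.listen_port, spec)
        if listens_beyond_loopback(fwd):
            findings.append(f"{spec}: tunnel entrance listens on {fwd.bind_address}, not loopback")
        if fwd.listen_port < 1024:
            findings.append(f"{spec}: binding local port {fwd.listen_port} needs root")
    return findings
```

IPv6 bracket syntax and Unix-socket forwards are out of scope; a spec using them raises ValueError rather than being misread.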
SSH tunnels are something very useful in my life. I hope this post helps you make them useful for you too.
and a half …
Many routers or firewalls (stateful ones, for example) try to clean up dead connections: they check whether any data was transmitted in the last N seconds and, if not, assume the connection is no longer in use. For example, I go to get some coffee and when I come back to my desk I see this on my monitor:
lucas@megara:~$ Read from remote host megara.easytech.com.ar: Connection reset by peer
Connection to megara.easytech.com.ar closed.
%$#&*@#$^!@#&*$#%^!#@   <- my thoughts
I hate it when this happens, even more so if I have all my tunnels set up. One way to fix this is enabling the keep-alive option. What this does, essentially, is that every N seconds the client sends a small keep-alive packet to the server, so the ssh connection looks actively used to whatever is tracking it in between.
To make all your ssh connections send keep-alive packets, you just have to add the following lines to your ~/.ssh/config file:
# KeepAlive is the old spelling of TCPKeepAlive (TCP-level probes, still accepted by OpenSSH);
# ServerAliveInterval sends an encrypted SSH-level request through the session every 60 seconds.
KeepAlive yes
ServerAliveInterval 60
In most cases this option is very useful, but if the connection is down when a keep-alive packet is sent, ssh will disconnect you, so be careful about which scenarios you use this option in.
There are many other options to play with, but I would recommend you take a look at ssh multiplexing and at how to use ssh as a proxy (see the 2600 Summer 2011 issue for a very good article about this).