Nethence Newdoc Olddoc Lab Your IP BBDock  


Warning: those guides are mostly obsolete, please have a look at the new documentation.

UnixWindowsOracleObsoleteHardwareDIYMechanicsScriptsConfigs

SSH tunneling
 
http://pbraun.nethence.com/doc/security/sshd.html
http://pbraun.nethence.com/doc/security/sshd_windows.html
http://pbraun.nethence.com/doc/security/ssh_cluster.html
http://pbraun.nethence.com/doc/security/ssh_tunneling.html
 
 
Introduction
There are several types of SSH tunnels.
 
Depending on the tunnel types described below, eventually consider those hosts :
- a workstation at home, named 'homestation'
- a personal server, named 'myserver'
- a workstation behind NAT and firewalls, named 'entstation'
- a server behind NAT and firewalls, named 'entserver'
- a bounce server behind that same NAT and firewalls, named 'bounceserver'
 
 
Classic tunnel
1/ From your home workstation, you want to secure POP3 sessions against your personal server. In example, you want myserver's port 110 locally at port 1025. Initiate the tunnel from 'homestation',
ssh -L 1025:localhost:110 user@myserver
 
2/ From the enterprise workstation, you want to use your personal server's proxy. In example, you want myserver's port 8080 locally at the same port. Initiate the tunnel from 'entstation',
ssh -L 8080:localhost:8080 user@myserver
 
 
Reverse tunnel
From your personal server, you want to access the enterprise server which is protected behind firewalls and NAT, possibly. In example, you want to send entserver's port 22 to myserver's port 2290.
 
You need to initiate the remote tunnel from 'entserver',
ssh -R 2290:localhost:22 user@myserver
 
 
Reverse tunnel through bounce
From 'mserver' you want to access 'entserver1' and 'entserver2' through a bounce server (possibly windows + cygwin or openssh for windows), all behind firewalls and possibly NAT. In example, you want to send entserver1's port 22 to myserver's port 2291 and enserver2's port 22 to myserver's port 2292.
 
You need to initiate the remote tunnels from 'bounceserver',
ssh -R 2291:entserver1:22 user@myserver
ssh -R 2292:entserver2:22 user@myserver
 
 
Watchdog
Note. once everything works, add the "-nNT" options to the ssh command to go background.
 
You may also want to add a watchdog loop.
 
Prepare an authentication without a password (see http://pbraun.nethence.com/doc/security/sshd.html). You may want to create a restricted user on your personal server for the occasion.
 
Then make a watchdog loop,
cd ~/bin
vi watchdog.ksh
like,
#!/bin/ksh
while true; do
ssh -nNT -R 2290:localhost:22 user@myserver
sleep 1
done
 
Enable at startup, e.g. on HP/UX,
cd /sbin/rc3.d
vi S999watchdog
like,
#!/bin/ksh
[[ $1 = start ]] || exit 1
/home/root/bin/watchdog.ksh &
fix the perm,
chmod +x S999watchdog
 
 
References
OpenSSH for Windows : http://sshwindows.sourceforge.net/
Cygwin : http://www.cygwin.com/
SSH manual : http://netbsd.gw.com/cgi-bin/man-cgi?ssh++NetBSD-current
 

(obsolete, see the new doc)