This is an obsolete document; see http://doc.nethence.com/ instead.

SSH tunneling 

 

http://pbraun.nethence.com/doc/security/sshd.html 

http://pbraun.nethence.com/doc/security/sshd_windows.html 

http://pbraun.nethence.com/doc/security/ssh_cluster.html 

http://pbraun.nethence.com/doc/security/ssh_tunneling.html 

 

 

Introduction 

There are several types of SSH tunnels. 

 

The tunnel types described below refer to the following hosts:

- a workstation at home, named 'homestation' 

- a personal server, named 'myserver' 

- a workstation behind NAT and firewalls, named 'entstation' 

- a server behind NAT and firewalls, named 'entserver' 

- a bounce server behind that same NAT and firewalls, named 'bounceserver' 

 

 

Classic tunnel 

1/ From your home workstation, you want to secure POP3 sessions to your personal server. For example, you want to reach myserver's port 110 locally on port 1025. Initiate the tunnel from 'homestation':

ssh -L 1025:localhost:110 user@myserver

 

2/ From the enterprise workstation, you want to use your personal server's proxy. For example, you want to reach myserver's port 8080 locally on the same port. Initiate the tunnel from 'entstation':

ssh -L 8080:localhost:8080 user@myserver

 

 

Reverse tunnel 

From your personal server, you want to access the enterprise server, which is protected behind firewalls and possibly NAT. For example, you want to forward entserver's port 22 to myserver's port 2290.

 

You need to initiate the remote tunnel from 'entserver':

ssh -R 2290:localhost:22 user@myserver

 

 

Reverse tunnel through bounce 

From 'myserver' you want to access 'entserver1' and 'entserver2' through a bounce server (possibly Windows with Cygwin or OpenSSH for Windows), all behind firewalls and possibly NAT. For example, you want to forward entserver1's port 22 to myserver's port 2291 and entserver2's port 22 to myserver's port 2292.

 

You need to initiate the remote tunnels from 'bounceserver':

ssh -R 2291:entserver1:22 user@myserver
ssh -R 2292:entserver2:22 user@myserver

 

 

Watchdog 

Note: once everything works, add the "-nNT" options (stdin from /dev/null, no remote command, no pseudo-tty) to the ssh command so that it can run unattended in the background.

 

You may also want to add a watchdog loop. 

 

Prepare key-based authentication without a password (see http://pbraun.nethence.com/doc/security/sshd.html). You may want to create a restricted user on your personal server for this purpose.

 

Then write a watchdog loop:

cd ~/bin
vi watchdog.ksh

like, 

#!/bin/ksh
# Re-establish the reverse tunnel whenever the ssh session ends
while true; do
        ssh -nNT -R 2290:localhost:22 user@myserver
        sleep 1
done
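
As an added example (not the page's own script), here is a POSIX sh version of the same watchdog with the options a practitioner would want: BatchMode so it never hangs on a password or host-key prompt, ExitOnForwardFailure so a stale listener on port 2290 makes ssh exit and the loop retry instead of sitting on a session without the forward, ServerAliveInterval/CountMax so a dead connection is noticed, and a capped backoff instead of "sleep 1". It also prints the authorized_keys line that confines the restricted user mentioned above to forwarding that one port. The user name 'tunnel', the key path and the sample public key are assumptions, not from the page.

```shell
#!/bin/sh
# Added example, not the script from the original page: a POSIX sh watchdog
# for the reverse tunnel of the "Reverse tunnel" section, plus the server-side
# authorized_keys line for the restricted tunnel user.
# Assumed names (not from the page): user 'tunnel' on myserver, key file
# ~/.ssh/tunnel_key on entserver.

TUNNEL_USER=tunnel
TUNNEL_HOST=myserver
TUNNEL_KEY="$HOME/.ssh/tunnel_key"
REMOTE_PORT=2290      # port opened on myserver (ssh -R)
LOCAL_PORT=22         # entserver's sshd, reached through the tunnel

# Options that make the session safe to run unattended:
#  -nNT                    no stdin, no remote command, no pseudo-tty
#  BatchMode=yes           never stop at a password or host-key prompt
#  ExitOnForwardFailure    exit (so the loop retries) if the remote port is
#                          already taken instead of staying up uselessly
#  ServerAliveInterval/    drop a dead connection after about 90 s so the
#  ServerAliveCountMax     loop notices and reconnects
tunnel_opts() {
    echo "-nNT -o BatchMode=yes -o ExitOnForwardFailure=yes" \
         "-o ServerAliveInterval=30 -o ServerAliveCountMax=3" \
         "-R $REMOTE_PORT:localhost:$LOCAL_PORT"
}

# Seconds to wait before retry number n: 1, 2, 4, ... capped at 60, so a
# server that is down is not hammered once per second.
backoff_delay() {
    n=$1
    if [ "$n" -gt 6 ]; then n=6; fi
    d=$(( 1 << n ))
    if [ "$d" -gt 60 ]; then d=60; fi
    echo "$d"
}

# authorized_keys entry for the restricted user on myserver: the key may only
# be used for port forwarding (no shell, pty, agent or X11 forwarding) and may
# only ask myserver to listen on the given port (permitlisten, OpenSSH >= 7.8).
authorized_keys_line() {
    port=$1
    pubkey=$2
    printf 'restrict,port-forwarding,permitlisten="%s" %s\n' "$port" "$pubkey"
}

watchdog() {
    fails=0
    while :; do
        # word-splitting of the tunnel_opts output is intended (no spaces in values)
        if ssh $(tunnel_opts) -i "$TUNNEL_KEY" "$TUNNEL_USER@$TUNNEL_HOST"; then
            fails=0
        else
            fails=$(( fails + 1 ))
        fi
        sleep "$(backoff_delay "$fails")"
    done
}

# Run the loop only when invoked as "watchdog.sh run", e.g. from the rc script.
if [ "${1:-}" = run ]; then
    watchdog
fi
```

Start it as "watchdog.sh run &" from the rc script instead of the ksh loop; on myserver, put the output of authorized_keys_line (with the real public key) into ~tunnel/.ssh/authorized_keys. On an sshd older than 7.8 drop the permitlisten option and keep restrict,port-forwarding, which still denies the key a shell.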

 

Enable it at startup, e.g. on HP-UX:

cd /sbin/rc3.d
vi S999watchdog

like, 

#!/bin/ksh
# Only act on the "start" argument; ignore "stop" and anything else
[[ $1 = start ]] || exit 1
/home/root/bin/watchdog.ksh &

then make it executable:

chmod +x S999watchdog

 

 

References 

OpenSSH for Windows : http://sshwindows.sourceforge.net/ 

Cygwin : http://www.cygwin.com/ 

SSH manual : http://netbsd.gw.com/cgi-bin/man-cgi?ssh++NetBSD-current