SSH Tunneling
This page provides some basic hints on setting up and using an SSH tunnel; for further information, read the ssh manual.
NOTE: The "console1#" and "console2#" prompts used in the examples represent the prompts of two different terminals. You can actually use a single terminal and send the first ssh (the one that creates the tunnel) to the background with the '-f' option. It is omitted here only to make clear (hopefully) which command is doing what; you can add it after the '-N'.
Quick example using the command line
- Open the ssh tunnel:
console1# ssh democritos.sissa.it -L 10022:hg1.hpc.sissa.it:22 -N
- Connect to remote host through the local tunnel:
console2# ssh -p 10022 localhost
console2# sftp -oPort=10022 localhost
console2# scp -oPort=10022 localhost:<SOURCE> <DEST>
console2# scp -oPort=10022 <SOURCE> localhost:<DEST>
Using the SSH config file
- Create the identity file for the gateway host (tunnel):
$ ssh-keygen -t ed25519 -f ~/.ssh/democritos
- Create the identity file for the remote host (destination):
$ ssh-keygen -t ed25519 -f ~/.ssh/hg1
The configuration file should look like this:
# ~/.ssh/tunnel

# this will open the tunnel:
Host democritos
    User <USERNAME>
    HostName democritos.sissa.it
    LocalForward 10022 hg1.hpc.sissa.it:22
    IdentityFile ~/.ssh/democritos

# this will open the connection to hg1 through the tunnel:
Host hg1
    User <USERNAME>
    HostName localhost
    Port 10022
    HostKeyAlias hg1
    IdentityFile ~/.ssh/hg1
    # ForwardX11 yes
    # ForwardX11Trusted yes
Of course, you may include the configuration above in the default file ~/.ssh/config and thus avoid the "-F ~/.ssh/tunnel" everywhere; the examples reported here try to be as unintrusive as possible on your standard environment.
If ssh fails to bind to the local port 10022, one of the following applies:
- you might have a tunnel already active;
- another application is using the port;
- you are not allowed to open listening sockets.
You can use netstat or lsof in order to check if the port is already in use:
# lsof -nP -i TCP@localhost:10022
# lsof -nP -i TCP@localhost
# netstat -tlpn
You can choose another port in the range 1024-65535, at your option; be sure to replace the port number in both parts of the configuration (the LocalForward line of the gateway host and the Port line of the remote host).
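The following POSIX shell functions are an added example, not part of the original page: they check a ~/.ssh/tunnel style file for the two port settings that must agree (the gateway's LocalForward and the destination's Port), reject privileged ports, and test whether a local listener already occupies the port before you start the tunnel. The Host names democritos and hg1 are the ones used on this page; the config path is passed as a parameter.

```shell
# Added example: sanity-check a ~/.ssh/tunnel style config before opening
# the tunnel. Verifies that the LocalForward port of the gateway block and
# the Port of the destination block agree, that the port is in 1024-65535,
# and that nothing already listens on it locally.

# Print the LocalForward listen port of the given Host block
# (accepts both "10022 hg1:22" and "localhost:10022 hg1:22" forms).
tunnel_listen_port() {
    awk -v host="$2" '
        tolower($1) == "host" { in_block = ($2 == host); next }
        in_block && tolower($1) == "localforward" {
            sub(/.*:/, "", $2); print $2; exit
        }' "$1"
}

# Print the Port directive of the given Host block.
tunnel_dest_port() {
    awk -v host="$2" '
        tolower($1) == "host" { in_block = ($2 == host); next }
        in_block && tolower($1) == "port" { print $2; exit }' "$1"
}

# Usage: tunnel_config_ok <config> <gateway-host> <destination-host>
# Returns 0 when both port settings match and are unprivileged.
tunnel_config_ok() {
    lp=$(tunnel_listen_port "$1" "$2")
    dp=$(tunnel_dest_port "$1" "$3")
    if [ -z "$lp" ] || [ -z "$dp" ]; then
        echo "missing LocalForward in '$2' or Port in '$3'" >&2; return 1
    elif [ "$lp" != "$dp" ]; then
        echo "port mismatch: LocalForward $lp vs Port $dp" >&2; return 1
    elif [ "$lp" -lt 1024 ] || [ "$lp" -gt 65535 ]; then
        echo "port $lp outside 1024-65535" >&2; return 1
    fi
}

# Return 0 if no local TCP listener is bound to the port, using lsof as the
# page does, or ss/netstat when lsof is not installed.
port_is_free() {
    if command -v lsof >/dev/null 2>&1; then
        ! lsof -nP -iTCP:"$1" -sTCP:LISTEN >/dev/null 2>&1
    elif command -v ss >/dev/null 2>&1; then
        ! ss -ltn 2>/dev/null | awk '{ print $4 }' | grep -q ":$1\$"
    else
        ! netstat -tln 2>/dev/null | awk '{ print $4 }' | grep -q ":$1\$"
    fi
}

# Typical use: tunnel_config_ok ~/.ssh/tunnel democritos hg1 && port_is_free 10022
```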
Open the ssh tunnel:
console1# ssh -F ~/.ssh/tunnel democritos -N
The '-N' option tells ssh not to execute any command on the gateway. Without the '-N', ssh will execute the user's shell or a command associated with the matching ssh key (defined in the ~/.ssh/authorized_keys of the gateway):
console1# ssh -F ~/.ssh/tunnel democritos
Tunnel activated, CTRL-C to quit
NOTE: in this latter case the ~/.ssh/authorized_keys on the gateway looks like this:
command="echo -ne 'Tunnel activated, CTRL-C to quit ' ; sleep 2h",no-X11-forwarding,no-agent-forwarding ssh-ed25519 ...public-key... comment
The "sleep 2h" forces ssh to keep the tunnel open for at least 2 hours even if there are no active connections; it stays up as long as at least one connection is open through the tunnel (see below). Note also that '-f' won't work in this case.
SSH connection to hg1:
console2# ssh -F ~/.ssh/tunnel hg1
File transfer to/from hg1:
- Interactive mode
console2# sftp -F ~/.ssh/tunnel hg1
- Batch mode, single transfer
console2# sftp -F ~/.ssh/tunnel hg1:<SOURCE> <DEST>
console2# echo "put <SOURCE> <DEST>" | sftp -F ~/.ssh/tunnel -b - hg1
- Batch mode, command from file instead of stdin
console2# sftp -F ~/.ssh/tunnel -b batchfile hg1
Remote copy to/from hg1:
- Standard scp options can be added as usual
console2# scp -F ~/.ssh/tunnel hg1:<SOURCE> <DEST>
console2# scp -F ~/.ssh/tunnel <SOURCE> hg1:<DEST>
You can optionally add something like this to your ~/.bashrc file:
alias hg1-tunnel='ssh -F ~/.ssh/tunnel democritos'
alias hg1-ssh='ssh -F ~/.ssh/tunnel hg1'
alias hg1-scp='scp -F ~/.ssh/tunnel'
alias hg1-sftp='sftp -F ~/.ssh/tunnel'
For further information on the commands mentioned above, here you can find their online manpages:
* ssh
* ssh_config
Here you can find some other hints on ssh usage: