SSH Tunneling

This page gives some basic hints on setting up and using an ssh tunnel; for further information read the ssh manual.

NOTE: the "console1#" and "console2#" prompts in the examples stand for two different terminals. You can also use a single terminal by sending the first ssh (the one that creates the tunnel) to the background with the '-f' option; it is left out here only to make clear which command does what. If you want it, add it after the '-N'.

Quick example using the command line

  • Open the ssh tunnel:
console1# ssh -L -N
  • Connect to the remote host through the local tunnel:
console2# ssh -p 10022  localhost
console2# sftp -oPort=10022  localhost
console2# scp -oPort=10022  localhost:<SOURCE>  <DEST>
console2# scp -oPort=10022  <SOURCE>  localhost:<DEST>

Note that ssh records the host key it sees under "[localhost]:10022" in ~/.ssh/known_hosts, so if you later tunnel to a different machine on the same local port you get a "host key has changed" warning, and a warning you expect is a warning you stop reading. Give each destination its own name with -o HostKeyAlias=<name> on these commands, or use the config file below, which does this with HostKeyAlias.

Using the SSH config file

  • Create the identity file for the gateway host (tunnel):
$ ssh-keygen -t ed25519 -f ~/.ssh/democritos
  • Create the identity file for the remote host (destination):
$ ssh-keygen -t ed25519 -f ~/.ssh/hg1

(The original examples used "-t dsa"; OpenSSH has refused ssh-dss keys by default since 7.0, so use ed25519 or rsa. Using a separate key for each hop means the gateway key can be restricted to port forwarding only, as in the authorized_keys example below.)

The configuration file should look like this:

# ~/.ssh/tunnel

# this will open the tunnel:
Host democritos
	LocalForward 10022
	IdentityFile ~/.ssh/democritos

# this will open the connection to hg1 through the tunnel;
# HostKeyAlias makes ssh store and check the host key under the name "hg1"
# instead of "[localhost]:10022", so other tunnels on that port do not clash
Host hg1
	Hostname localhost
	Port 10022
	HostKeyAlias hg1
	IdentityFile ~/.ssh/hg1
#	ForwardX11 yes
#	ForwardX11Trusted yes

Of course, you may put the configuration above in the default file ~/.ssh/config and drop the "-F ~/.ssh/tunnel" from every command; the examples here try to be as unintrusive as possible on your standard environment.

If ssh fails to bind to the local port 10022, one of these is true:

  1. a tunnel is already active;
  2. another application is using the port;
  3. you are not allowed to open a listening socket on that port (for example, ports below 1024 need root).

Use lsof or netstat to check whether the port is already in use:

# lsof -nP -i TCP@localhost:10022
# lsof -nP -i TCP@localhost
# netstat -tlpn

You can choose any other port in the range 1024-65535; be sure to change it in both Host sections of the configuration (the LocalForward of democritos and the Port of hg1).

Open the ssh tunnel:

console1# ssh -F ~/.ssh/tunnel  democritos  -N

The '-N' option tells ssh not to execute any command on the gateway. Without '-N', ssh runs the user's login shell or, if one is set, the command bound to the matching key in ~/.ssh/authorized_keys on the gateway:

console1# ssh -F ~/.ssh/tunnel  democritos
Tunnel activated, CTRL-C to quit

NOTE: in this latter case the ~/.ssh/authorized_keys on the gateway looks like this (the key itself is the base64 public key as written by ssh-keygen, not an encrypted key; printf is used instead of the original "echo -ne", whose -e flag not every /bin/sh understands):

command="printf 'Tunnel activated, CTRL-C to quit ' ; sleep 2h",no-X11-forwarding,no-agent-forwarding ssh-ed25519 ...public-key... comment

The "sleep 2h" keeps the tunnel open for at least 2 hours even if nothing uses it; ssh does not exit while at least one connection is still open through the tunnel, so in practice it stays up for as long as it is in use (see below). Note also that '-f' does not work here: ssh refuses to go to the background when it is given neither a command nor '-N'. Since this key exists only to carry the tunnel, add no-pty as well, and a permitopen="host:port" matching the LocalForward destination, so the gateway refuses to forward this key's connections anywhere else.
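As an added example (not part of the original page), the shell script below generates a tunnel-only authorized_keys entry of the kind just described and audits an existing authorized_keys file for keys that can forward to arbitrary destinations. The key blob, the sample file contents and the hg1:22 target are constructed placeholders; the function names are choices made here.

```shell
#!/bin/sh
# Added example, not from the original page. Builds a hardened authorized_keys
# entry for the tunnel key and audits an authorized_keys file for keys that
# may forward anywhere. Key blobs below are constructed placeholders.

# Constructed sample public key (NOT a real key), as ssh-keygen would print it.
SAMPLE_PUB='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER0000000000000000000000000000000000 laptop'

# Print a tunnel-only entry for the public key read on stdin.
#   restrict        : no pty, X11, agent forwarding, user rc, port forwarding
#   port-forwarding : switch port forwarding back on (the tunnel needs it)
#   permitopen      : only to the one host:port the LocalForward targets
#   command         : what the line in the text does, keep the session up 2h
tunnel_key_entry() {   # usage: tunnel_key_entry DEST_HOST DEST_PORT < key.pub
    read -r ktype kblob kcomment || return 1
    printf 'restrict,port-forwarding,permitopen="%s:%s",command="sleep 2h" %s %s%s\n' \
        "$1" "$2" "$ktype" "$kblob" "${kcomment:+ $kcomment}"
}

# Options field of one authorized_keys line (empty when the line has none).
# The key-type token marks the end of the options, so quoted values that
# contain spaces or commas (command="sleep 2h") stay intact. A command value
# that itself contains " ssh-" would fool this.
ak_options() {
    printf '%s\n' "$1" |
        sed -E 's/^(ssh|ecdsa|sk)-[^ ]+ .*$//; s/ (ssh|ecdsa|sk)-[^ ]+ .*$//'
}

# Report every key: "no forwarding", "forwarding pinned by permitopen", or
# "forwards anywhere". Returns 1 if any key falls in the last group.
audit_authorized_keys() {   # usage: audit_authorized_keys FILE
    rc=0 n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case $line in ''|'#'*) continue ;; esac
        opts=$(ak_options "$line")
        allowed=yes
        case ",$opts," in
            *,no-port-forwarding,*) allowed=no ;;
            *,restrict,*) case ",$opts," in
                              *,port-forwarding,*) ;;
                              *) allowed=no ;;
                          esac ;;
        esac
        case $opts in *permitopen=*) pinned=yes ;; *) pinned=no ;; esac
        if [ "$allowed" = no ]; then
            echo "$n: no forwarding"
        elif [ "$pinned" = yes ]; then
            echo "$n: forwarding pinned by permitopen"
        else
            echo "$n: forwards anywhere (add permitopen= or no-port-forwarding)"
            rc=1
        fi
    done < "$1"
    return "$rc"
}

# Constructed sample file: the line from the text (forwards anywhere), a key
# with forwarding switched off, and the hardened entry for the same key.
write_sample_authorized_keys() {   # usage: write_sample_authorized_keys FILE
    cat > "$1" <<'EOF'
# constructed sample, placeholder keys
command="printf 'Tunnel activated, CTRL-C to quit ' ; sleep 2h",no-X11-forwarding,no-agent-forwarding ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER0000000000000000000000000000000000 laptop
no-port-forwarding,no-pty ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER0000000000000000000000000000000000 laptop
EOF
    printf '%s\n' "$SAMPLE_PUB" | tunnel_key_entry hg1 22 >> "$1"
}

# Run with "demo" to see the audit on the sample file.
if [ "${1:-}" = demo ]; then
    f=$(mktemp) && write_sample_authorized_keys "$f"
    audit_authorized_keys "$f"; echo "exit status: $?"
    rm -f "$f"
fi
```

Run it as `sh script.sh demo`: the line from the text is reported as forwarding anywhere, because nothing in it limits where the gateway will open connections on the key's behalf, while the generated entry is pinned to hg1:22. The restrict keyword needs OpenSSH 7.2 or later on the gateway; on older servers spell out no-pty,no-X11-forwarding,no-agent-forwarding,no-user-rc instead and keep the permitopen.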

SSH connection to hg1:

console2# ssh -F ~/.ssh/tunnel  hg1

File transfer to/from hg1:

  • Interactive mode
console2# sftp -F ~/.ssh/tunnel  hg1
  • Batch mode, single download (uploading is not possible from the sftp command line: use scp, or a batch file containing a "put" command)
console2# sftp -F ~/.ssh/tunnel  hg1:<SOURCE>  <DEST>
  • Batch mode, command from file instead of stdin
console2# sftp -F ~/.ssh/tunnel  -b batchfile  hg1

Remote copy to/from hg1:

  • Standard scp options can be added as usual
console2# scp -F ~/.ssh/tunnel  hg1:<SOURCE>  <DEST>
console2# scp -F ~/.ssh/tunnel  <SOURCE>  hg1:<DEST>

You can optionally add something like this to your ~/.bashrc file:

alias hg1-tunnel='ssh -F ~/.ssh/tunnel democritos'
alias hg1-ssh='ssh -F ~/.ssh/tunnel hg1'
alias hg1-scp='scp -F ~/.ssh/tunnel'
alias hg1-sftp='sftp -F ~/.ssh/tunnel'
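As an added example rather than code from the original page, here is the same tunnel managed from a single terminal by a small script instead of the aliases: it applies the port checks from the previous section, opens the tunnel in the background with ExitOnForwardFailure so a failed bind is reported instead of leaving an ssh running without its forward, and keeps a control socket so the tunnel can be checked and closed later. It assumes the ~/.ssh/tunnel file above (Host democritos with the LocalForward, Host hg1 through it) and local port 10022; the socket path, variable names and subcommands are choices made here.

```shell
#!/bin/sh
# Added example, not part of the original page: one-terminal management of
# the democritos tunnel. Assumes the ~/.ssh/tunnel config from the text; the
# variable names, socket path and subcommands are this script's own choices.

TUNNEL_CONF=${TUNNEL_CONF:-$HOME/.ssh/tunnel}
TUNNEL_GATEWAY=${TUNNEL_GATEWAY:-democritos}
TUNNEL_PORT=${TUNNEL_PORT:-10022}
TUNNEL_SOCK=${TUNNEL_SOCK:-$HOME/.ssh/ctl-$TUNNEL_GATEWAY}

# A local port we may bind without root: an integer in 1024-65535.
valid_port() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]
}

# True if something already listens on TCP port $1: the lsof/netstat check
# from the text, using whichever of ss, lsof or netstat is installed.
port_listening() {
    if command -v ss >/dev/null 2>&1; then
        ss -ltn "sport = :$1" 2>/dev/null | grep -q LISTEN
    elif command -v lsof >/dev/null 2>&1; then
        lsof -nP -iTCP:"$1" -sTCP:LISTEN >/dev/null 2>&1
    else
        netstat -an 2>/dev/null | grep -q "[.:]$1[[:space:]].*LISTEN"
    fi
}

tunnel_up() {
    valid_port "$TUNNEL_PORT" || {
        echo "bad port $TUNNEL_PORT (use 1024-65535)" >&2; return 1; }
    if port_listening "$TUNNEL_PORT"; then
        echo "port $TUNNEL_PORT is in use: old tunnel or another program?" >&2
        return 1
    fi
    # -f -N                : go to background, run no remote command (so no
    #                        forced command is needed on the gateway)
    # ExitOnForwardFailure : exit non-zero if 10022 cannot be bound instead of
    #                        staying up without the forward
    # ControlMaster/Path   : socket for "-O check" and "-O exit" below
    ssh -F "$TUNNEL_CONF" -f -N \
        -o ExitOnForwardFailure=yes \
        -o ControlMaster=yes -o ControlPath="$TUNNEL_SOCK" \
        "$TUNNEL_GATEWAY"
}

tunnel_status() {
    ssh -F "$TUNNEL_CONF" -o ControlPath="$TUNNEL_SOCK" -O check "$TUNNEL_GATEWAY"
}

tunnel_down() {
    ssh -F "$TUNNEL_CONF" -o ControlPath="$TUNNEL_SOCK" -O exit "$TUNNEL_GATEWAY"
}

# Only act when given a subcommand, so the file can also be sourced.
case ${1:-} in
    up)     tunnel_up ;;
    down)   tunnel_down ;;
    status) tunnel_status ;;
    '')     ;;
    *)      echo "usage: $0 up|down|status" >&2; exit 2 ;;
esac
```

After `sh hg1-tunnel.sh up` the commands from the text (`ssh -F ~/.ssh/tunnel hg1`, the scp and sftp variants) work unchanged, since they still connect to localhost:10022; `status` answers with the master's pid, and `down` closes the tunnel together with everything still open through it.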

For further information on the commands mentioned above, here you can find their online manpages:

   * ssh
   * ssh_config

Here you can find some other hints on ssh usage: