Loading
Eleven SSH Tricks
Run remote GUI applications and tunnel any Net connection securely using a free utility that's probably already installed on your system.
Ports are the numbers representing different services on a server; such as port 80 for HTTP and port 110 for POP3. You can find the list of standard port numbers and their services in /etc/services. SSH can translate transparently all traffic from an arbitrary port on your computer to a remote server running SSH. The traffic then can be forwarded by SSH to an arbitrary port on another server. Why would you want to do this? Two reasons: encryption and tunneled connections.
Many applications use protocols where passwords and data are sent as clear text. These protocols include POP3, IMAP, SMTP and NNTP. SSH can encrypt these connections transparently. Say your e-mail program normally connects to the POP3 port (110) on mail.example.net. Also, say you can't SSH directly to mail.example.net, but you have a shell login at shell.example.net. You can instruct SSH to encrypt traffic from port 9110 (chosen arbitrarily) on your local computer and send it to port 110 on mail.example.net, using the SSH server at shell.example.net:
ssh -L 9110:mail.example.net:110 shell.example.net
That is, send local port 9110 to mail.example.net port 110, over an SSH connection to shell.example.net.
Then, simply tell your e-mail program to connect to port 9110 on localhost. From there, data is encrypted, transmitted to shell.example.net over the SSH port, then decrypted and passed to mail.example.net over port 110. As a neat side effect, as far as the POP3 dæmon on mail.example.net knows, it is accepting traffic from shell.example.net.
SSH can act as a bridge through a firewall whether the firewall is protecting your computer, a remote server or both. All you need is an SSH server exposed to the other side of the firewall. For example, many DSL and cable-modem companies forbid sending e-mail from your own machine over port 25 (SMTP).
Our next example is sending mail to your company's SMTP server through your cable-modem connection. In this example, we use a shell account on the SMTP server, which is named mail.example.net. The SSH command is:
ssh -L 9025:mail.example.net:25 mail.example.net
Then, tell your mail transport agent to connect to port 9025 on localhost to send mail. This exercise should look quite similar to the last example; we are tunneling from local port 9025 to mail.example.net port 25 over mail.example.net. As far as the firewall sees, it is passing normal SSH data on the normal SSH port, 22, between you and mail.example.net.
A final example is connecting through an ISP firewall to a mail or news server inside a restricted network. What would this look like? In fact, it would be the same as the first example; mail.example.net can be walled away inside the network, inaccessible to the outside world. All you need is an SSH connection to a server that can see it, such as shell.example.net. Is that neat or what?
If a port is reassigned on a computer (the local port in the examples above), every user of that computer sees the reassigned port. If the local system has multiple users, tunnel only from unused, high-numbered ports to avoid confusion. If you want to forward a privileged local port (lower than 1024), you need to do so as root. Forwarding a lower-numbered port might be useful if a program won't let you change its port, such as standard BSD FTP.
By default, a tunneled local port is accessible only to local users and not by remote connection. However, any user can make the tunneled port available remotely by using the -g option. Again, you can do this to privileged ports only if you are root.
Any user who can log in with SSH can expose any port inside a private network to the outside world using port forwarding. As an administrator, if you allow incoming SSH connections, you're really allowing incoming connections of any kind. You can configure the OpenSSH dæmon to refuse port forwarding with AllowTcpForwarding no, but a determined user can forward anyway.
A config file option is available to forward ports; it is called LocalForward. The first port-forwarding example given above could be written as:
Host forwardpop Hostname shell.example.com LocalForward 9110 mail.example.com:110
______________________
Webcast
How to Build an Optimal Hadoop Cluster to Store and Maintain Unlimited Amounts of Data Using Microservers
Realizing the promise of Apache® Hadoop® requires the effective deployment of compute, memory, storage and networking to achieve optimal results. With its flexibility and multitude of options, it is easy to over or under provision the server infrastructure, resulting in poor performance and high TCO. Join us for an in depth, technical discussion with industry experts from leading Hadoop and server companies who will provide insights into the key considerations for designing and deploying an optimal Hadoop cluster.
Sponsored by AMD
White Paper
Private PaaS for the Agile Enterprise
If you already use virtualized infrastructure, you are well on your way to leveraging the power of the cloud. Virtualization offers the promise of limitless resources, but how do you manage that scalability when your DevOps team doesn’t scale? In today’s hypercompetitive markets, fast results can make a difference between leading the pack vs. obsolescence. Organizations need more benefits from cloud computing than just raw resources. They need agility, flexibility, convenience, ROI, and control.
Stackato private Platform-as-a-Service technology from ActiveState extends your private cloud infrastructure by creating a private PaaS to provide on-demand availability, flexibility, control, and ultimately, faster time-to-market for your enterprise.
Sponsored by ActiveState
- Containers—Not Virtual Machines—Are the Future Cloud
- Non-Linux FOSS: libnotify, OS X Style
- Linux Systems Administrator
- Lock-Free Multi-Producer Multi-Consumer Queue on Ring Buffer
- Validate an E-Mail Address with PHP, the Right Way
- RSS Feeds
- Introduction to MapReduce with Hadoop on Linux
- Senior Perl Developer
- Weechat, Irssi's Little Brother
- Technical Support Rep
- Reply to comment | Linux Journal
3 hours 11 min ago - Reply to comment | Linux Journal
3 hours 56 min ago - Didn't read
4 hours 7 min ago - Reply to comment | Linux Journal
4 hours 12 min ago - Poul-Henning Kamp: welcome to
6 hours 22 min ago - This has already been done
6 hours 23 min ago - Reply to comment | Linux Journal
7 hours 8 min ago - Welcome to 1998
7 hours 57 min ago - notifier shortcomings
8 hours 20 min ago - heroku?
9 hours 57 min ago
Featured Jobs
| Linux Systems Administrator | Houston and Austin, Texas | Host Gator |
| Senior Perl Developer | Austin, Texas | Host Gator |
| Technical Support Rep | Houston and Austin, Texas | Host Gator |
| UX Designer | Austin, Texas | Host Gator |
| Web & UI Developer (JavaScript & j Query) | Austin, Texas | Host Gator |
Free Webinar: Hadoop
How to Build an Optimal Hadoop Cluster to Store and Maintain Unlimited Amounts of Data Using Microservers
Realizing the promise of Apache® Hadoop® requires the effective deployment of compute, memory, storage and networking to achieve optimal results. With its flexibility and multitude of options, it is easy to over or under provision the server infrastructure, resulting in poor performance and high TCO. Join us for an in depth, technical discussion with industry experts from leading Hadoop and server companies who will provide insights into the key considerations for designing and deploying an optimal Hadoop cluster.
Some of key questions to be discussed are:
- What is the “typical” Hadoop cluster and what should be installed on the different machine types?
- Why should you consider the typical workload patterns when making your hardware decisions?
- Are all microservers created equal for Hadoop deployments?
- How do I plan for expansion if I require more compute, memory, storage or networking?
Developer Poll
Comments
SOCKS proxy
This article misses one very useful trick; in addition to port-forwarding and tunneling, the ssh daemon supports SOCKS proxy functions, which means you can use any ssh-enabled hosts as a web proxy. Very useful when you need to test a page from a different country you have a server in, or when you want to access a restricted web administration interfaces by first logging into an inside server.
All you need to activate the SOCKS proxy function is to use the "-D [bind_addr:]port" switch. Ex:
$ ssh -D 8881 some-host.example.com
Then pointing your browser's SOCKS proxy config to localhost:8881 will let you proxy trough some-host.example.com.
Headings
While very useful, this article is in dire need of some styled headings to define each of the 11 tips visually. Some headline tags (h1, h2, etc) or even a little bold text would be very helpful!
Traveling, Insecure Computers
Using your own copy of ssh when using a computer you don't trust doesn't accomplish much. A keylogger that records what you type will record the password you type.
Another idea would be to carry a bootable CD or memory stick with a complete OS that you trust. Knoppix is a good example. This will foil (nearly) any software based keylogger, but you can still be caught by a physical keylogger.
I carry a complete computer that I trust (therefore one not running Windows?) and I type my passwords on it. I also don't recycle passwords from one account on another account.
-kb
when i connect a system
when i connect a system using ssh it will display message are you sure you want to continue connecting?but i want to go without this message display
UNwelcome banner
You will need root access to the ssh server, open /etc/sshd_config with your favourite editor and comment out the line containing "Banner /etc/issue.net"
Done
Need help
Hi
I am facing some problem with cywin.
I installed cygwin and the installation was successful
I developed a .Net program exe and put it under /cygwin/home/username folder
Now while I am making a ssh call from cygwin command line to that exe application , I get the response as required.
But the same call from the web console is not getting any response.
Its seems like the web console is not making a call the that application.
I got stuck now at this position. Do I need to do some configuration on Cywin to make it accept web request.
Or do i need anything else.
Any help will be highly appreciated.
Good reference article
SSH is one of those things I use intensively for a little bit and then go months without thinking about - which means I forget everything between uses. This article is a good reference/checkpoint. Thanks!
One more tip:
GSSAPIAuthentication takes time during initial connection. Set it to "no" in the sshd_config and connections will speed up some.
Dave T.
Dave Turvene
Article
Thank you. I found your article very useful. Practical tips I can use right away.
Great article
Daniel, i have had to deal with clients who have their mail port blocked and this is a great work around. Thank you very much for a very well written and informative article.
Great article/tuto
thanks, this is great article base to start with.
Re: Eleven SSH Tricks
> Hello.
>
>
> In the article "Eleven SSH Tricks" for Linux Journal, you mention:
>
> >You can configure the OpenSSH daemon to refuse port forwarding with
> >AllowTcpForwarding no, but a determined user can forward anyway.
>
> How can this be done?
from 'man sshd_config' (on debian linux):
AllowTcpForwarding
Specifies whether TCP forwarding is permitted. The default is
``yes''. Note that disabling TCP forwarding does not improve
security unless users are also denied shell access, as they can
always install their own forwarders.
If you trust a user enough to give them ssh access, they
may have the means to forward (at least high-numbered) ports elsewhere.
The converse, allowing ssh but denying shell access, is an issue for
anonymous ssh connections, as with AnonCVS- in this case, turning off
AloowTcpForwarding is a very good idea:
http://seclists.org/lists/bugtraq/2004/Sep/0019.html
-Daniel Allen
I keep seeing vague
I keep seeing vague references to AllowTcpForwarding being an incomplete solution, but no specific examples of what that means. What does "they can always install their own forwarders" mean? Is it a SSH specific risk or a risk inherent to any shell access (like telnet)? i.e. is there still some way to tunnel traffic through the SSH connection or do they just mean that the user can fire up other processes on the server to do there funny business?
If it's just a risk inherent to giving shell access, then IMHO it's pretty irresponsible to suggest in the man page that "disabling TCP forwarding does not improve security". Does it prevent any and all connectivity to hosts other than the SSH server...of course not. That's a far cry from "does not improve security".
Shell access implies can tunnel
http://www.nyangau.fsnet.co.uk/tunnel/tunnel.htm
http://www.nyangau.fsnet.co.uk/tunnel/tunnel.zip
show how how to tunnel through
ssh (even if AllowTcpForwarding no)
telnet (even though it has no forwarding feature)
{{{ Andy
Re: Eleven SSH Tricks
In the section Running Remote Shell Commands, perl seems a little overkill for running those consecutive ssh commands. You can replace the little perl code by straight bash:
for i in `seq 1 12`; do ssh server$i "w"; done
Even better...
Why use backticks? This is also equivalent:
for i in {1..12} ; do ssh server$i "w" ; done
(or, in zsh)
for i in {1..12} ; ssh server$i "w"
Aren't you forgetting something?
SSH sends STDIN to the remote machine when it is run. Which will restult in you SSHing to server$1 and sending {2..12} to the STDIN on the remote connection clearing the STDIN on the local machine.
The fix is simple though:
for i in {1..12}; do ssh -n server$i "w"; done
or
for i in {1..12}; do ssh server$i "w" < /dev/null; done
Solution given works, fine your solution is unnecessary.
There's nothing being sent to stdin on the remote machine. {2..12} is expanded by the shell to the numbers 1 through 12 as part of a command. It doesn't become stdin. Your solution is unnecessary.
Correction re: Tunnelled Connections
I believe I made a mistake in the "Tunnelled Connections" example- In the fourth paragraph, "tell your mail transport agent" should read "tell your mail user agent". In other words, change the settings in your email program.
The other situation, where you're running your own sendmail/postfix/exim and want to send out mail to the world, punching though an ISP firewall, is only possible if you have access to a mail relay running a ssh server to relay all your outgoing email, which is nearly the same as the above situation with a remote SMTP server.
Since there needs to be a server receiving the SSH connection at the other end, you'd otherwise need to figure out how to set up your mail server to establish a SSH connection to every server you emailed to, which isn't possible with regular SMTP.
Perhaps ultimately we should be happy for that, since if a way to transparently send SMTP over SSH were available, most ISPs would then be compelled to block all ports to prevent SSH connections, instead of only blocking SMTP ports to block spammers, and we'd all have yet another reason to hate spammers...
-Daniel Allen
Good Postfix tunnel instructions
How to make Postfix use a tunnel
Re: Eleven SSH Tricks
One trick I use a lot: set up aliases based on your known_hosts file so you get proper hostname completion. Try sticking this in ~/.bashrc:
if [ -f ~/.ssh/known_hosts ] ; then
while read host junk
do
host=${host%%,*}
alias "${host}=ssh ${host}"
done
fi
-Dom
Re: Eleven SSH Tricks
Use the bash-completion package, it already does this.
Re: Eleven SSH Tricks
I just wanted to say thanks for a great article which taught me several really useful new things.
ZB