TCLUG Archive

Re: [TCLUG:15003] SSH port forwarding



Ugh!  That's not really the best method.  SSH will automagically establish
X-forwarding through the tunnel (if you've got xauth installed, it'll do
the magic cookie thing as well).  This is usually done by default, and for
most people, behind the scenes.  Older rshell folks will export the
display in a manner similar to what's shown here (hopefully out of habit).

For arbitrary ports, you'll want to forward locally.  For example I've
got a shell account on an IMAP server and want to read my mail over the
encrypted channel:
shaft$ ssh -L 10143:ip.of.my.mail.server:143 <myid>@ip.of.my.mail.server

Next, I configure my IMAP mail client to connect to localhost:10143 for
mail.  My IMAP traffic, userid and password traverse the Internet
encrypted (mail is usually a bad example as it's public domain anyway --
it's the userid and password we want to protect).  The same can be done
for virtually any well-behaved TCP service.  Ftp's a bit tricky because
you'll need to also tunnel the data connection, not to mention have a
shell account on the ftp server at which point, scp is a much better
option.

Take a hypothetical:
Joe DSL surfs web sites that his employer doesn't want him surfing
(www.employmentplanet.com, etc).  He can set up a proxy server on his DSL
line at home, tunnel the traffic over the SSH connection to the proxy
server and do completely encrypted web surfing (of course, all efforts are
in vain unless he also tunnels or caches the DNS information).

ssh -L 8080:joe.dsl.com:8080 joe@joe.dsl.com

Then Joe needs to configure his web client to use localhost:8080 as the
proxy server.  Joe's employer is angry because all they can capture in
their employee snooping nets is the encrypted SSH traffic.  Bummer.  Next
step is to block outbound SSH to joe's DSL line.

This is just an example (a rather long-winded one at that).

Peter Lukas

On Tue, 21 Mar 2000, Bob Tanner wrote:

> Quoting Timothy Wilson (wilson@visi.com):
> > Hey everyone,
> > 
> > Although I'm not from Missouri, I'd appreciate it if someone would show me a
> > simple example of using SSH to forward ports. Let's say I want to use ftp to
> > get some files from my account at ftp.foo.com, but I don't want to send a
> > clear-text password over the wire. How would this be accomplished? Thanks.
> 
> X forwarding
> 
> remote% ssh -C -R 6020:localhost:6000 mymachine.company.com
> mymachine% xterm -display localhost:20
> -- 
> Bob Tanner <tanner@real-time.com>       | Phone : (612)943-8700
> http://www.real-time.com                | Fax   : (612)943-8500
> Key fingerprint =  6C E9 51 4F D5 3E 4C 66 62 A9 10 E5 35 85 39 D9 
>
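
The local-forwarding case from the message above, as an added example that is not part of the original post: shell functions that validate and print an `ssh -L` command with the listener pinned to loopback. The function names, `myid` and `mail.example.org` are placeholders assumed for illustration.

```shell
#!/bin/sh
# Added example: build a loopback-only "ssh -L" command for the IMAP case.
# Host and user names below are placeholders, not values from the post.

# valid_port PORT -> status 0 if PORT is an integer in 1..65535
valid_port() {
    case "$1" in
        ''|*[!0-9]*|??????*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# forward_spec LOCAL_PORT TARGET_HOST TARGET_PORT
# Prints the -L argument with an explicit 127.0.0.1 bind address, so the
# listener is not reachable from other machines on the client's network.
forward_spec() {
    valid_port "$1" || { echo "bad local port: $1" >&2; return 1; }
    valid_port "$3" || { echo "bad target port: $3" >&2; return 1; }
    case "$2" in
        ''|*[!A-Za-z0-9.-]*) echo "bad target host: $2" >&2; return 1 ;;
    esac
    # Ports below 1024 need root on the client; refuse instead of using sudo.
    [ "$1" -ge 1024 ] || { echo "use an unprivileged local port" >&2; return 1; }
    printf '127.0.0.1:%s:%s:%s\n' "$1" "$2" "$3"
}

# tunnel_cmd LOCAL_PORT TARGET_HOST TARGET_PORT USER@SSH_HOST
# Prints the full command instead of running it, so it can be reviewed first.
tunnel_cmd() {
    spec=$(forward_spec "$1" "$2" "$3") || return 1
    # -N: no remote command, forwarding only
    # ExitOnForwardFailure=yes: exit if the local listener cannot be set up
    printf 'ssh -N -o ExitOnForwardFailure=yes -L %s %s\n' "$spec" "$4"
}

# The IMAP case. TARGET_HOST is resolved on the SSH server, so 127.0.0.1
# here means the mail server itself and the last hop stays on its loopback.
tunnel_cmd 10143 127.0.0.1 143 myid@mail.example.org
```

The mail client then connects to localhost:10143 as described in the message; only the leg between the SSH server and the target host and port travels outside the encrypted channel.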