Since this tip is popular I'll share another related tip.
When using nested ssh session, you can send escape commands to any of them by the number of tildes. For example, if you ssh into Server A and then from Server A to Server B:
~~. # drop session from Server A to Server B
~. # drop original session into Server A
There's a really fancy new -R feature that I love (added in 2017 I think).
ssh <target> -R <just a port number>
This opens up a localhost port on the target that acts as a socks server which tunnels all your traffic through the source machine.
This is great for machines that you can SSH into, but are otherwise completely isolated from the network, or are monitored heavily. You can jump on, and pull down everything you need from the existing SSH connection, rather than using the machine to make requests out to the internet directly.
This is also good if the source machine is a web server or something on a secured network which can SSH out, but not much else, and the destination is your command and control server on the internet. Then it opens up a socks port on the C&C machine that gives full access to the internal network, impersonating the source machine.
Every other -R is a point to point TCP connection, but setting up a SOCKS proxy with -R is magic. More analogous to a reverse -D than a reverse -L. Super useful.
Thanks! I pinned your page on my evernote.. I always get confuse everytime I need to make a ssh port forward. After a while I get it but I spend time (and some bad words :P)
One common use is to secure vnc, which has no crypto built into it.
On the remote host, have the vnc server listen only on localhost:5901
This assumes everyone who can ssh to the server should be allowed access.
On your workstation, form an ssh tunnel to that remote host and its port, and link it your own localhost:5901
Open your vnc client GUI and set it to open 127.0.0.1:5901, voila, vnc session.
More fun things: say for example you have a big remote xen dom0 with a lot of unique qemu HVM VMs running on it. Configure each of their .cfg files for xen to spawn a vnc server on localhost only and a unique port number per domU (5902,5903,5904,etc). Then use the same method to connect.
Note that it still exposes the connection to all local processes, on both hosts (except network-restricted services or with non-typical host-local firewall rules), though it should be fine, if you're using semi-reasonable passwords.
SSH supports unix domain socket forwarding and even cross unix/ip forwarding with a syntax like:
Then you can have user-authenticated host and transit secure password-less VNC connections.
Unfortunately I haven't been able to convince tigervnc viewer to connect to a unix domain socket, so I don't have a fully scripted connection, but remmina and tigervnc server work fine.
Also, forwardings / connections fail if the socket already exists when the listening side starts up (often an unclosed leftover), so I rm them before starting the ssh connection / vnc server and it works reliably.
then I open the directory /System/Library/CoreServices in the Finder and drag Screen Sharing.app to the dock.
to remote into machine mac-b, in a terminal window:
ssh mac-b
The first time, click on "screen sharing" in the dock, and in the connect dialog enter localhost:5904
After that, you can right-click on screen-sharing in the dock - even when it's not running - and you will see a context menu item for "mac-b 5904.vncloc"
By the way, mac to mac screen sharing is very well done (will they axe it next?)
- it is very fast
- the keyboard stuff just works
- you can copy/paste even rich text between the local and remote macs
- you can drag and drop files from the remote desktop to the local one
SSH tunnels are my favorite tool for NAT-busting. I always have to look up the cryptic syntax, but with one strategically placed Raspberry Pi, you can basically get from anywhere to anywhere.
And it works just as well on a locked down corporate network as it does on a home network. Why people put up with garbage VPN software is beyond me.
One can further tunnel SSH inside of TLS with Stunnel [0] to get through firewalls that block SSH but permit arbitrary TLS connections. Loading a website through this requires three layers of TCP but assuming the connection is good this should be okay.
A couple reasons for a regular VPN: they can be made automatic and persistent so the tunnel is always ready for use, they can tunnel other protocols besides TCP, they can tunnel entire networks, and using UDP as the tunnel protocol helps avoid the TCP-in-TCP congestion issues.
Why don't people use unix domain sockets for local connections? They are pretty much the same thing as local IP connections, except access rights apply as on files, so you're not exposing connections to pretty much all processes.
Domain sockets can be forwarded via ssh with the same -L and -R arguments, including cross unix/ip forwardings.
It's a relatively recent feature in openssh (in the past decade for upstream; not sure when it first landed in an Ubuntu LTS, which for practical purposes is the earliest one might start using it regularly)
For those interested in the topic of tunneling, I highly recommend The Cyber Plumber’s Handbook [1] to gain an even deeper understanding and examples beyond SSH.
Reaching target hosts multiple jump-hosts away, and going the wrong way through multiple firewalls segregating those lans, is another use-case of tunnels I've found handy.
Target_host can be reached by doing tunnel-in-tunnel-in-tunnel-in-tunnel. Each tunnel gets you past one firewall. The final tunnel you can just ssh to fw3 via a local tunnel and a local port on your_remote_client now takes you straight to target_host.
Absolutely brilliant! I've had to explain local/reverse/dynamic port forwarding to people enough times that I've written a text file I can just send them, but I can finally replace that with a link to this page.
Really nice and clear. One addition: the final example uses ProxyCommand, I find ProxyJump much more useful: you can specify multiple hops clearly and even specify different private keys for each hop.
ProxyCommand is useful for proxying with a non-SSH protocol. For example when combined with proxytunnel or similar you can run your SSH connections over an HTTPS proxy, which appears as regular web traffic to the network operator.
ProxyJump indeed seems more useful, but has less support (it's a "newer" SSH feature). Do you know if it needs to be supported by the openssh libs of intermediate hosts, or just the initiating client?
Great resource. Most tutorials on SSH tunnels are strangely incomplete. This one seems to cover all the important points, and does so in an approachable way.
Every once in a while I wonder how the SOCKS5 stuff works at the protocol level, I would like to be able to SSH out without running a proxy process locally, just talk to the ssh deamon on the relay server directly. The OpenSSH code is a bit dense but it looks like it creates dynamic tunnels that are torn down when the connection closes. Anyone confirm that is what happens behind the scenes?
Great, I can refer people (and myself) to this page !
A lot of tunneling tutorial, medium articles and blog post mixes local and remote port forwarding and use the words interchangeably which cause a lot of confusion.
[+] [-] fooblat|5 years ago|reply
One thing to add is that you can even open tunnels during an interactive session without disconnection.
To do this, type the escape command sequence ~C (will not show) and it will drop you to the control prompt. You can then add tunnels.
[+] [-] macintux|5 years ago|reply
[+] [-] fooblat|5 years ago|reply
When using nested ssh session, you can send escape commands to any of them by the number of tildes. For example, if you ssh into Server A and then from Server A to Server B:
[+] [-] nerdponx|5 years ago|reply
[+] [-] xvf22|5 years ago|reply
[+] [-] px43|5 years ago|reply
ssh <target> -R <just a port number>
This opens up a localhost port on the target that acts as a socks server which tunnels all your traffic through the source machine.
This is great for machines that you can SSH into, but are otherwise completely isolated from the network, or are monitored heavily. You can jump on, and pull down everything you need from the existing SSH connection, rather than using the machine to make requests out to the internet directly.
This is also good if the source machine is a web server or something on a secured network which can SSH out, but not much else, and the destination is your command and control server on the internet. Then it opens up a socks port on the C&C machine that gives full access to the internal network, impersonating the source machine.
Every other -R is a point to point TCP connection, but setting up a SOCKS proxy with -R is magic. More analogous to a reverse -D than a reverse -L. Super useful.
[+] [-] LukeShu|5 years ago|reply
Indeed: committed in September 2017, released in v7.6 in October 2017.
[+] [-] metahost|5 years ago|reply
[1] : https://unix.stackexchange.com/a/118650/289353
[+] [-] mottosso|5 years ago|reply
[+] [-] qwertox|5 years ago|reply
[+] [-] larodi|5 years ago|reply
[+] [-] dloss|5 years ago|reply
[+] [-] giuseppeciuni|5 years ago|reply
[+] [-] tatref|5 years ago|reply
[+] [-] walrus01|5 years ago|reply
On the remote host, have the vnc server listen only on localhost:5901
This assumes everyone who can ssh to the server should be allowed access.
On your workstation, form an ssh tunnel to that remote host and its port, and link it your own localhost:5901
Open your vnc client GUI and set it to open 127.0.0.1:5901, voila, vnc session.
More fun things: say for example you have a big remote xen dom0 with a lot of unique qemu HVM VMs running on it. Configure each of their .cfg files for xen to spawn a vnc server on localhost only and a unique port number per domU (5902,5903,5904,etc). Then use the same method to connect.
[+] [-] labawi|5 years ago|reply
SSH supports unix domain socket forwarding and even cross unix/ip forwarding with a syntax like:
Then you can have user-authenticated host and transit secure password-less VNC connections.Unfortunately I haven't been able to convince tigervnc viewer to connect to a unix domain socket, so I don't have a fully scripted connection, but remmina and tigervnc server work fine.
Also, forwardings / connections fail if the socket already exists when the listening side starts up (often an unclosed leftover), so I rm them before starting the ssh connection / vnc server and it works reliably.
[+] [-] m463|5 years ago|reply
to remote into machine mac-b, in a terminal window:
The first time, click on "screen sharing" in the dock, and in the connect dialog enter localhost:5904After that, you can right-click on screen-sharing in the dock - even when it's not running - and you will see a context menu item for "mac-b 5904.vncloc"
By the way, mac to mac screen sharing is very well done (will they axe it next?)
- it is very fast
- the keyboard stuff just works
- you can copy/paste even rich text between the local and remote macs
- you can drag and drop files from the remote desktop to the local one
[+] [-] chrisandchris|5 years ago|reply
[+] [-] kburman|5 years ago|reply
[+] [-] ohazi|5 years ago|reply
And it works just as well on a locked down corporate network as it does on a home network. Why people put up with garbage VPN software is beyond me.
[+] [-] accrual|5 years ago|reply
A couple reasons for a regular VPN: they can be made automatic and persistent so the tunnel is always ready for use, they can tunnel other protocols besides TCP, they can tunnel entire networks, and using UDP as the tunnel protocol helps avoid the TCP-in-TCP congestion issues.
[0] https://en.wikipedia.org/wiki/Stunnel
[+] [-] lxgr|5 years ago|reply
For example, SSH port forwarding is TCP only, so if you need UDP, you‘ll need a VPN.
[+] [-] labawi|5 years ago|reply
Domain sockets can be forwarded via ssh with the same -L and -R arguments, including cross unix/ip forwardings.
[+] [-] aidenn0|5 years ago|reply
[+] [-] chaosfox|5 years ago|reply
[+] [-] magicconch|5 years ago|reply
[1] https://cph.opsdisk.com/
[+] [-] opsdisk|5 years ago|reply
https://gum.co/cph_book_and_lab/hackernews20210207
[+] [-] framecowbird|5 years ago|reply
[+] [-] 656565656565|5 years ago|reply
[+] [-] catoc|5 years ago|reply
[+] [-] dexterdog|5 years ago|reply
[+] [-] mfgs|5 years ago|reply
[+] [-] beermonster|5 years ago|reply
Reaching target hosts multiple jump-hosts away, and going the wrong way through multiple firewalls segregating those lans, is another use-case of tunnels I've found handy.
i.e.
your_remote_client_host->internet->fw1->lan1->fw2->lan2->fw3->target_host
Target_host can be reached by doing tunnel-in-tunnel-in-tunnel-in-tunnel. Each tunnel gets you past one firewall. The final tunnel you can just ssh to fw3 via a local tunnel and a local port on your_remote_client now takes you straight to target_host.
[+] [-] stdclass|5 years ago|reply
I once also wrote a guide to access remote IoT devices using SSH tunnels: https://phillip.dornauer.cc/unix/iot/2019/04/12/set-up-ssh-t...
[+] [-] franga2000|5 years ago|reply
[+] [-] IgorBog61650384|5 years ago|reply
[+] [-] shawnz|5 years ago|reply
[+] [-] hmsimha|5 years ago|reply
[+] [-] manuel_w|5 years ago|reply
I also found the following very nice: (Same info but presented in a different way.)
https://unix.stackexchange.com/questions/115897/whats-ssh-po...
[+] [-] brunobronosky|5 years ago|reply
[+] [-] MaxBarraclough|5 years ago|reply
[+] [-] zxcvbn4038|5 years ago|reply
[+] [-] johnchristopher|5 years ago|reply
A lot of tunneling tutorial, medium articles and blog post mixes local and remote port forwarding and use the words interchangeably which cause a lot of confusion.
[+] [-] unilynx|5 years ago|reply