User Tools

Site Tools


Sidebar

Navigation

public:tools:ssh

SSH

Page Disambiguation

This page gives a short introduction to the capabilities of ssh, with examples using OpenSSH and PuTTY.

Tunneling

In computer networks tunneling is when one network protocol encapsulates a different a different payload protocol. Using tunneling allows one to carry a payload over an incompatible delivery-network, or provide a secure path through untrusted network. SSH allows the second one.

The most important SSH functions are:

Local port forwards

  • Allows a port on the local machine to be redirected to a remote reachable one

The Examples show how to forward a Intranet webserver port (80) to your local machine on port 8080.

Remember

It is important to remember that the hostnames in the forward definition
  • the "-L" in OpenSSH
  • the Connection/SSH/Tunnels section in PuTTY

are resolved on the remote machine. So the "localhost" used in the examples is actually the <remotehost>.



Example1:
The webserver is on the remote machine that is accessible via ssh
Local port forward - Example 1


Example2:
The webserver is on a machine which is reachable from the machine that is access via ssh
Local port forward - Example 2

OpenSSH

Example1: This is the application of the example 1 preceding this section.

ssh -L 8080:localhost:80 <remotemachine.remotedomain>

In this case when you access localhost:8080, you are kind of "redirected" to port 80 on the remote machine.

Example2: This is the application of the example 2 preceding this section.

ssh -L 8080:<otherremotemachine.remotedomain>:80 <remotemachine.remotedomain>

In this you access you want to connect to <otherremotemachine>:80. The effect is that when you type localhost:8080 on your machine then the request is forwarded to <remotemachine>:22 which forwards it to <otherremotemachine>:80. So localhost:8080 is directly attached to <otherremotemachine>:80.

public_html example

If you want to use a file upload (FileZilla / Dreamweaver) to your public_html from outside the hslu t&a network, you have to use Port forwarding.
If your using Linux or Mac OSX you can forward your ports as following:

  • Open a Terminal (Hit Command+Space, enter "Terminal" in Spotlight and hit enter)
  • Copy&Paste the following line: (change USERNAME to your Enterprise Lab Login Name)
ssh -L 10022:testbed01.el.eee.intern:22 USERNAME@gw-ext.enterpriselab.ch

If you use Putty:

  • Session :
    • Host Name: gw-ext.enterpriselab.ch
    • Port: 22
  • ConnectionSSHTunnels
    • Source Port: 10022
    • Destination: testbed01.el.eee.intern:22

For both do:

  • Open Dreamweaver/FileZilla and adapt the following Settings: (Change the Username [Anmeldung])

dw_tunnel

Please refer here for external access

This had the effect that localhost:10022 is a tunnel to testbed01.el.eee.intern:22 via gw-ext.enterpriselab.ch:22

PuTTY

Example1:

This is the application of the example 1 preceding this section.

ssh -L 8080:localhost:80 <remotemachine.remotedomain>

In this case when you access localhost:8080, you are kind of "redirected" to port 80 on the remotemachine.remotedomain.

The putty equivalent is then

  • Session :
    • Host Name: <remotemachine.remotedomain>
    • Port: 22
  • ConnectionSSHTunnels
    • Source Port: 8080
    • Destination: localhost:80


Example2:

This is the application of the example 2 preceding this section.

ssh -L 8080:<otherremotemachine.remotedomain>:80 <remotemachine.remotedomain>

In this you access you want to connect to <otherremotemachine>:80. The effect is that when you type localhost:8080 on your machine then the request is forwarded to <otherremotemachine>:80 via a tunnel to <remotemachine.remotedomain>. So localhost:8080 is directly attached to <otherremotemachine>:80.

The putty equivalent is then

  • Session :
    • Host Name: <remotemachine.remotedomain>
    • Port: 22
  • ConnectionSSHTunnels
    • Source Port: 8080
    • Destination: <otherremotemachine.remotedomain>:80

Reverse port forwards

  • Allows a port on a remote machine to be redirected to a locally reachable one

The example shows how to allow a remote machine access to a local webserver

Remember

It is important to remember that the hostnames in the forward definition
  • the "-R" in OpenSSH
  • the Connection/SSH/Tunnels section in PuTTY

are resolved on the local machine. So the "localhost" used in the examples is actually the <localmachine>, in contrast to the prior local forward example.

OpenSSH

Example1:

Assume the following scenario. We have an office computer (machine.office.com) behind its office firewall and your home computer (home.dyndns.org). You wish to setup a SSH connection from your home computer to your office computer. Since the office firewall doesn't allow you to go directly from your home computer to the office, you must initiate connection from the office computer.

 machine.office.com:~$ ssh -R 2210:localhost:22 home.dyndns.org

This opened a listening port (2210) on your home computer. The traffic from port 2210 is then redirected through home.dyndns.org to the port used by machine.office.com to initiate the connection. Since your office machine initiate a ssh session with your home machine on port 22, everything from 2210 goes back to your office computer.

You can now start a SSH session on your home computer:

 home.dyndns.org:~$ ssh -p 2210 localhost


Example2:

Your home computer may not run all the time, so you would like to use a virtual private server which is always online (call it vps.domain) to use it as intermediate. What we want to do is a reverse ssh connection from the office computer to the VPS and on the other side (at home) forward a local port to VPS which is automatically connect the port on VPS which reverse sshed to the office computer.

To enable the reverse ssh on the office, vps must listen on the network interface connected to the Internet, otherwise it will listen on 127.0.0.1, so we have to enable GatewayPorts in the ssh conf.

By default it is disabled, we can enable them:

 vps.domain:~$ vi /etc/ssh/sshd_config

then add, uncomment or modify

 GatewayPorts clientspecified

save the file and restart sshd.

we could have just enable GatewayPorts by typing On instead of clientspecified, that would route any ssh tunnel to network interface. This way we can control which interface is reachable. So run now

 machine.office.com:~$ ssh -R <inet_addr_vps>:2210:localhost:22 vps.domain

What happened? We have a port (2210) opened on the internet network interface of vps.com. When traffic comes to this port, it's encapsulated by ssh sent from vps.com:22 to machine.office.com:init_port then unpacked and sent to localhost:22 (machine.office.com's 127.0.0.1). This is only possible because your office machine initiated the connection, otherwise the firewall would have blocked it. Now, we can access to the office computer from home.dyndns.org using

 home.dyndns.org:~$ ssh -p 2210 vps.com

This scenario is bad, because a attack vector exists so for machine.office.com, since vps.com:2210 is tunnel to the office machine.

We can avoid this with

Example 3:

We have three machines:

  • machine.office.com: Your computer at office
  • myvps.hoster.com: Your Virtual Private Server, you use it as connection intermediate
  • home.dyndns.org: Your computer at home.

We will establish:

  • Reverse tunnel machine.office.commyvps.hoster.com : myvps listening on localhost:2210
  • A tunnel : home.dyndns.org:init_portmyvps.hoster.com:22 : home listening on localhost:2211
  • A SSH session home.dyndns.org(localhost:2211)machine.office.com(localhost:22←machine:init_port) using the previously established tunnels.

Reverse tunnel from machine.office.com to myvps.hoster.com:

 machine.office.com:~$ ssh -R 2210:localhost:22 myvps.hoster.com

Tunnel from home.dyndns.org to myvps.hoster.com

 home.dyndns.org:~$ ssh -L 2211:localhost:2210 myvps.hoster.com

Start the session from home to office

 home.dyndns.org:~$ ssh -p 2211 localhost

PuTTY

Assume the following scenario. We have an office computer (machine.office.com) behind its office firewall and your home computer (home.dyndns.org). You wish to setup a SSH connection from your home computer to your office computer. Since the office firewall doesn't allow you to go directly from your home computer to the office, you must initiate connection from the office computer.

On machine.office.com in putty

  • Session :
    • Host Name: home.dyndns.org
    • Port: 22
  • ConnectionSSHTunnels
    • Source Port: 2210
    • Destination: localhost:22
    • RadioBoxes: select Remote

This opened a listening port (2210) on your home computer. The traffic from port 2210 is then redirected through home.dyndns.org to the port used by machine.office.com to initiate the connection. Since your office machine initiate a ssh session with your home machine on port 22, everything from 2210 goes back to your office computer.

You can now start a SSH session on your home computer:

On home.dyndns.org in putty

  • Session :
    • Host Name: localhost
    • Port: 2210

Dynamic port forwards

  • also know as "SOCKS tunnel", "dynamic application-level port forward" or simply SOCKS Proxy support (which is kind of misleading, see below)

OpenSSH

Creating a SOCKS Proxy (or better dynamic application-level port forwarding) using OpenSSH is pretty straight forward, simply issue a

ssh -D 1080 <remotemachine.remotedomain>

this creates a SOCKS proxy tunnel starting on localhost:1080 and exiting on remotemachine, any application capable of using a SOCKS proxy can now use this connection/tunnel by specifying localhost:1080 as Proxyhost.

PuTTY

If you run putty from command line, you can use

 $ putty.exe -D 1080 <remotemachine.remotedomain>

In

  • Session
    • Hostname the proxy host, let port 22
    • Connection Type choose SSH
    • Saved Session enter a name and save it, so you won't have to renew this configuration each time
  • Connection
    • Seconds between keepalives enter 5
  • ConnectionSSHTunnels
    • Source Port enter 1080
    • Destination leave it blank
    • Make sure you selected Dynamic, then click add.

Go back to Session and click save. When clicking open, your SOCKS proxy starts.

Using SOCKS Proxy

Using a SOCKS proxy is something completely different from creating a SOCKS tunnel. Hence pay attention when using the phrasing "SOCKS proxy support", and show what exactly is meant.

OpenSSH

Using a SOCKS Proxy (or any Proxy for that matter) with OpenSSH is a bit more complicated as it needs an external module for it to work.

Since the Enterprise Lab (.el.eee.intern) uses a private ip address range, you need to use an incoming socks proxy. Tunnel your connection trough our socks5 proxy using the connect module for ssh. The connect module is available from:

Compile using gcc, and put into /usr/local/bin or $HOME/bin or any other place you prefer. Have a look here

$ mv connect $HOME/bin/

Now with the connect module compiled you can tunnel ssh traffic through a SOCKS proxy

$ ssh -o ProxyCommand="/usr/local/bin/connect -S <socks.proxy> %h %p" <remotemachine.remotedomain>

PuTTY

To connect to your resource from outside the HSLU network, you have to get through a SOCKS5 Proxy, Putty has integrated support for these kind of proxy. So we'll see how to configure putty for external access.

Go to SessionHost name enter here the adress of your resource.

Go to ConnectionProxy

  • Proxy type Select SOCKS5
  • Proxy Hostname Enter gw-ext.enterpriselab.ch
  • Port Enter port number 1080

You can now go back to Session and save your connection details as you did for the internal connection.

Use Cases

Here some standard scenarios how we use ssh in the EL on a regular basis:

Remember

In all examples you might have to specify a username if it is not the same on all systems.

see also:

z10 Mainframe & HMC

All z10 and HMC use cases have been moved to a separate document to improve readability.

Access from HSLU to EL Intra

A simple ssh connection from the schools network to the EnterpriseLab

OpenSSH

To access directly testbed from HSLU network:

 $ ssh USERNAME@testbed01.el.eee.intern

Where USERNAME is your Enterpriselab username.

PuTTY

Simple connection with PuTTY

Access from Internet to EL Intra

Our external firewalls don't allow any direct ssh access to any host in the EnterpriseLab, so we use a SOCKS Proxy as Gateway:

OpenSSH

ssh -o ProxyCommand="/usr/local/bin/connect -S gw-ext.enterpriselab.ch %h %p" testbed01.el.eee.intern

where the path is the path to the connect module you previously compiled/downloaded

PuTTY

You don't need a connect-module, since putty has SOCKS5 support.

setting Proxy connect testbed01

  • ConnectionProxy
    • Proxy type select SOCKS 5
    • Proxy hostname type gw-ext.enterpriselab.ch and port 1080
    • Telnet command, or local proxy command type connect %host %port\n
  • Session
    • Host name type the hostname
    • Port 22

Access from Internet to EL DMZ

The DMZ adds an other level, as it is only reachable by ssh from EL Intra. So we need to create a first connection to the EL Intra which then acts as a tunnel for the second connection.

Here you have to use the socks proxy connect module described here.

OpenSSH

Task: You'd like to make an ssh connection from your Notebook to a host in the DMZ (s0003.dmz002.enterpriselab.ch) which is not accessible directly. Either you connect to the hop (testbed01) and from there you connect to the DMZ host, or you create a tunnel to the hop (testbed01) and then you use this tunnel for tunneling your second connection.

First connection (the tunnel)

ssh -o ProxyCommand="/usr/local/bin/connect -S gw-ext.enterpriselab.ch %h %p" -D 1080 testbed01.el.eee.intern

-D 1080 opens a new socks proxy on your local host. It will be used for the second connection (see below).

Second connection (use the tunnel)

ssh -o ProxyCommand="/usr/local/bin/connect -S localhost %h %p" s0003.dmz002.enterpriselab.ch

"localhost" will use the socks proxy on port 1080 defined in the first connection.

PuTTY

First set up a tunnel to a testbed server

In

  • Session
    • Hostname testbed01.el.eee.intern, let port 22
    • Connection Type choose SSH
    • Saved Session enter a name and save it, so you won't have to renew this configuration each time
  • Connection
    • Seconds between keepalives enter 5
  • ConnectionProxy
    • Proxy type choose SOCKS5
    • Hostname gw-ext.enterpriselab.ch, Port 1080
  • ConnectionSSHTunnels
    • Source Port enter 1080
    • Destination leave it blank
    • Make sure you selected Dynamic, then click add.

Go back to Session and click save. When clicking open, your SOCKS proxy starts.

Then use the previously established tunnel to connect the host in DMZ. We will set up a second configuration:

  • Session
    • Hostname s0001.dmz001.enterpriselab.ch, let port 22
    • Connection Type choose SSH
    • Saved Session enter a name and save it, so you won't have to renew this configuration each time
  • ConnectionProxy
    • Proxy type choose SOCKS5
    • Hostanme localhost and Port 1080

Go back to Session and click save. When clicking open, you'll connect the DMZ host.

You will be prompted each time for username and password

Tunnel MySQL

MySQL by default runs on port 3306. To redirect this port we use a local port forward.

OpenSSH

To access a MySQL Server located in the EL intranet from the Internet use the following command:

# ssh -o ProxyCommand="/usr/local/bin/connect -S gw-ext.enterpriselab.ch %h %p" -L 3306:localhost:3306 s0002.intra015.el.eee.intern

PuTTY

Enter Host you want to connect to
MySQL Tunnel 1

got to the Proxy section an enter our proxy details

  • Proxy type: SOCKS 5
  • Proxy hostname: gw-ext.enterpriselab.ch
  • Port: 1080


MySQL Tunnel 2

In the Tunnel Section we define the actual redirect from our port 3306 to the remote systems 3306
MySQL Tunnel 3

Don’t forget to press "Add" before you leave the window else the port forward is not going to be configured
MySQL Tunnel 4

now save the session for later use or simply start it with "Open"
MySQL Tunnel 5

Open port while running session

You have a SSH connection running and you would like open a port forward.

SSH has a command line you can open from inside a session by typing the ESCAPE_CHARACTER + C.

So start a SSH session then, when you are on the remote computer, type ~ (you may have to press space) and then C, a SSH shell should open. You can now type commands in this shell, like:

 user@local.domaine:~$ ssh user@testbed01
 user@testbed01:~$ 
 ssh> -L 10022:localhost:22
 Forwarding port.

You have now your local port 10022 forwarded to your remote machine port 22.

On your local machine you can now establish a connection to testbed with

 ssh -p 10022 localhost -l USERNAME

Advanced Settings

Avoid Session Timeout

To avoid SSH Session Timeouts, just keep talking to the server: Add these two lines to /etc/ssh/ssh_config

ServerAliveInterval 30
ServerAliveCountMax 4

First Line will check all 30 secs if server is alive and keep the Session open. The Second Line defines the max Alive request to fail before closing the session.

Avoid Ubuntu Login Delays

If you experiencing extreme delays when connecting from an ubuntu machine to any of our servers, you have to edit your sshd config:

sudo vi /etc/ssh/ssh_config

And Change GSSAPIAuthentication no UseDNS no

Allow certain users to log in

vi /etc/ssh/sshd_config
AllowUsers root tbschnyd zajoho tagschwa tasuhl tggasser <OTHER_USERS>

Personal config files

Save your ssh config file to ~/.ssh/config

Example

~/.ssh/config
Host testbed1
	User someuser
	Hostname testbed01.el.eee.intern
	ProxyCommand /usr/local/bin/connect -S gw-ext.enterpriselab.ch %h %p
	ServerAliveInterval=15

Host testbed2
	User someuser
	Hostname testbed02.el.eee.intern
	ProxyCommand /usr/local/bin/connect -S gw-ext.enterpriselab.ch %h %p
	ServerAliveInterval=15

Host testbed3
	User someuser
	Hostname testbed03.el.eee.intern
	ProxyCommand /usr/local/bin/connect -S gw-ext.enterpriselab.ch %h %p
	ServerAliveInterval=15

The following command

$ ssh testbed1

will now do the same as

$ ssh -o ProxyCommand="/usr/local/bin/connect -S gw-ext.enterpriselab.ch %h %p" -o ServerAliveInterval=15 someuser@testbed01.el.eee.intern

ATTENTION: Linux users (debian/ubuntu/kubuntu). If you installed the connect-proxy module from the repositorys, your connect binary is located @ /usr/bin/connect

Use authorized_keys file

With authorized key files, you can connect a resource without typing each time your passwords, using a private/public key authentication method. Note that you have to protect your private key from getting available to other people. You can protect it with a passphrase. If you use a passphrase, the key will not be useable unless you type it to make it available to OpenSSH. So this is not helpful if you want ssh to run unattended for some reason. But, on the other hand, it means that someone with temporary access to your account can't just make a copy of the private key file and then use it subsequently.

Creating the key pair

Your key pair is created in .ssh, filename (private key) and filename.pub (public key)

 $ cd .ssh
 $ ssh-keygen -f filename -t rsa

if you want to protect it with a passphrase, type when you're prompted, otherwise just press "enter" twice.

Setting up an authorized_keys file

Once you've created your key pair, you can insert the public half of it into your authorized_keys file on remote computer. A client on computer that knows the private key can then authenticate to your account on the remote computer.

So, on the machine you want to log into, you should add a line to your ~/.ssh/authorized_keys file that contains exactly the single line that was created in the filename.pub file (for whatever choice of "filename" you made).

Login using private key

Use

 $ ssh -i ~/.ssh/filename username@host.domain

You'll be logged in.

Store passphrase for keys

Public key authentication is great, but it is unhandly to always enter the passphrase. Using ssh-agent, this passphrase can be cache in memory.

Add the following section to your .bashrc

# ssh-agent to store keyphrase
SSH_ENV="$HOME/.ssh/environment-`hostname`.`domainname`"

function start_agent {
     echo "Initialising new SSH agent..."
     /usr/bin/ssh-agent | sed 's/^echo/#echo/' > "${SSH_ENV}"
     chmod 600 "${SSH_ENV}"
     . "${SSH_ENV}" > /dev/null
     /usr/bin/ssh-add
}

# Source SSH settings, if applicable
if [ -f "${SSH_ENV}" ]
then
        . "${SSH_ENV}" > /dev/null
        ps -ef | grep ${SSH_AGENT_PID} | grep ssh-agent$ > /dev/null || start_agent
else
        start_agent
fi

Server Settings

Avoid root login

Edit /etc/ssh/sshd_config and change

PermitRootLogin no

SCP

scp is the copy programm of ssh. Here few cases how to use scp

copy a local file to an remote server through a prroxy host

$ scp -o "ProxyCommand  PATH-TO-CONNECT/connect  -S SOCKS-PROXY-HOST  %h  %p" LOCAL-FILE-TO-BE-COPY   REMOTE-HOST:DESTINATION-PATH/[FILE-NAME]

SSHFS

Linux

You need fuse and sshfs. If fuse is not loaded:

modprobe fuse

If sshfs is not installed (on Debian):

sudo apt-get install sshfs

Mount your share with

sshfs <USERNAME>@<HOSTNAME>:<SERVER-PATH> <LOCAL-MOUNT-POINT>

Windows 7 x64

You'll need Dokan LGPL Fuse implementation for Windows: Dokan Website

  • Download and install Microsoft Visual C plus plus 2008 SP1 Redistributable Package Download Link or 2005 SP1 R. P. Download Link
  • Download and install Dokan library 0.5.*
  • Download and install Dokan SSHFS
  • Download this file and replace DokanSSHFS.exe and DokanNET.dll with the downloaded version
  • Run Dokan SSHFS

Mac OSX

Package install (simple)

If you don't know mac port, and need a simple way to install sshfs with GUI support, follow these steps.

  • Download osxfuse here
  • Install osxfuse (also install fuse compability layer, you can configure this during the installation)
  • Download macfusion here
  • Drag and drop the macfusion app to you Application folder
  • Open and configure macfusion with these settings:
    • Host: testbed03.el.eee.intern
    • User Name: Your Enterprise Lab user name
    • Password: Your Enterprise Lab password
    • Path: /home/username Replace username with your usename from above
  • Mount your sshfs drive (click on mount in the macfusion application)

Port install (advanced)

If you already have mac port installed (or want to install mac ports as described here) and are familiar with it, follow these steps. ATTENTION, you will have no GUI to mount your sshfs mountpoints, if you need a GUI, follow the steps which are described in this document at section Package install (simple)

  • Open a terminal
  • Install sshfs
sudo port install sshfs
  • Mount your sshfs drive
sshfs <username>@testbed03.el.eee.intern:/home/<username> /local/mount/point -oauto_cache,reconnect,volname=elhome

Replace <username> and /local/mount/point with appropriate values

ssh Tips

Enforcement of password authentication:

$ ssh -l <loginname> -o pubkeyauthentication=no <hostname>

or if the servers sshd_conf has keyboard interactive (using PAM)

$ ssh -o PreferredAuthentications=keyboard-interactive -o PubkeyAuthentication=no -l <login> <hostname>  

Links

public/tools/ssh.txt · Last modified: 2018-06-05T21:17+0200 by zwp