You have installed an application on a remote server and want to reach it through SSH? Here is what you can do.
Tested configuration:
macOS: Sierra 10.15
Local port forwarding
1. Definition
Forwards a port on your (client) computer to a port on the remote server.
2. Explanation
Basically, the SSH client (on the computer 192.10.10.10) listens for connections on a configured port (4000 in the picture). When it receives a connection such as “please connect to the application “App” on port 5000 hosted on 192.11.11.11”, it tunnels the connection to the SSH server on the remote machine (at 192.11.11.11). On the remote machine, the SSH server connects to the configured destination port (5000, our App).
NB: I mention “computer” but any client machine will do
3. Code
ssh -L 4000:127.0.0.1:5000 root@82.11.11.11
Compared to the usual ssh command, ssh root@82.11.11.11, which connects to the SSH server hosted on 82.11.11.11, we add -L for local forwarding.
Here, 127.0.0.1 is resolved on the remote server: it refers to the remote server’s own localhost, not your computer’s!
4. More options
- On the remote machine, the SSH server connects to the configured destination port, but the destination can also be a different machine than the SSH server:
ssh -L 4000:192.11.11.12:5000 root@82.11.11.11
See the ssh example linked in the references for more details.
- By default, anyone (even on other machines of the intranet, if your computer is on an intranet for instance) can connect to the specified port on the SSH client machine. However, this can be restricted to programs on the same host by supplying a bind address:
ssh -L 127.0.0.1:4000:192.11.11.12:5000 root@82.11.11.11
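The bind address decides who can reach the forwarded port, so it is worth verifying what the listener is actually bound to rather than assuming. The following shell functions are an added example, not part of the original post: they read the system's own socket listing (the output of `ss -ltn` on Linux or `lsof -nP -iTCP -sTCP:LISTEN` on macOS) and classify each listener on the given port by bind address. The function names are mine (hypothetical), and the tool choice in `live_listeners` assumes one of the two commands is installed.

```shell
# Added example, not part of the original post: tell from the system's own
# socket listing which address an ssh -L listener is bound to. Function names
# are mine (hypothetical); input is the output of `ss -ltn` (Linux) or
# `lsof -nP -iTCP -sTCP:LISTEN` (macOS), read on stdin.

# For every listening socket on port $1, print one of:
#   loopback   bound to 127.0.0.1 / ::1   -> only programs on this host can connect
#   all        bound to *, 0.0.0.0 or ::  -> any host that can reach this machine
#   addr <ip>  bound to one specific interface address
classify_listeners() {
  port="$1"
  awk -v port="$port" '
    {
      for (i = 1; i <= NF; i++) {
        # tokens such as 127.0.0.1:4000, *:4000, 0.0.0.0:4000, [::]:4000, [::1]:4000
        # (the [:*] prefix keeps port 14000 from matching port 4000)
        if ($i ~ ("[:*]" port "$")) {
          addr = $i
          sub(":" port "$", "", addr)
          if (addr == "127.0.0.1" || addr == "[::1]" || addr == "::1")
            print "loopback"
          else if (addr == "*" || addr == "0.0.0.0" || addr == "[::]" || addr == "::")
            print "all"
          else
            print "addr " addr
        }
      }
    }'
}

# Exit status 0 when port $1 is listened on and every listener is loopback-only.
forward_is_private() {
  result=$(classify_listeners "$1")
  [ -n "$result" ] && ! printf '%s\n' "$result" | grep -qv '^loopback$'
}

# Live socket listing: assumes ss (Linux) or lsof (macOS) is installed.
live_listeners() {
  if command -v ss >/dev/null 2>&1; then
    ss -ltn
  else
    lsof -nP -iTCP -sTCP:LISTEN
  fi
}

# usage, after starting the tunnel:
#   live_listeners | forward_is_private 4000 && echo "port 4000 is reachable from this host only"
```

If the check reports `all` for a port you meant to keep private, restart the tunnel with an explicit `127.0.0.1:` bind address as in the command above.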
5. Troubleshooting
If you encounter this error: bind [127.0.0.1]:5000: Address already in use
it can be that another process is already using your port, for instance an earlier SSH tunnel that is still running in the background, maybe as a zombie process! You can kill it using this command (change port 5000 if needed):
lsof -ti:5000 | xargs kill -9
Note: the -t option tells lsof to produce “terse output” (only the PID), so that the output can be piped to kill.
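`lsof -ti:5000 | xargs kill -9` kills whatever holds the port, ssh or not, and does so without giving it a chance to shut down. As an added example (not from the original post), the functions below restrict the cleanup to ssh processes listening on the port and try SIGTERM before SIGKILL. They rely on `lsof -F pc`, whose output is one `p<pid>` line followed by a `c<command>` line per process; the function names are mine (hypothetical).

```shell
# Added example, not part of the original post: a narrower version of
# `lsof -ti:PORT | xargs kill -9` that only stops ssh processes listening on
# the port, and sends SIGTERM before falling back to SIGKILL.
# Function names are mine (hypothetical).

# Read `lsof -F pc` output on stdin (a "p<pid>" line followed by a "c<command>"
# line per process) and print the PIDs whose command is ssh.
ssh_pids_from_lsof() {
  awk '
    /^p/ { pid = substr($0, 2) }
    /^c/ { if (substr($0, 2) == "ssh") print pid }'
}

# Stop stale ssh listeners on TCP port $1 (assumes lsof is installed).
free_ssh_port() {
  port="$1"
  pids=$(lsof -nP -iTCP:"$port" -sTCP:LISTEN -F pc 2>/dev/null | ssh_pids_from_lsof)
  if [ -z "$pids" ]; then
    echo "no ssh process is listening on port $port (see what is: lsof -nP -iTCP:$port -sTCP:LISTEN)"
    return 0
  fi
  for pid in $pids; do
    echo "terminating ssh pid $pid listening on port $port"
    kill "$pid"            # SIGTERM: ssh closes the tunnel and exits cleanly
  done
  sleep 1
  for pid in $pids; do
    kill -0 "$pid" 2>/dev/null && kill -9 "$pid"   # still alive after a second: force it
  done
  return 0
}

# usage: free_ssh_port 5000
```

When the port is held by something other than ssh, the function leaves it alone and tells you how to look at it, which is usually the right call for a port you did not expect to be busy.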
Useful SSH options
- -N: no remote command to execute (only forward the ports)
- -f: run in the background
- -4: force IPv4 (may be useful if you get ‘Cannot assign requested address’)
- -6: force IPv6 (you shouldn’t need it)
Local port forwarding with Docker
You can set up SSH tunnelling from inside a Docker container. Here is a Dockerfile example:
FROM ubuntu:18.04
# install the SSH client in a single layer; -y is required for a non-interactive build
RUN apt-get update && apt-get install -y --no-install-recommends openssh-client \
    && rm -rf /var/lib/apt/lists/*
SHELL ["/bin/bash", "-c"]
RUN mkdir /work
# the private key ends up in an image layer: keep this image private
COPY .ssh/* /work/.ssh/
# here are some default values (can be overwritten by an env.txt for instance)
ENV SSHKEY=id_rsa
ENV TUNNEL_HOST=127.0.0.1
ENV LOCAL_PORT=4001
ENV REMOTE_HOST=86.12.34.12
ENV REMOTE_PORT=27017
# -L *:... binds every container interface so the published port is reachable from the host
# StrictHostKeyChecking=no skips host key verification; copying a known_hosts file instead keeps it
ENTRYPOINT ssh -4 -q -o StrictHostKeyChecking=no -i /work/.ssh/$SSHKEY \
    -L *:$LOCAL_PORT:$REMOTE_HOST:$REMOTE_PORT \
    -fN \
    $TUNNEL_HOST \
    && bash
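Because the container binds `*:$LOCAL_PORT`, the decision about who can reach the tunnel moves to the host side, where the port is published. The docker-compose.yml below is an added example (not from the original post) that builds the Dockerfile above and publishes the forwarded port on the host's loopback address only. The port number 4001 matches the Dockerfile default and is an assumption, and env.txt is the hypothetical override file the Dockerfile comment mentions.

```yaml
# docker-compose.yml: added example, not part of the original post.
# Builds the Dockerfile above and publishes the tunnel port on the host's
# loopback address only, so programs on the host can use it but other
# machines on the network cannot.
services:
  tunnel:
    build: .
    # env.txt (hypothetical) overrides the ENV defaults:
    # SSHKEY, TUNNEL_HOST, LOCAL_PORT, REMOTE_HOST, REMOTE_PORT
    env_file:
      - env.txt
    # Inside the container ssh binds *:4001 (needed so the host can reach it);
    # the 127.0.0.1 prefix here is what limits exposure on the host side.
    # Writing "4001:4001" instead would publish it on every host interface.
    # 4001 is the Dockerfile default LOCAL_PORT and is an assumption.
    ports:
      - "127.0.0.1:4001:4001"
    # The ENTRYPOINT ends with "bash"; without a tty it would exit immediately
    # and take the tunnel with it.
    stdin_open: true
    tty: true
```

Start it with `docker compose up --build`; on the host, the application is then reachable at 127.0.0.1:4001, and the loopback-only check from the local port forwarding section applies unchanged to that port.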
References
- ssh: ssh example
- French version: example
- Basics and tips: hackertarget
- ssh options: explainshell
- ssh IPs: IPv4 vs IPv6
- troubleshooting: Address already in use